
JUNOS Software Guide for EX Series Ethernet Switches

Complete Software Guide for JUNOS Software for EX Series


Ethernet Switches, Release 9.6

Juniper Networks, Inc.


1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000

www.juniper.net
Revision R1
Published: 2009-08-05

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue
Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public
domain.
This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software
included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988,
1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by
Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol.
Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the
University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or
registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JUNOS Software Guide for EX Series Ethernet Switches Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6
Copyright 2009, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Writing: Appumon Joseph, Aviva Garrett, Bhargava Y P, Brian Deutscher, Greg Houde, Hareesh Kumar K N, Hemraj Rao S, Janet Bein, Katherine Kearns,
Keldyn West, Praveen G R, Regina Roman, Shikha Kalra, Tim Harrington, Vinita Kurup
Editing: Cindy Martin, Rajan V K
Illustration: Faith Bradford Brown
Cover Design: Christine Nay
Revision History
5 August 2009: Revision 1
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS Software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain
uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.


END USER LICENSE AGREEMENT


READ THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer's principal office is located in the Americas) or Juniper Networks
(Cayman) Limited (if the Customer's principal office is located outside the Americas) (such applicable entity being referred to herein as Juniper), and (ii)
the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (Customer)
(collectively, the Parties).
2. The Software. In this Agreement, Software means the program modules and features of the Juniper or Juniper-supplied software, for which Customer
has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer
purchased from Juniper or an authorized Juniper reseller. Software also includes updates, upgrades and new releases of such software. Embedded
Software means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements
which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper
or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether
such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the
Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to
any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.


6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the Warranty Statement). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's
possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of
the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior
to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any
applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper
with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that
would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder.
Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related
to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this
Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customers ability to export the Software without an export license.
12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and
a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous


agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentes confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).


Table of Contents
About This Topic Collection ..............................................................lv
How to Use This Guide ...................................................................lv


List of EX Series Guides for JUNOS Release 9.6 ...............................................lv
Downloading Software ..................................................................................lvii
Documentation Symbols Key ........................................................................lvii
Documentation Feedback ..............................................................................lix
Requesting Technical Support ........................................................................lix
Self-Help Online Tools and Resources .....................................................lix
Opening a Case with JTAC .......................................................................lx

Part 1: JUNOS Software for EX Series Switches Product Overview

Chapter 1: Product Overview ................................................................3

Software Overview ..........................................................................3


EX Series Switch Software Features Overview ..........................................3
Layer 3 Protocols Supported on EX Series Switches ................................12
Layer 3 Protocols Not Supported on EX Series Switches .........................13
Security Features for EX Series Switches Overview .................................15
High Availability Features for EX Series Switches Overview ....................17
VRRP ................................................................................................17
Graceful Protocol Restart ..................................................................19
EX4200 Redundant Routing Engines ................................................20
EX4200 Graceful Routing Engine Switchover ...................................20
EX4200 Virtual Chassis Software Upgrade and Failover
Features .....................................................................................21
Link Aggregation ..............................................................................21
Additional High Availability Features of EX Series Switches ..............21
Understanding Software Infrastructure and Processes ............................22
Routing Engine and Packet Forwarding Engine ................................22
JUNOS Software Processes ...............................................................23
Supported Hardware .....................................................................................24
EX3200 and EX4200 Switches Hardware Overview ................................24
EX3200 and EX4200 Switch Types ..................................................24
EX3200 Switches ..............................................................................25
EX4200 Switches ..............................................................................25


Uplink Modules ................................................................................26


Power over Ethernet (PoE) Ports ......................................................26
EX3200 Switch Models ...........................................................................26
EX4200 Switch Models ...........................................................................27
EX8208 Switch Hardware Overview .......................................................27
Software ...........................................................................................28
Chassis Physical Specifications .........................................................28
Routing Engines and Switch Fabric ..................................................29
Line Cards ........................................................................................30
Cooling System ................................................................................30
Power Supplies .................................................................................30
EX8216 Switch Hardware Overview .......................................................31
Software ...........................................................................................31
Chassis Physical Specifications, LCD Panel, and Midplane ................31
Routing Engines and Switch Fabric ..................................................33
Line Cards ........................................................................................34
Cooling System ................................................................................34
Power Supplies .................................................................................35

Part 2: Complete Software Configuration Statement Hierarchy

Chapter 2: Complete Software Configuration Statement Hierarchy ..........................39

[edit access] Configuration Statement Hierarchy ...........................................39


[edit chassis] Configuration Statement Hierarchy ..........................................40
[edit class-of-service] Configuration Statement Hierarchy ..............................40
[edit ethernet-switching-options] Configuration Statement Hierarchy ............42
[edit firewall] Configuration Statement Hierarchy .........................................44
[edit forwarding options] Configuration Statement Hierarchy .......................44
[edit interfaces] Configuration Statement Hierarchy ......................................45
[edit poe] Configuration Statement Hierarchy ...............................................46
[edit protocols] Configuration Statement Hierarchy .......................................47
[edit snmp] Configuration Statement Hierarchy ............................................52
[edit virtual-chassis] Configuration Statement Hierarchy ...............................53
[edit vlans] Configuration Statement Hierarchy .............................................53

Part 3: Software User Interfaces

Chapter 3: JUNOS Command-Line Interface ....................................................57

CLI User Interface Overview ..........................................................57


CLI Overview ..........................................................................................57
CLI Help and Command Completion ......................................................57
CLI Command Modes .............................................................................58


Chapter 4: J-Web Graphical User Interface ..................................................61

J-Web User Interface for EX Series Switches Overview ..................................61


Using the CLI Viewer in the J-Web Interface to View Configuration Text .......63
Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration
Text ........................................................................................................63
Using the CLI Editor in the J-Web Interface to Edit Configuration Text ..........65
Using the CLI Terminal ..................................................................................66
Understanding J-Web Configuration Tools .....................................................66
Starting the J-Web Interface ..........................................................................68
Dashboard for EX Series Switches .................................................................68
System Information Panel ......................................................................69
Health Status Panel .................................................................................69
Capacity Utilization Panel .......................................................................70
Alarms Panel ..........................................................................................70
Chassis Viewer ........................................................................................72
Understanding J-Web User Interface Sessions ...............................................76

Part 4: Initial Configuration, Software Installation, and Upgrades

Chapter 5: Initial Configuration ...........................................................79

Connecting and Configuring an EX Series Switch (CLI Procedure) .................79


Connecting and Configuring an EX Series Switch (J-Web Procedure) .............81
Chapter 6: Software Installation ...........................................................85

Software Installation ......................................................................85


Understanding Software Installation on EX Series Switches ....................85
Overview of the Software Installation Process ..................................86
Software Package Security ................................................................86
Installing Software on a Virtual Chassis ............................................86
Installing Software on EX8200 Switches with Redundant Routing
Engines ......................................................................................86
Installing Software Using Automatic Software Download .................87
Troubleshooting Software Installation ..............................................87
JUNOS Software Package Names ............................................................87
Downloading Software Packages from Juniper Networks ........................88
Installing Software on an EX Series Switch with a Single Routing Engine
(CLI Procedure) .................................................................................89
Installing Software on an EX8200 Switch with Redundant Routing
Engines (CLI Procedure) ...................................................................90
Preparing the Switch for the Software Installation ............................90
Installing Software on the Backup Routing Engine ............................92


Installing Software on the Default Master Routing Engine ................93


Returning Routing Control to the Default Master Routing Engine
(Optional) ...................................................................................94
Installing Software on EX Series Switches (J-Web Procedure) ..................94
Installing Software Upgrades from a Server ......................................95
Installing Software Upgrades by Uploading Files ..............................95
Booting an EX Series Switch Using a Software Package Stored on a USB
Flash Drive .......................................................................................97
Troubleshooting Software Installation .....................................................98
Recovering from a Failed Software Upgrade on an EX Series
Switch ........................................................................................98
Rebooting from the Inactive Partition ...............................................99
Upgrading Software Using Automatic Software Download on EX Series
Switches .........................................................................................100
Verifying That Automatic Software Download Is Working Correctly .....101
Chapter 7: Configuration File Management ..................................................103

Understanding Configuration Files for EX Series Switches ...........................103


Configuration Files Terms ...........................................................................104
Understanding Autoinstallation of Configuration Files on EX Series
Switches ...............................................................................................105
Typical Uses for Autoinstallation ...........................................................105
Autoinstallation Configuration Files and IP Addresses ...........................105
Typical Autoinstallation Process on a New Switch .................................106
Managing Configuration Files Through the Configuration History (J-Web
Procedure) ............................................................................................107
Displaying Configuration History ..........................................................107
Displaying Users Editing the Configuration ...........................................108
Comparing Configuration Files with the J-Web Interface .......................109
Downloading a Configuration File with the J-Web Interface ..................109
Loading a Previous Configuration File with the J-Web Interface ............109
Uploading a Configuration File (CLI Procedure) ...........................................110
Uploading a Configuration File (J-Web Procedure) .......................................111
Loading a Previous Configuration File (CLI Procedure) ................................112
Configuring Autoinstallation of Configuration Files (CLI Procedure) .............113
Verifying Autoinstallation Status on an EX Series Switch .............................114
EX3200 and EX4200 Default Configuration ................................................115
EX8200 Switch Default Configuration .........................................................119

Chapter 8 Licenses .............................................................................................121
Software Licenses for the EX Series Switch Overview ..................................121
License Key Components for the EX Series Switch ......................................122
Managing Licenses for the EX Series Switch (CLI Procedure) .......................122
Adding New Licenses ............................................................................123
Deleting Licenses ..................................................................................124
Saving License Keys ..............................................................................124
Managing Licenses for the EX Series Switch (J-Web Procedure) ...................124
Adding New Licenses ............................................................................124
Deleting Licenses ..................................................................................125
Displaying License Keys ........................................................................125
Downloading Licenses ..........................................................................125
Monitoring Licenses for the EX Series Switch ..............................................126
Displaying Installed Licenses and License Usage Details .......................126
Displaying License Usage ......................................................................126
Displaying Installed License Keys .........................................................127
Registering the EX Series Switch with the J-Web Interface ..........................127

Part 5 System Basics

Chapter 9 Understanding Basic System Concepts ..................................................131
Understanding Alarm Types and Severity Levels on EX Series Switches ......131
Chapter 10 Configuring Basic System Functions ....................................................133
Configuring Management Access for the EX Series Switch (J-Web Procedure) ......133
Configuring Date and Time for the EX Series Switch (J-Web Procedure) ......135
Generating SSL Certificates to Be Used for Secure Web Access ...................136
Configuring MS-CHAPv2 to Provide Password-Change Support (CLI
Procedure) ............................................................................................137
Chapter 11 Administering and Monitoring Basic System Functions ..........................139
Monitoring Hosts Using the J-Web Ping Host Tool .......................................139
Monitoring Switch Control Traffic ................................................................141
Monitoring Network Traffic Using Traceroute ..............................................143
Monitoring System Properties .....................................................................145

Monitoring System Process Information ......................................................146


Rebooting or Halting the EX Series Switch (J-Web Procedure) .....................147
Managing Users (J-Web Procedure) ..............................................................148
Managing Log, Temporary, and Crash Files on the Switch (J-Web
Procedure) ............................................................................................150
Cleaning Up Files ..................................................................................150
Downloading Files ................................................................................151
Deleting Files ........................................................................................151
Setting or Deleting the Rescue Configuration (CLI Procedure) .....................152
Setting or Deleting the Rescue Configuration (J-Web Procedure) .................153
Reverting to the Rescue Configuration for the EX Series Switch ..................154
Reverting to the Default Factory Configuration for the EX Series Switch .....154
Reverting to the Default Factory Configuration by Using the LCD
Panel ..............................................................................................155
Reverting to the Default Factory Configuration by Using the Load Factory
Default Command ..........................................................................156
Checking Active Alarms with the J-Web Interface ........................................156
Monitoring Chassis Alarms for an EX8200 Switch .......................................157
Monitoring System Log Messages ................................................................160
Chapter 12 Troubleshooting Basic System Functions ..............................................165
Troubleshooting Loss of the Root Password ................................................165
Chapter 13 Operational Mode Commands for Basic System Functions ......................169
clear snmp rmon history .............................................................................170
show snmp rmon history ............................................................................171

Part 6 Virtual Chassis

Chapter 14 Understanding Virtual Chassis .............................................................177
Virtual Chassis Overview .............................................................................177
Basic Configuration of a Virtual Chassis with Master and Backup
Switches .........................................................................................178
Expanding Configurations Within a Single Wiring Closet and Across
Wiring Closets ................................................................................178
Global Management of Member Switches in a Virtual Chassis ...............178
High Availability Through Redundant Routing Engines .........................179
Adaptability as an Access Switch or Distribution Switch .......................179
Understanding Virtual Chassis Components ................................................180
Virtual Chassis Ports (VCPs) ..................................................................180
Master Role ...........................................................................................180
Backup Role ..........................................................................................181
Linecard Role ........................................................................................181
Member Switch and Member ID ...........................................................182

Mastership Priority ................................................................................182


Virtual Chassis Identifier (VCID) ............................................................183
Understanding How the Master in a Virtual Chassis Configuration Is
Elected ..................................................................................................184
Understanding Software Upgrade in a Virtual Chassis Configuration ...........184
Understanding Global Management of a Virtual Chassis Configuration ........185
Understanding Nonvolatile Storage in a Virtual Chassis Configuration .........188
Nonvolatile Memory Features ...............................................................188
Understanding the High-Speed Interconnection of the Virtual Chassis
Members ..............................................................................................188
Understanding Virtual Chassis Configurations and Link Aggregation ...........188
Understanding Virtual Chassis Configuration ...............................................190
Understanding Virtual Chassis EX4200 Switch Version Compatibility .........191
Understanding Fast Failover in a Virtual Chassis Configuration ...................191
Supported Topologies for Fast Failover .................................................192
How Fast Failover Works ......................................................................192
Fast Failover in a Ring Topology Using Dedicated VCPs ..................192
Fast Failover in a Ring Topology Using Uplink Module VCPs ..........194
Fast Failover in a Virtual Chassis Configuration Using Multiple Ring
Topologies ...............................................................................196
Effects of Topology Changes on a Fast Failover Configuration ..............197
Understanding Split and Merge in a Virtual Chassis Configuration ...............198
What Happens When a Virtual Chassis Configuration Splits ..................198
Merging Virtual Chassis Configurations .................................................199
Chapter 15 Examples of Configuring Virtual Chassis ...............................................203
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet ........................................................................................203
Example: Expanding a Virtual Chassis Configuration in a Single Wiring
Closet ....................................................................................................208
Example: Setting Up a Multimember Virtual Chassis Access Switch with a
Default Configuration ............................................................................214
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets ..................................................................................................219
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a
Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch ...................................................................................................227
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch ...................................................................................................234
Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration
File ........................................................................................................239
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic
When a Virtual Chassis Member Switch or Inter-Member Link Fails .....250
Example: Assigning the Virtual Chassis ID to Determine Precedence During
a Virtual Chassis Merge .........................................................................254
Example: Configuring Link Aggregation Groups Using Uplink Virtual Chassis
Ports .....................................................................................................256

Chapter 16 Configuring Virtual Chassis ................................................................265
Configuring a Virtual Chassis (CLI Procedure) ..............................................265
Configuring a Virtual Chassis with a Preprovisioned Configuration
File .................................................................................................266
Configuring a Virtual Chassis with a Nonprovisioned Configuration
File .................................................................................................267
Configuring a Virtual Chassis (J-Web Procedure) ..........................................268
Adding a New Switch to an Existing Virtual Chassis Configuration (CLI
Procedure) ............................................................................................270
Adding a New Switch to an Existing Virtual Chassis Configuration Within
the Same Wiring Closet ..................................................................270
Adding a New Switch from a Different Wiring Closet to an Existing Virtual
Chassis Configuration .....................................................................271
Adding a New Switch to an Existing Preprovisioned Virtual Chassis
Configuration Using Autoprovisioning ............................................273
Configuring Mastership of the Virtual Chassis (CLI Procedure) .....................274
Configuring Mastership Using a Preprovisioned Configuration File .......274
Configuring Mastership Using a Configuration File That Is Not
Preprovisioned ...............................................................................275
Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) ......276
Setting an Uplink VCP Between Two Member Switches ........................277
Setting an Uplink VCP on a Standalone Switch .....................................278
Configuring the Virtual Management Ethernet Interface for Global
Management of a Virtual Chassis (CLI Procedure) .................................279
Configuring the Timer for the Backup Member to Start Using Its Own MAC
Address, as Master of Virtual Chassis (CLI Procedure) ...........................280
Configuring Fast Failover in a Virtual Chassis Configuration ........................281
Disabling Fast Failover in a Virtual Chassis Configuration ............................282
Assigning the Virtual Chassis ID to Determine Precedence During a Virtual
Chassis Merge (CLI Procedure) ..............................................................283
Disabling Split and Merge in a Virtual Chassis Configuration (CLI
Procedure) ............................................................................................283
Chapter 17 Verifying Virtual Chassis ....................................................................285
Command Forwarding Usage with a Virtual Chassis Configuration .............285
Verifying the Member ID, Role, and Neighbor Member Connections of a
Virtual Chassis Member ........................................................................288
Verifying That the Virtual Chassis Ports Are Operational .............................289
Monitoring Virtual Chassis Configuration Status and Statistics .....................291
Replacing a Member Switch of a Virtual Chassis Configuration (CLI
Procedure) ............................................................................................292
Remove, Repair, and Reinstall the Same Switch ...................................293
Remove a Member Switch, Replace with a Different Switch, and Reapply
the Old Configuration .....................................................................293
Remove a Member Switch and Make Its Member ID Available for
Reassignment to a Different Switch ................................................294

Chapter 18 Troubleshooting Virtual Chassis ..........................................................295
Troubleshooting a Virtual Chassis Configuration ..........................................295
Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for
Reassignment .................................................................................295
Load Factory Default Does Not Commit on a Multimember Virtual
Chassis ...........................................................................................295
Member ID Persists When a Member Switch Is Disconnected From a
Virtual Chassis ................................................................................296
Chapter 19 Configuration Statements for Virtual Chassis ........................................297
[edit virtual-chassis] Configuration Statement Hierarchy .............................297
fast-failover .................................................................................................298
id .................................................................................................................299
mac-persistence-timer .................................................................................299
mastership-priority ......................................................................................300
member ......................................................................................................301
no-management-vlan ..................................................................................302
no-split-detection .........................................................................................303
preprovisioned ............................................................................................304
role ..............................................................................................................305
serial-number ..............................................................................................306
traceoptions ................................................................................................307
virtual-chassis ..............................................................................................309
Chapter 20 Operational Mode Commands for Virtual Chassis ..................................311
clear virtual-chassis vc-port statistics ...........................................................312
request session member .............................................................................313
request virtual-chassis recycle .....................................................................314
request virtual-chassis renumber .................................................................315
request virtual-chassis vc-port .....................................................................316
request virtual-chassis vc-port .....................................................................317
show system uptime ...................................................................................318
show virtual-chassis active topology ............................................................320
show virtual-chassis fast-failover .................................................................322
show virtual-chassis status ..........................................................................323
show virtual-chassis vc-path ........................................................................325
show virtual-chassis vc-port .........................................................................327
show virtual-chassis vc-port statistics ..........................................................330

Part 7 Interfaces

Chapter 21 Understanding Interfaces ....................................................................339
EX Series Switches Interfaces Overview ......................................................339
Network Interfaces ...............................................................................339
Special Interfaces ..................................................................................340
Understanding Interface Naming Conventions on EX Series Switches .........341
Physical Part of an Interface Name .......................................................341
Logical Part of an Interface Name .........................................................342
Wildcard Characters in Interface Names ...............................................343
Understanding Aggregated Ethernet Interfaces and LACP ...........................343
Link Aggregation Group (LAG) ...............................................................343
Link Aggregation Control Protocol (LACP) .............................................344
Understanding Layer 3 Subinterfaces ..........................................................345
Understanding Unicast RPF for EX Series Switches .....................................346
Unicast RPF for EX Series Switches Overview .......................................346
Unicast RPF Implementation for EX Series Switches .............................347
Global Unicast RPF Implementation ...............................................347
Unicast RPF Packet Filtering ...........................................................347
Bootstrap Protocol (BOOTP) and DHCP Requests ...........................347
Default Route Handling ..................................................................347
When to Enable Unicast RPF ................................................................348
When Not to Enable Unicast RPF ..........................................................349
ECMP Traffic Handling with Unicast RPF Enabled .................................350
Chapter 22 Examples of Configuring Interfaces ......................................................351
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ...................................................................................................351
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch ...................................................................................................357
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and
an Access Switch ..................................................................................363
Example: Configuring Unicast RPF on an EX Series Switch .........................371
Chapter 23 Configuring Interfaces ........................................................................377
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) ..........................377
Configuring Gigabit Ethernet Interfaces (CLI Procedure) ..............................383
Configuring VLAN Options and Port Mode ............................................383
Configuring the Link Settings ................................................................384
Configuring the IP Options ....................................................................385
Configuring the Interfaces on the Uplink Module in EX3200 and EX4200
Switches .........................................................................................385
Configuring Aggregated Ethernet Interfaces (CLI Procedure) .......................386
Configuring Aggregated Ethernet Interfaces (J-Web Procedure) ...................387

Configuring Aggregated Ethernet LACP (CLI Procedure) ..............................389


Configuring Unicast RPF (CLI Procedure) .....................................................390
Disabling Unicast RPF (CLI Procedure) ........................................................391
Setting the Mode on an SFP+ Uplink Module (CLI Procedure) ....................392
Chapter 24 Verifying Interfaces ...........................................................................395
Monitoring Interface Status and Traffic .......................................................395
Verifying the Status of a LAG Interface ........................................................396
Verifying That LACP Is Configured Correctly and Bundle Members Are
Exchanging LACP Protocol Packets .......................................................397
Verifying the LACP Setup ......................................................................397
Verifying That the LACP Packets Are Being Exchanged .........................397
Verifying That Layer 3 Subinterfaces Are Working ......................................398
Verifying Unicast RPF Status .......................................................................399
Chapter 25 Troubleshooting Interfaces ..................................................................403
Troubleshooting an Aggregated Ethernet Interface ......................................403
Troubleshooting Network Interfaces on EX3200 and EX4200 Switches ......404
The interface on one of the last four built-in network ports in an EX3200
switch (for example, interface ge-0/0/23) is down ..........................404
The interface on the port in which an SFP or SFP+ transceiver is installed
in an SFP+ uplink module is down ................................................404
Port Role Configuration with the J-Web Interface (with CLI References) ......405
Troubleshooting Interface Configuration and Cable Faults ...........................409
Interface Configuration or Connectivity Is Not Working ........................409
Troubleshooting Unicast RPF .......................................................................410
Legitimate Packets Are Discarded .........................................................410
Troubleshooting Uplink Module Installation or Replacement on EX3200 and
EX4200 Switches ..................................................................................411
Switch does not detect the uplink module installed in the switch ..........411
Virtual Chassis port (VCP) connection does not work ............................411
One of the last four network ports on an EX3200 switch with an SFP or
SFP+ uplink module installed is disabled ......................................411
Chapter 26 Configuration Statements for Interfaces ...............................................413
Interface Configuration Statement Hierarchy ..............................................413
[edit chassis] Configuration Statement Hierarchy .................................413
[edit interfaces] Configuration Statement Hierarchy .............................413
Individual Interface Configuration Statements .............................................415
802.3ad ................................................................................................415
aggregated-devices ...............................................................................416
aggregated-ether-options ......................................................................417
auto-negotiation ....................................................................................418
chassis ..................................................................................................419
description ............................................................................................420
device-count .........................................................................................421

ether-options ........................................................................................422
family ccc .............................................................................................423
family ethernet-switching .....................................................................424
family mpls ...........................................................................................425
filter ......................................................................................................426
flow-control ..........................................................................................427
lacp .......................................................................................................428
link-mode .............................................................................................429
members ..............................................................................................430
mtu .......................................................................................................431
native-vlan-id ........................................................................................432
periodic ................................................................................................433
port-mode .............................................................................................434
rpf-check ...............................................................................................435
speed ....................................................................................................436
unit .......................................................................................................437
vlan .......................................................................................................438
vlan-id ...................................................................................................439
vlan-tagging ..........................................................................................440
Chapter 27 Operational Mode Commands for Interfaces .........................................441
show interfaces ge- ......................................................................................442
show interfaces xe- .....................................................................................453

Part 8 Layer 2 Bridging, VLANs, and Spanning Trees

Chapter 28 Understanding Layer 2 Bridging, VLANs, and GVRP ...............................467
Understanding Bridging and VLANs on EX Series Switches .........................467
Ethernet LANs, Transparent Bridging, and VLANs .................................467
How Bridging Works .............................................................................468
Types of Switch Ports ...........................................................................470
IEEE 802.1Q Encapsulation and Tags ...................................................470
Assignment of Traffic to VLANs ............................................................470
Ethernet Switching Tables .....................................................................471
Layer 2 and Layer 3 Forwarding of VLAN Traffic ..................................471
GVRP ....................................................................................................471
Routed VLAN Interface .........................................................................472
Understanding Redundant Trunk Links on EX Series Switches ....................473
Understanding Storm Control on EX Series Switches ..................................475
Understanding Virtual Routing Instances on EX Series Switches .................476
Understanding Q-in-Q Tunneling on EX Series Switches .............................477
How Q-in-Q Tunneling Works ...............................................................477
Disabling MAC Address Learning ..........................................................478
Mapping C-VLANs to S-VLANs ...............................................................478
All-in-One Bundling ...............................................................................478
Many-to-One Bundling ..........................................................................479

Mapping a Specific Interface .................................................................479


Routed VLAN Interfaces on Q-in-Q VLANs ............................................479
Limitations for Q-in-Q Tunneling ..........................................................479
Understanding Unknown Unicast Forwarding on EX Series Switches ..........480
Understanding Private VLANs on EX Series Switches ..................................480
Chapter 29 Examples of Configuring Layer 2 Bridging, VLANs, and GVRP ..................483
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch ....483
Example: Setting Up Bridging with Multiple VLANs for EX Series Switches ..........490
Example: Connecting an Access Switch to a Distribution Switch .................498
Example: Configure Automatic VLAN Administration Using GVRP ..............508
Example: Configuring Redundant Trunk Links for Faster Recovery .............523
Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches ..........527
Example: Setting Up Q-in-Q Tunneling on EX Series Switches .....................530
Example: Configuring a Private VLAN on an EX Series Switch .....................533
Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches ..........538
Chapter 30 Configuring Layer 2 Bridging, VLANs, and GVRP ..........543

Configuring VLANs for EX Series Switches (J-Web Procedure) .....................543
Configuring VLANs for EX Series Switches (CLI Procedure) .........................546
Configuring Routed VLAN Interfaces (CLI Procedure) ..................................547
Creating a Series of Tagged VLANs (CLI Procedure) .....................................549
Creating a Private VLAN (CLI Procedure) .....................................................550
Configuring Q-in-Q Tunneling (CLI Procedure) .............................................551
Configuring Virtual Routing Instances (CLI Procedure) ................................552
Configuring MAC Table Aging (CLI Procedure) .............................................553
Configuring the Native VLAN Identifier (CLI Procedure) ...............................554
Configuring Unknown Unicast Forwarding (CLI Procedure) .........................555
Configuring GVRP (J-Web Procedure) ..........................................................555
Configuring Redundant Trunk Groups (J-Web Procedure) ............................557
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) ..........558
Chapter 31 Verifying Layer 2 Bridging, VLANs, and GVRP ..........559

Verifying That a Series of Tagged VLANs Has Been Created ........................559
Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface ..........561
Verifying That Q-in-Q Tunneling Is Working ................................................562
Verifying That a Private VLAN Is Working ...................................................562
Verifying That Virtual Routing Instances Are Working .................................564
Verifying That the Port Error Disable Setting Is Working Correctly ..............565
Monitoring Ethernet Switching ....................................................................566
Monitoring GVRP .........................................................................................567


Chapter 32 Troubleshooting Layer 2 Bridging, VLANs, and GVRP ..........569

Troubleshooting Ethernet Switching ............................................................569
MAC Address in the Switch's Ethernet Switching Table Is Not Updated After a MAC Address Move ..........569
Chapter 33 Understanding Spanning Trees ..........571

Understanding STP for EX Series Switches ..................................................571
Understanding RSTP for EX Series Switches ................................................572
Understanding MSTP for EX Series Switches ...............................................573
Understanding VSTP for EX Series Switches ................................................574
Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches ..........574
Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches ..........575
Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches ..........576
Chapter 34 Examples of Configuring Spanning Trees ..........579

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches ..........579
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches ..........593
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX Series Switches ..........615
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches ..........619
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX Series Switches ..........624
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX Series Switches ..........628
Chapter 35 Configuring Spanning Trees ..........635

Configuring STP (CLI Procedure) .................................................................635
Configuring Spanning-Tree Protocols (J-Web Procedure) .............................636
Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) ......640
Chapter 36 Verifying Spanning Trees ..........641

Monitoring Spanning-Tree Protocols ............................................................641


Chapter 37 Configuration Statements for Bridging, VLANs, and Spanning Trees ..........643

[edit ethernet-switching-options] Configuration Statement Hierarchy ..........643
[edit interfaces] Configuration Statement Hierarchy ....................................645
[edit protocols] Configuration Statement Hierarchy .....................................646
[edit vlans] Configuration Statement Hierarchy ...........................................652
alarm ...........................................................................................................653
arp ..............................................................................................................654
bandwidth ...................................................................................................654
block ...........................................................................................................655
bpdu-block ..................................................................................................656
bpdu-block-on-edge .....................................................................................657
bpdu-timeout-action ....................................................................................658
bridge-priority .............................................................................................659
configuration-name .....................................................................................660
cost .............................................................................................................661
customer-vlans ............................................................................................662
description ..................................................................................................663
disable .........................................................................................................663
disable .........................................................................................................664
disable-timeout ............................................................................................665
disable-timeout ............................................................................................666
dot1q-tunneling ...........................................................................................666
dot1q-tunneling ...........................................................................................667
edge ............................................................................................................668
ethernet-switching-options ..........................................................................669
ether-type ....................................................................................................671
filter ............................................................................................................672
forward-delay ..............................................................................................673
group-name .................................................................................................674
gvrp .............................................................................................................675
hello-time ....................................................................................................676
instance-type ...............................................................................................677
interface ......................................................................................................677
interface ......................................................................................................678
interface ......................................................................................................679
interface ......................................................................................................680
interface ......................................................................................................681
interface ......................................................................................................682
interfaces ....................................................................................................683
join-timer ....................................................................................................683
l3-interface ..................................................................................................684
leaveall-timer ...............................................................................................685
leave-timer ..................................................................................................686
mac-limit .....................................................................................................686
mac-table-aging-time ...................................................................................687
max-age ......................................................................................................688
max-hops ....................................................................................................689


members .....................................................................................................690
mode ...........................................................................................................691
msti .............................................................................................................692
mstp ............................................................................................................693
native-vlan-id ...............................................................................................694
no-broadcast ...............................................................................................695
no-local-switching ........................................................................................695
no-mac-learning ..........................................................................................696
no-mac-learning ..........................................................................................697
no-root-port .................................................................................................698
no-unknown-unicast ....................................................................................699
port-mode ...................................................................................................700
primary-vlan ................................................................................................701
priority ........................................................................................................702
redundant-trunk-group ................................................................................703
routing-instances .........................................................................................703
rstp ..............................................................................................................704
storm-control ..............................................................................................705
stp ...............................................................................................................706
traceoptions ................................................................................................707
unknown-unicast-forwarding .......................................................................710
vlan .............................................................................................................711
vlan .............................................................................................................712
vlan .............................................................................................................713
vlan-id .........................................................................................................714
vlan-range ...................................................................................................714
vlans ...........................................................................................................715
Chapter 38 Operational Mode Commands for Bridging, VLANs, and Spanning Trees ..........717

clear ethernet-switching bpdu-error .............................................................718
clear gvrp statistics ......................................................................................719
clear spanning-tree statistics .......................................................................720
show ethernet-switching interfaces .............................................................721
show ethernet-switching mac-learning-log ...................................................724
show ethernet-switching statistics aging ......................................................726
show ethernet-switching statistics mac-learning ..........................................728
show ethernet-switching table .....................................................................731
show gvrp ...................................................................................................737
show gvrp statistics .....................................................................................739
show redundant-trunk-group .......................................................................741
show spanning-tree bridge ..........................................................................742
show spanning-tree interface ......................................................................746
show spanning-tree mstp configuration .......................................................750
show spanning-tree statistics .......................................................................751
show vlans ..................................................................................................752


Part 9 Layer 3 Protocols

Chapter 39 Understanding Layer 3 Protocols ..........763

DHCP Services for EX Series Switches Overview .........................................763
DHCP/BOOTP Relay for EX Series Switches Overview .................................764
Understanding IP Directed Broadcast for EX Series Switches ......................765
IP Directed Broadcast for EX Series Switches Overview ........................765
IP Directed Broadcast Implementation for EX Series Switches ..............765
When to Enable IP Directed Broadcast .................................................766
When Not to Enable IP Directed Broadcast ...........................................766
Chapter 40 Examples of Configuring Layer 3 Protocols ..........767

Example: Configuring IP Directed Broadcast on an EX Series Switch ..........767
Chapter 41 Configuring Layer 3 Protocols ..........771

Configuring BGP Sessions (J-Web Procedure) ...............................................771
Configuring DHCP Services (J-Web Procedure) ............................................772
Configuring an OSPF Network (J-Web Procedure) ........................................775
Configuring a RIP Network (J-Web Procedure) .............................................776
Configuring SNMP (J-Web Procedure) ..........................................................777
Configuring Static Routing (CLI Procedure) ..................................................780
Configuring Static Routing (J-Web Procedure) ..............................................781
Configuring IP Directed Broadcast (CLI Procedure) ......................................781
Chapter 42 Verifying Layer 3 Protocols ..........783

Monitoring BGP Routing Information ..........................................................783
Monitoring DHCP Services ..........................................................................785
Monitoring OSPF Routing Information ........................................................786
Monitoring RIP Routing Information ...........................................................788
Monitoring Routing Information ..................................................................790
Verifying IP Directed Broadcast Status ........................................................791

Part 10 IGMP Snooping and Multicast

Chapter 43 Understanding IGMP Snooping and Multicast ..........795

IGMP Snooping on EX Series Switches Overview ........................................795
How IGMP Snooping Works ..................................................................795
How IGMP Snooping Works with Routed VLAN Interfaces ....................796


How Hosts Join and Leave Multicast Groups .........................................799
IGMP Snooping Support for IGMPv3 .....................................................799
Understanding Multicast VLAN Registration on EX Series Switches .............800
How MVR Works ..................................................................................800
MVR Modes ....................................................................................801
Chapter 44 Examples of Configuring IGMP Snooping and Multicast ..........803

Example: Configuring IGMP Snooping on EX Series Switches ......................803
Example: Configuring Multicast VLAN Registration on EX Series Switches ..........806
Chapter 45 Configuring IGMP Snooping and Multicast ..........813

Configuring IGMP Snooping (CLI Procedure) ...............................................813
Configuring IGMP Snooping (J-Web Procedure) ...........................................814
Changing the IGMP Snooping Group Query Membership Timeout Value (CLI Procedure) ..........817
Configuring Multicast VLAN Registration (CLI Procedure) ............................818
Chapter 46 Verifying IGMP Snooping and Multicast ..........821

Monitoring IGMP Snooping ..........................................................................821
Verifying That the IGMP Snooping Group Query Timeout Value Has Been Changed Correctly ..........822
Chapter 47 Configuration Statements for IGMP Snooping and Multicast ..........825

[edit protocols] Configuration Statement Hierarchy .....................................825
data-forwarding ...........................................................................................831
disable .........................................................................................................832
group ...........................................................................................................832
groups .........................................................................................................833
group-limit ..................................................................................................834
igmp-snooping ............................................................................................835
immediate-leave ..........................................................................................836
install ..........................................................................................................837
interface ......................................................................................................838
multicast-router-interface ............................................................................838
proxy ..........................................................................................................839
query-interval ..............................................................................................840
query-last-member-interval .........................................................................841
query-response-interval ...............................................................................842
receiver .......................................................................................................843
robust-count ................................................................................................843
source .........................................................................................................844
source-vlans ................................................................................................845


traceoptions ................................................................................................846
vlan .............................................................................................................848
Chapter 48 Operational Mode Commands for IGMP Snooping and Multicast ..........851

clear igmp-snooping membership ...............................................................852
clear igmp-snooping statistics ......................................................................853
show igmp-snooping membership ..............................................................854
show igmp-snooping route ..........................................................................857
show igmp-snooping statistics .....................................................................859
show igmp-snooping vlans ..........................................................................860

Part 11 Access Control

Chapter 49 802.1X and MAC RADIUS Authentication Overview ..........865

802.1X for EX Series Switches Overview .....................................................865
How 802.1X Authentication Works .......................................................865
802.1X Features Overview ....................................................................866
Supported Features Related to 802.1X Authentication ..........................866
Understanding 802.1X Authentication on EX Series Switches .....................867
Understanding MAC RADIUS Authentication on EX Series Switches ............872
Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches ..........873
Understanding Dynamic VLANs for 802.1X on EX Series Switches .............874
Understanding Guest VLANs for 802.1X on EX Series Switches ...................875
Understanding 802.1X and RADIUS Accounting on EX Series Switches ......876
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches ....877
Understanding Static MAC Bypass of Authentication on EX Series Switches ..........879
Understanding 802.1X and VoIP on EX Series Switches ..............................879
Understanding 802.1X and VSAs on EX Series Switches .............................882
Chapter 50 Examples of Configuring Access Control ..........883

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch ..........883
Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch ..........888
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch ..........893
Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch ..........897
Example: Configuring MAC RADIUS Authentication on an EX Series Switch ..........902
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch ..........907


Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch ..........913
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch ..........919
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication ..........926
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support ..........932
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication ..........936
Chapter 51 Configuring Access Control ..........941

Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure) ..........942
Configuring 802.1X Interface Settings (CLI Procedure) ................................943
Configuring 802.1X Authentication (J-Web Procedure) ................................944
Configuring Static MAC Bypass of Authentication (CLI Procedure) ...............947
Configuring MAC RADIUS Authentication (CLI Procedure) ...........................948
Configuring Server Fail Fallback (CLI Procedure) .........................................950
Configuring 802.1X RADIUS Accounting (CLI Procedure) ............................952
Filtering 802.1X Supplicants Using RADIUS Server Attributes .....................953
Configuring Match Statements on the RADIUS Server ...........................954
Applying a Port Firewall Filter from the RADIUS Server ........................956
Configuring LLDP (CLI Procedure) ...............................................................957
Enabling LLDP on Interfaces .................................................................957
Configuring for Fast Start ......................................................................957
Adjusting LLDP Advertisement Settings ................................................957
Configuring LLDP (J-Web Procedure) ...........................................................958
Configuring LLDP-MED (CLI Procedure) .......................................................959
Enabling LLDP-MED on Interfaces ........................................................959
Configuring Location Information Advertised by the Switch .................959
Configuring for Fast Start ......................................................................960
VSA Match Conditions and Actions for EX Series Switches ..........................960
Chapter 52 Verifying 802.1X and MAC RADIUS Authentication ..........963

Monitoring 802.1X Authentication ..............................................................963
Verifying 802.1X Authentication .................................................................964
Chapter 53 Configuration Statements for Access Control ..........967

[edit access] Configuration Statement Hierarchy .........................................967
[edit ethernet-switching-options] Configuration Statement Hierarchy ..........967
[edit protocols] Configuration Statement Hierarchy .....................................969
access ..........................................................................................................976
accounting ...................................................................................................977
accounting-server ........................................................................................978
accounting-stop-on-access-deny ..................................................................979


accounting-stop-on-failure ...........................................................................979
advertisement-interval ................................................................................980
authentication-order ....................................................................................981
authentication-profile-name ........................................................................982
authentication-server ...................................................................................983
authenticator ...............................................................................................984
ca-type ........................................................................................................985
ca-value .......................................................................................................986
civic-based ..................................................................................................987
country-code ...............................................................................................988
disable .........................................................................................................989
disable .........................................................................................................990
disable .........................................................................................................990
dot1x ...........................................................................................................991
elin ..............................................................................................................992
ethernet-switching-options ..........................................................................993
fast-start ......................................................................................................996
forwarding-class ..........................................................................................997
guest-vlan ....................................................................................................998
hold-multiplier .............................................................................................999
interface ....................................................................................................1000
interface ....................................................................................................1001
interface ....................................................................................................1002
interface ....................................................................................................1003
interface ....................................................................................................1004
lldp ............................................................................................................1005
lldp-med ....................................................................................................1006
location .....................................................................................................1007
mac-radius ................................................................................................1008
maximum-requests ...................................................................................1009
no-reauthentication ...................................................................................1009
order .........................................................................................................1010
profile ........................................................................................................1011
quiet-period ...............................................................................................1012
radius ........................................................................................................1013
reauthentication ........................................................................................1014
retries ........................................................................................................1015
server-fail ..................................................................................................1016
server-reject-vlan .......................................................................................1017
server-timeout ...........................................................................................1018
static .........................................................................................................1019
supplicant ..................................................................................................1020
supplicant-timeout .....................................................................................1021
traceoptions ..............................................................................................1022
traceoptions ..............................................................................................1024
transmit-delay ...........................................................................................1025
transmit-period .........................................................................................1026
vlan ...........................................................................................................1027
vlan-assignment ........................................................................................1028
voip ...........................................................................................................1029
what ..........................................................................................................1030


Chapter 54

Operational Commands for 802.1X

1031

clear dot1x ................................................................................................1032
clear lldp neighbors ...................................................................................1033
clear lldp statistics .....................................................................................1034
show dot1x ...............................................................................................1035
show dot1x authentication-failed-users .....................................................1040
show dot1x static-mac-address .................................................................1041
show ethernet-switching interfaces ...........................................................1043
show lldp ...................................................................................................1046
show lldp local-info ...................................................................................1051
show lldp neighbors ..................................................................................1053
show lldp statistics ....................................................................................1056
show network-access aaa statistics accounting ..........................................1058
show network-access aaa statistics authentication ....................................1059
show network-access aaa statistics dynamic-requests ...............................1060

Part 12

Port Security

Chapter 55

Understanding Port Security

1063

Port Security for EX Series Switches Overview ..........................................1063
Understanding How to Protect Access Ports on EX Series Switches from Common Attacks ......1065
Mitigation of Ethernet Switching Table Overflow Attacks ....................1065
Mitigation of Rogue DHCP Server Attacks ...........................................1065
Protection Against ARP Spoofing Attacks ............................................1066
Protection Against DHCP Snooping Database Alteration Attacks .........1066
Protection Against DHCP Starvation Attacks .......................................1066
Understanding DHCP Snooping for Port Security on EX Series Switches ....1067
DHCP Snooping Basics ........................................................................1067
Persistence of IP-MAC Bindings ..........................................................1068
DHCP Snooping Process .....................................................................1068
DHCP Server Access ...........................................................................1069
Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN ......1069
Switch Acts as DHCP Server .........................................................1071
Switch Acts as Relay Agent ...........................................................1072
DHCP Snooping Table .........................................................................1073
Static IP Address Additions to the DHCP Snooping Database ..............1073
Understanding DAI for Port Security on EX Series Switches ......................1074
Address Resolution Protocol ...............................................................1074
ARP Spoofing ......................................................................................1074
DAI on EX Series Switches ..................................................................1075


Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches ......1076
MAC Limiting ......................................................................................1076
MAC Move Limiting ............................................................................1076
Actions for MAC Limiting and MAC Move Limiting .............................1077
MAC Addresses That Exceed the MAC Limit or MAC Move Limit ........1077
Understanding Trusted DHCP Servers for Port Security on EX Series Switches ......1078
Understanding DHCP Option 82 for Port Security on EX Series Switches ...1078
DHCP Option 82 Processing ...............................................................1079
Suboption Components of Option 82 ..................................................1079
Configurations of the EX Series Switch That Support Option 82 ..........1080
Switch and Clients Are on Same VLAN as DHCP Server ...............1080
Switch Acts as Relay Agent ...........................................................1081
Understanding IP Source Guard for Port Security on EX Series Switches ....1082
IP Address Spoofing ............................................................................1082
How IP Source Guard Works ...............................................................1082
The IP Source Guard Database ............................................................1083
Typical Uses of Other JUNOS Software Features with IP Source Guard ......1083
Understanding Proxy ARP for Port Security on EX Series Switches ...........1084
What Is ARP? ......................................................................................1084
Unrestricted Proxy ARP Overview ......................................................1084
Why Disable Gratuitous ARP Requests? ..............................................1084
Chapter 56

Examples of Configuring Port Security

1087

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch ......1087
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks ......1094
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks ......1098
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks ......1101
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks ......1105
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks ......1109
Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch ......1112
Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces ......1120
Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN ......1128
Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server ......1135


Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server ......1138
Example: Configuring Unrestricted Proxy ARP on an EX Series Switch .....1142
Chapter 57

Configuring Port Security

1149

Configuring Port Security (CLI Procedure) .................................................1150
Configuring Port Security (J-Web Procedure) .............................................1151
Enabling DHCP Snooping (CLI Procedure) .................................................1154
Enabling DHCP Snooping (J-Web Procedure) .............................................1155
Enabling a Trusted DHCP Server (CLI Procedure) ......................................1156
Enabling a Trusted DHCP Server (J-Web Procedure) ..................................1156
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) ......1157
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) ......1160
Enabling Dynamic ARP Inspection (CLI Procedure) ...................................1163
Enabling Dynamic ARP Inspection (J-Web Procedure) ...............................1164
Configuring MAC Limiting (CLI Procedure) ................................................1165
Configuring MAC Limiting (J-Web Procedure) ............................................1167
Configuring MAC Move Limiting (CLI Procedure) .......................................1169
Configuring MAC Move Limiting (J-Web Procedure) ...................................1171
Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) ......1172
Configuring IP Source Guard (CLI Procedure) ............................................1173
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) ......1175
Configuring Unrestricted Proxy ARP (CLI Procedure) .................................1176
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) ......1177
Chapter 58

Verifying Port Security

1179

Monitoring Port Security ...........................................................................1179
Verifying That DHCP Snooping Is Working Correctly .................................1180
Verifying That a Trusted DHCP Server Is Working Correctly ......................1181
Verifying That DAI Is Working Correctly ....................................................1182
Verifying That MAC Limiting Is Working Correctly ....................................1183
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly ......1184
Verifying That Allowed MAC Addresses Are Working Correctly ...........1184
Verifying Results of Various Action Settings When the MAC Limit Is Exceeded ......1185
Customizing the Ethernet Switching Table Display to View Information for a Specific Interface ......1187
Verifying That MAC Move Limiting Is Working Correctly ...........................1188
Verifying That IP Source Guard Is Working Correctly .................................1188
Verifying That the Port Error Disable Setting Is Working Correctly ............1189
Verifying That Unrestricted Proxy ARP Is Working Correctly .....................1190


Chapter 59

Troubleshooting Port Security

1193

Troubleshooting Port Security ...................................................................1193
No IP Address or Lease Time Is Assigned to DHCP Client MAC Addresses in the DHCP Snooping Database ......1193
MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the Ethernet Switching Table ......1194
Chapter 60

Configuration Statements for Port Security

1195

[edit ethernet-switching-options] Configuration Statement Hierarchy ........1195
[edit forwarding-options] Configuration Statement Hierarchy ....................1197
action-shutdown ........................................................................................1199
allowed-mac ..............................................................................................1200
arp-inspection ...........................................................................................1201
circuit-id ....................................................................................................1202
dhcp-option82 ...........................................................................................1203
dhcp-trusted ..............................................................................................1204
disable-timeout ..........................................................................................1205
ethernet-switching-options ........................................................................1206
examine-dhcp ...........................................................................................1209
interface ....................................................................................................1210
ip-source-guard ..........................................................................................1211
mac ...........................................................................................................1212
mac-limit ...................................................................................................1213
mac-move-limit .........................................................................................1214
no-allowed-mac-log ...................................................................................1215
no-gratuitous-arp-request ..........................................................................1216
prefix ........................................................................................................1217
prefix ........................................................................................................1218
proxy-arp ..................................................................................................1219
remote-id ..................................................................................................1220
secure-access-port .....................................................................................1221
static-ip .....................................................................................................1223
traceoptions ..............................................................................................1224
use-interface-description ...........................................................................1226
use-string ..................................................................................................1227
use-vlan-id .................................................................................................1228
vendor-id ...................................................................................................1229
vlan ...........................................................................................................1230
vlan ...........................................................................................................1231
Chapter 61

Operational Mode Commands for Port Security

1233

clear arp inspection statistics .....................................................................1234
clear dhcp snooping binding .....................................................................1235
show arp inspection statistics ....................................................................1236
show dhcp snooping binding .....................................................................1237


show ethernet-switching table ...................................................................1238
show ip-source-guard ................................................................................1244
show system statistics arp .........................................................................1246

Part 13

Routing Policy and Packet Filtering (Firewall Filters)

Chapter 62

Understanding Firewall Filters

1249

Firewall Filters for EX Series Switches Overview .......................................1249
Firewall Filter Types ............................................................................1250
Firewall Filter Components .................................................................1250
Firewall Filter Processing ....................................................................1251
Understanding Planning of Firewall Filters ................................................1252
Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches ......1254
Understanding How Firewall Filters Control Packet Flows .........................1255
Firewall Filter Match Conditions and Actions for EX Series Switches .........1256
Understanding How Firewall Filters Are Evaluated ....................................1267
Understanding Firewall Filter Match Conditions ........................................1269
Filter Match Conditions .......................................................................1269
Numeric Filter Match Conditions ........................................................1269
Interface Filter Match Conditions ........................................................1270
IP Address Filter Match Conditions .....................................................1270
MAC Address Filter Match Conditions .................................................1271
Bit-Field Filter Match Conditions .........................................................1272
Understanding How Firewall Filters Test a Packet's Protocol .....................1273
Understanding the Use of Policers in Firewall Filters .................................1274
Understanding Filter-Based Forwarding for EX Series Switches .................1274
Chapter 63

Examples of Configuring Firewall Filters

1275

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches ......1275
Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches ......1295
Chapter 64

Configuring Firewall Filters

1301

Configuring Firewall Filters (CLI Procedure) ...............................................1301
Configuring a Firewall Filter ................................................................1301
Applying a Firewall Filter to a Port on a Switch ...................................1304


Applying a Firewall Filter to a VLAN on a Network ..............................1305
Applying a Firewall Filter to a Layer 3 (Routed) Interface ....................1305
Configuring Firewall Filters (J-Web Procedure) ..........................................1307
Configuring Policers to Control Traffic Rates (CLI Procedure) ....................1310
Configuring Policers ............................................................................1311
Specifying Policers in a Firewall Filter Configuration ...........................1312
Applying a Firewall Filter That Is Configured with a Policer ................1312
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) ......1313
Chapter 65

Verifying Firewall Filters

1315

Verifying That Firewall Filters Are Operational ..........................................1315
Verifying That Policers Are Operational .....................................................1316
Monitoring Firewall Filter Traffic ...............................................................1316
Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch ......1317
Monitoring Traffic for a Specific Firewall Filter ....................................1317
Monitoring Traffic for a Specific Policer ..............................................1317
Chapter 66

Troubleshooting Firewall Filters

1319

Troubleshooting Firewall Filters .................................................................1319
Firewall Filter Configuration Returns a No Space Available in TCAM Message ......1319
Chapter 67

Configuration Statements for Firewall Filters

1323

[edit firewall] Configuration Statement Hierarchy .....................................1323
Firewall Filter Configuration Statements Supported by JUNOS Software for EX Series Switches ......1324
bandwidth-limit .........................................................................................1327
burst-size-limit ...........................................................................................1327
family ........................................................................................................1328
filter ..........................................................................................................1329
filter ..........................................................................................................1330
filter-specific ..............................................................................................1331
from ..........................................................................................................1331
if-exceeding ...............................................................................................1332
interface-specific .......................................................................................1332
policer .......................................................................................................1333
term ..........................................................................................................1334
then ...........................................................................................................1335
then ...........................................................................................................1336


Chapter 68

Operational Mode Commands for Firewall Filters

1337

clear firewall ..............................................................................................1338
show firewall .............................................................................................1339
show interfaces filters ...............................................................................1342
show interfaces policers ............................................................................1344
show policer ..............................................................................................1346

Part 14

CoS

Chapter 69

Understanding CoS

1351

JUNOS CoS for EX Series Switches Overview .............................................1352
How JUNOS CoS Works ......................................................................1352
Default CoS Behavior on EX Series Switches .......................................1353
Understanding JUNOS CoS Components for EX Series Switches ................1353
Code-Point Aliases ..............................................................................1354
Policers ...............................................................................................1354
Classifiers ...........................................................................................1354
Forwarding Classes .............................................................................1354
Tail Drop Profiles ................................................................................1355
Schedulers ..........................................................................................1355
Rewrite Rules ......................................................................................1355
Understanding CoS Code-Point Aliases ......................................................1356
Default Code-Point Aliases ..................................................................1356
Understanding CoS Classifiers ...................................................................1359
Behavior Aggregate Classifiers ............................................................1359
Default Behavior Aggregate Classification .....................................1359
Multifield Classifiers ............................................................................1360
Understanding CoS Forwarding Classes .....................................................1361
Default Forwarding Classes .................................................................1361
Understanding CoS Tail Drop Profiles ........................................................1364
Understanding CoS Schedulers ..................................................................1364
Default Schedulers ..............................................................................1365
Transmission Rate ..............................................................................1365
Scheduler Buffer Size ..........................................................................1366
Priority Scheduling ..............................................................................1366
Scheduler Drop-Profile Maps ...............................................................1367
Scheduler Maps ...................................................................................1367
Understanding CoS Two-Color Marking .....................................................1367
Understanding CoS Rewrite Rules .............................................................1368
Default Rewrite Rule ...........................................................................1369


Understanding Port Shaping and Queue Shaping for CoS on EX Series Switches ......1370
Port Shaping .......................................................................................1370
Queue Shaping ...................................................................................1370
Understanding JUNOS EZQoS for CoS Configurations on EX Series Switches ......1370
Chapter 70

Examples of Configuring CoS

1373

Example: Configuring CoS on EX Series Switches .....................................1373
Chapter 71

Configuring CoS

1391

Configuring CoS (J-Web Procedure) ...........................................................1391
Defining CoS Code-Point Aliases (J-Web Procedure) ..................................1392
Defining CoS Code-Point Aliases (CLI Procedure) ......................................1394
Defining CoS Classifiers (CLI Procedure) ....................................................1394
Defining CoS Classifiers (J-Web Procedure) ...............................................1396
Defining CoS Forwarding Classes (CLI Procedure) .....................................1398
Defining CoS Forwarding Classes (J-Web Procedure) .................................1398
Defining CoS Schedulers (CLI Procedure) ..................................................1400
Defining CoS Schedulers (J-Web Procedure) ..............................................1401
Configuring CoS Tail Drop Profiles (CLI Procedure) ...................................1403
Defining CoS Rewrite Rules (CLI Procedure) ..............................................1404
Defining CoS Rewrite Rules (J-Web Procedure) ..........................................1405
Assigning CoS Components to Interfaces (CLI Procedure) .........................1407
Assigning CoS Components to Interfaces (J-Web Procedure) .....................1407
Configuring JUNOS EZQoS for CoS (CLI Procedure) ...................................1409

Chapter 72  Verifying CoS  1411
Monitoring CoS Classifiers .........................................................................1411
Monitoring CoS Forwarding Classes ..........................................................1412
Monitoring Interfaces That Have CoS Components ...................................1413
Monitoring CoS Rewrite Rules ...................................................................1414
Monitoring CoS Scheduler Maps ................................................................1415
Monitoring CoS Value Aliases ....................................................................1417

Chapter 73  Configuration Statements for CoS  1419
[edit class-of-service] Configuration Statement Hierarchy ..........................1419
broadcast ..................................................................................................1421
buffer-size .................................................................................................1422
class ..........................................................................................................1423
class-of-service ..........................................................................................1424
classifiers ..................................................................................................1426
code-point-aliases ......................................................................................1427
code-points ................................................................................................1427

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

drop-profile-map .......................................................................................1428
dscp ..........................................................................................................1429
ethernet ....................................................................................................1430
family ........................................................................................................1430
forwarding-class ........................................................................................1431
ieee-802.1 .................................................................................................1432
import .......................................................................................................1433
inet ............................................................................................................1434
inet-precedence .........................................................................................1435
interfaces ..................................................................................................1436
loss-priority ...............................................................................................1437
multi-destination .......................................................................................1438
priority ......................................................................................................1439
protocol .....................................................................................................1439
rewrite-rules ..............................................................................................1440
scheduler-map ...........................................................................................1441
scheduler-maps .........................................................................................1442
schedulers .................................................................................................1443
shaping-rate ..............................................................................................1444
transmit-rate .............................................................................................1445
unit ...........................................................................................................1446

Chapter 74  Operational Mode Commands for CoS  1447
show class-of-service .................................................................................1448
show pfe statistics traffic ...........................................................................1452
show pfe statistics traffic cpu ....................................................................1455
show pfe statistics traffic egress-queues ....................................................1459
show pfe statistics traffic multicast ............................................................1461

Part 15  PoE

Chapter 75  Understanding PoE  1467
PoE and EX Series Switches Overview ......................................................1467
PoE and Power Supply Units in EX Series Switches ............................1467
Power Management Mode ..................................................................1468
Classes of Powered Devices ................................................................1468
Global and Specific PoE Parameters ....................................................1469

Chapter 76  Examples of Configuring PoE  1471
Example: Configuring PoE Interfaces on an EX Series Switch ....................1471
Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch .................................................................................................1474

Chapter 77  Configuring PoE  1479
Configuring PoE (CLI Procedure) ...............................................................1479
Configuring PoE (J-Web Procedure) ...........................................................1481

Chapter 78  Verifying PoE  1483
Monitoring PoE .........................................................................................1483
Verifying Status of PoE Interfaces on an EX Series Switch .........................1484

Chapter 79  Configuration Statements for PoE  1485
[edit poe] Configuration Statement Hierarchy ...........................................1485
disable .......................................................................................................1486
duration ....................................................................................................1487
guard-band ................................................................................................1488
interface ....................................................................................................1489
interval ......................................................................................................1490
management .............................................................................................1491
maximum-power .......................................................................................1492
priority ......................................................................................................1493
telemetries ................................................................................................1494

Chapter 80  Operational Mode Commands for PoE  1495
show poe controller ...................................................................................1496
show poe interface ....................................................................................1497
show poe telemetries interface ..................................................................1499

Part 16  MPLS

Chapter 81  Understanding JUNOS MPLS  1503
JUNOS MPLS for EX Series Switches Overview ..........................................1503
Benefits of MPLS .................................................................................1503
Additional Benefits of MPLS and Traffic Engineering ..........................1504
MPLS Label Switched Paths and MPLS Labels on EX Series Switches ...1504
MPLS Label Operations on EX Series Switches ....................................1505
Understanding JUNOS MPLS Components for EX Series Switches .............1506
Provider Edge Switches .......................................................................1507
MPLS Protocol and Label Switched Paths .....................................1507
Circuit Cross-Connect ...................................................................1507
Provider Switch ...................................................................................1508
Components Required for All Switches in the MPLS Network .............1508
OSPF or IS-IS as a Routing Protocol ..............................................1508
Traffic Engineering .......................................................................1508
MPLS Protocol ..............................................................................1509
RSVP ............................................................................................1509
Family MPLS .......................................................................................1509
Understanding MPLS and Path Protection on EX Series Switches ..............1510

Chapter 82  Example of JUNOS MPLS Configuration  1511
Example: Configuring MPLS on EX Series Switches ...................................1511

Chapter 83  Configuring JUNOS MPLS  1527
Configuring Path Protection in an MPLS Network (CLI Procedure) .............1527
Configuring the Primary Path .............................................................1528
Configuring the Secondary Path ..........................................................1528
Configuring the Revert Timer ..............................................................1529
Configuring MPLS on Provider Edge Switches (CLI Procedure) ..................1530
Enabling the OSPF or the IS-IS Routing Protocol on the Loopback and Core Interfaces .............................................................................1531
Enabling Traffic Engineering for the Routing Protocol .........................1531
Configuring IP Addresses for the Loopback and Core Interfaces .........1531
Enabling MPLS, Defining the Label Switched Path, and Applying MPLS to the Core Interfaces ...................................................................1532
Enabling RSVP and Applying It to the Loopback and Core Interfaces ...1532
Enabling Family MPLS on the Core Interfaces .....................................1533
Configuring a Circuit Cross-Connect on a Customer Edge Interface ....1533
Configuring MPLS on Provider Switches (CLI Procedure) ...........................1535
Enabling the OSPF or the IS-IS Routing Protocol on the Loopback and Core Interfaces .............................................................................1536
Enabling Traffic Engineering for the Routing Protocol .........................1536
Enabling MPLS and Applying MPLS to the Core Interfaces ..................1536
Enabling RSVP and Applying It to the Loopback and Core Interfaces ...1537
Configuring IP Addresses for the Loopback and Core Interfaces .........1537
Enabling Family MPLS on the Core Interfaces .....................................1537

Chapter 84  Verifying MPLS  1539
Verifying That MPLS Is Working Correctly .................................................1539
Verifying the Physical Layer on the Switches ......................................1539
Verifying the Routing Protocol ............................................................1540
Verifying the Core Interfaces Being Used for the MPLS Traffic ............1540
Verifying RSVP ....................................................................................1540
Verifying the Assignment of Interfaces for MPLS Label Operations .....1541
Verifying the Status of the CCC ...........................................................1541

Chapter 85  Configuration Statements for MPLS  1543
[edit protocols] Configuration Statement Hierarchy ...................................1543
connections ...............................................................................................1549
family ccc ..................................................................................................1549
family mpls ...............................................................................................1550
interface ....................................................................................................1550
label-switched-path ...................................................................................1551
mpls ..........................................................................................................1552
path ...........................................................................................................1553
primary .....................................................................................................1554
remote-interface-switch .............................................................................1555
revert-timer ...............................................................................................1556
rsvp ...........................................................................................................1556
secondary ..................................................................................................1557
standby .....................................................................................................1557
traffic-engineering .....................................................................................1558

Chapter 86  Operational Mode Commands for MPLS  1559
show connections ......................................................................................1560
show route forwarding-table ......................................................................1564
show mpls interface ..................................................................................1571
show rsvp session .....................................................................................1572

Part 17  Network Management and Monitoring

Chapter 87  Understanding Network Monitoring  1579
Understanding Real-Time Performance Monitoring on EX Series Switches .............................................................................................1579
RPM Packet Collection ........................................................................1580
Tests and Probe Types ........................................................................1580
Hardware Timestamps ........................................................................1580
Limitations of RPM .............................................................................1582

Chapter 88  Configuring Network Monitoring  1583
Configuring Real-Time Performance Monitoring (J-Web Procedure) ..........1583

Chapter 89  Verifying Network Monitoring  1593
Viewing Real-Time Performance Monitoring Information ..........................1593

Chapter 90  Understanding Port Mirroring  1595
Port Mirroring on EX Series Switches Overview ........................................1595
Port Mirroring Overview .....................................................................1595
Limitations of Port Mirroring ........................................................1596
Port Mirroring Terminology ................................................................1597

Chapter 91  Examples of Configuring Port Mirroring  1599
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches ...................................................1599
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX Series Switches ...................................................1605

Chapter 92  Configuring Port Mirroring  1613
Configuring Port Mirroring to Analyze Traffic (CLI Procedure) ...................1613
Configuring Port Mirroring for Local Traffic Analysis ...........................1613
Configuring Port Mirroring for Remote Traffic Analysis .......................1614
Filtering the Traffic Entering a Port Mirroring Analyzer .......................1615
Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) ...............1617

Chapter 93  Configuration Statements for Port Mirroring  1619
[edit ethernet-switching-options] Configuration Statement Hierarchy ........1619
analyzer ....................................................................................................1622
egress ........................................................................................................1623
ethernet-switching-options ........................................................................1624
ingress .......................................................................................................1627
input .........................................................................................................1628
interface ....................................................................................................1629
loss-priority ...............................................................................................1630
output .......................................................................................................1631
ratio ..........................................................................................................1632
vlan ...........................................................................................................1632

Chapter 94  Operational Mode Commands for Port Mirroring  1633
show analyzer ...........................................................................................1634

Chapter 95  Understanding sFlow Technology  1635
Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch .................................................................................1635

Chapter 96  Example of sFlow Technology Configuration  1637
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches .............................................................................................1637

Chapter 97  Configuring sFlow Technology  1643
Configuring sFlow Technology for Network Monitoring (CLI Procedure) ....1643

Chapter 98  Configuration Statements for sFlow Technology  1645
[edit protocols] Configuration Statement Hierarchy ...................................1645
collector ....................................................................................................1651
disable .......................................................................................................1651
interfaces ..................................................................................................1652
polling-interval ..........................................................................................1653
sample-rate ...............................................................................................1654
sflow .........................................................................................................1655
udp-port ....................................................................................................1656

Chapter 99  Operational Mode Commands for sFlow Technology  1657
show sflow ................................................................................................1658
show sflow collector ..................................................................................1659
show sflow interface .................................................................................1660

Chapter 100  Understanding Ethernet OAM Link Fault Management  1661
Understanding Ethernet OAM Link Fault Management for an EX Series Switch .................................................................................................1661

Chapter 101  Example of Ethernet OAM Link Fault Management Configuration  1663
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches .............................................................................................1663

Chapter 102  Configuring Ethernet OAM Link Fault Management  1667
Configuring Ethernet OAM Link Fault Management (CLI Procedure) .........1667

Chapter 103  Configuration Statements for Ethernet OAM Link Fault Management  1671
action ........................................................................................................1671
action-profile .............................................................................................1672
allow-remote-loopback ..............................................................................1673
ethernet ....................................................................................................1674
event .........................................................................................................1675
event-thresholds ........................................................................................1675
frame-error ................................................................................................1676
frame-period .............................................................................................1676
frame-period-summary .............................................................................1677
interface ....................................................................................................1678
link-adjacency-loss ....................................................................................1679
link-discovery ............................................................................................1680
link-down ..................................................................................................1680
link-event-rate ...........................................................................................1681
link-fault-management ..............................................................................1682
negotiation-options ...................................................................................1683
no-allow-link-events ..................................................................................1683
oam ...........................................................................................................1684
pdu-interval ...............................................................................................1685
pdu-threshold ............................................................................................1686
remote-loopback .......................................................................................1686
symbol-period ...........................................................................................1687
syslog ........................................................................................................1687

Chapter 104  Operational Mode Commands for Ethernet OAM Link Fault Management  1689
show oam ethernet link-fault-management ...............................................1690

Chapter 105  Configuration Statements for Network Management  1695
[edit snmp] Configuration Statement Hierarchy ........................................1695
bucket-size ................................................................................................1696
history .......................................................................................................1697
interface ....................................................................................................1698
owner ........................................................................................................1698
rmon .........................................................................................................1699

List of Figures

Part 1  JUNOS Software for EX Series Switches Product Overview

Chapter 1  Product Overview  3
Figure 1: Basic VRRP on EX Series Switches ..................................................18
Figure 2: VRRP on EX 4200 Virtual Chassis Switches ....................................19
Figure 3: EX8208 Switch ...............................................................................29
Figure 4: EX8216 Switch Front ......................................................................32
Figure 5: EX8216 Switch Rear .......................................................................33

Part 4  Initial Configuration, Software Installation, and Upgrades

Chapter 5  Initial Configuration  79
Figure 6: LCD Panel in EX Series Switches ....................................................81

Part 5  System Basics

Chapter 11  Administering and Monitoring Basic System Functions  139
Figure 7: EX Series Switch LCD Panel ..........................................................155

Chapter 12  Troubleshooting Basic System Functions  165
Figure 8: Connecting to the Console Port on the EX Series Switch ..............165

Part 6  Virtual Chassis

Chapter 14  Understanding Virtual Chassis  177
Figure 9: Console Session Redirection .........................................................186
Figure 10: Management Ethernet Port Redirection to VME ..........................187
Figure 11: Normal Traffic Flow in a Ring Topology Using Dedicated VCPs .....................................................................................................193
Figure 12: Traffic Redirected by Fast Failover After Dedicated VCP Link Failure ..................................................................................................194
Figure 13: Normal Traffic Flow in a Ring Topology Using SFP Uplink Module VCPs .....................................................................................................195
Figure 14: Traffic Redirected by Fast Failover After SFP Uplink Module VCP Link Failure ...........................................................................................196
Figure 15: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings ................................................................197

Chapter 15  Examples of Configuring Virtual Chassis  203
Figure 16: Basic Virtual Chassis with Master and Backup ............................205
Figure 17: Expanded Virtual Chassis in Single Wiring Closet .......................210
Figure 18: Default Configuration of Multimember Virtual Chassis in a Single Wiring Closet ........................................................................................215
Figure 19: Virtual Chassis Interconnected Across Wiring Closets .................222
Figure 20: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch .....................................................229
Figure 21: Maximum Size Virtual Chassis Interconnected Across Wiring Closets ..................................................................................................244
Figure 22: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings ................................................................252
Figure 23: Virtual Chassis Interconnected Across Wiring Closets to Form LAGs .....................................................................................................258

Part 7  Interfaces

Chapter 21  Understanding Interfaces  339
Figure 24: Symmetrically Routed Interfaces ................................................348
Figure 25: Asymmetrically Routed Interfaces ..............................................350

Chapter 22  Examples of Configuring Interfaces  351
Figure 26: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch .....................................................353

Part 8  Layer 2 Bridging, VLANs, and Spanning Trees

Chapter 28  Understanding Layer 2 Bridging, VLANs, and GVRP  467
Figure 27: Redundant Trunk Group, Link 1 Active .......................................474
Figure 28: Redundant Trunk Group, Link 2 Active .......................................475

Chapter 29  Examples of Configuring Layer 2 Bridging, VLANs, and GVRP  483
Figure 29: Topology for Configuration .........................................................499
Figure 30: GVRP Configured on Two Access Switches and One Distribution Switch for Automatic VLAN Administration ..........................................510
Figure 31: Topology for Configuring the Redundant Trunk Links .................525

Chapter 34  Examples of Configuring Spanning Trees  579
Figure 32: Network Topology for RSTP ........................................................580
Figure 33: Network Topology for MSTP .......................................................595
Figure 34: BPDU Protection Topology .........................................................616
Figure 35: BPDU Protection Topology .........................................................621
Figure 36: Network Topology for Loop Protection .......................................625
Figure 37: Network Topology for Root Protection ........................................630

Part 9  Layer 3 Protocols

Chapter 40  Examples of Configuring Layer 3 Protocols  767
Figure 38: Topology for IP Directed Broadcast ............................................768

Part 10  IGMP Snooping and Multicast

Chapter 43  Understanding IGMP Snooping and Multicast  795
Figure 39: IGMP Traffic Flow with IGMP Snooping Enabled .........................796
Figure 40: IGMP Traffic Flow with Routed VLAN Interfaces .........................798

Chapter 44  Examples of Configuring IGMP Snooping and Multicast  803
Figure 41: MVR Topology in Transparent Mode ...........................................808
Figure 42: MVR Topology in Proxy Mode ....................................................809

Part 11  Access Control

Chapter 49  802.1X and MAC RADIUS Authentication Overview  865
Figure 43: Example 802.1X Topology .........................................................869
Figure 44: Authentication Process ...............................................................871
Figure 45: VoIP Multiple Supplicant Topology .............................................880
Figure 46: VoIP Single Supplicant Topology .................................................881

Chapter 50  Examples of Configuring Access Control  883
Figure 47: Topology for Configuration .........................................................885
Figure 48: Topology for Configuration .........................................................889
Figure 49: Topology for Guest VLAN Example .............................................894
Figure 50: Topology for Static MAC Authentication Configuration ...............899
Figure 51: Topology for MAC RADIUS Authentication Configuration ...........904
Figure 52: Topology for Configuring Supplicant Modes ................................909
Figure 53: Topology for Firewall Filter and RADIUS Server Attributes Configuration ........................................................................................915
Figure 54: VoIP Topology ............................................................................921
Figure 55: Conceptual Model: Dynamic Filter Updated for Each New User ......................................................................................................937
Figure 56: Multiple Supplicants on an 802.1X-Enabled Interface Connecting to a File Server ......................................................................................938

Part 12  Port Security

Chapter 55  Understanding Port Security  1063
Figure 57: DHCP Snooping ........................................................................1069
Figure 58: DHCP Server Connected Directly to Switch ..............................1070
Figure 59: DHCP Server Connected Directly to Switch 2, with Switch 2 Connected to Switch 1 Through a Trusted Trunk Port .........................1071
Figure 60: Switch Is the DHCP Server ........................................................1072
Figure 61: Switch Acting as Relay Agent Through Router to DHCP Server ...1073
Figure 62: DHCP Clients, Switch, and DHCP Server Are All on Same VLAN ..................................................................................................1080
Figure 63: Switch Relays DHCP Requests to Server ...................................1081

Chapter 56  Examples of Configuring Port Security  1087
Figure 64: Network Topology for Basic Port Security .................................1089
Figure 65: Network Topology for Basic Port Security .................................1096
Figure 66: Network Topology for Basic Port Security .................................1099
Figure 67: Network Topology for Basic Port Security .................................1103
Figure 68: Network Topology for Basic Port Security .................................1106
Figure 69: Network Topology for Basic Port Security .................................1110
Figure 70: Network Topology for Port Security Setup with Two Switches on
the Same VLAN ...................................................................................1114
Figure 71: Network Topology for Configuring DHCP Option 82 on a Switch
That Is on the Same VLAN as the DHCP Clients and the DHCP
Server .................................................................................................1140

List of Figures

xlv

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Part 13

Routing Policy and Packet Filtering (Firewall Filters)


Chapter 62

Chapter 63

Part 14

CoS
Chapter 69
Chapter 70

Part 16

Chapter 82

Part 17

Understanding JUNOS MPLS


1503
Figure 78: MPLS Label Swapping ...............................................................1506
Example of JUNOS MPLS Configuration
1511
Figure 79: Configuring MPLS on EX Series Switches ..................................1512

Network Management and Monitoring


Chapter 87
Chapter 91

Chapter 96

Understanding CoS
1351
Figure 76: Packet Flow Across the Network ...............................................1353
Examples of Configuring CoS
1373
Figure 77: Topology for Configuring CoS ...................................................1374

MPLS
Chapter 81

xlvi

Understanding Firewall Filters


1249
Figure 72: Firewall Filter Processing Points in the Packet Forwarding
Path ....................................................................................................1254
Figure 73: Application of Firewall Filters to Control Packet Flow ...............1256
Figure 74: Evaluation of Terms Within a Firewall Filter .............................1268
Examples of Configuring Firewall Filters
1275
Figure 75: Application of Port, VLAN, and Layer 3 Routed Firewall Filters ...1277

List of Figures

Understanding Network Monitoring


1579
Figure 80: RPM Timestamps .....................................................................1581
Examples of Configuring Port Mirroring
1599
Figure 81: Network Topology for Local Port Mirroring Example ................1600
Figure 82: Remote Port Mirroring Example Network Topology .................1606
Example of sFlow Technology Configuration
1637
Figure 83: sFlow Technology Monitoring System ......................................1638

List of Tables

Part 1  JUNOS Software for EX Series Switches Product Overview
Chapter 1  Product Overview  3
Table 1: Summary of Software Features Available on EX Series Switches .......3
Table 2: Supported JUNOS Layer 3 Protocol Statements and Features ...........12
Table 3: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported ...............................................................................................13
Table 4: JUNOS Software Processes ...............................................................23
Table 5: EX3200 Switch Models ....................................................................26
Table 6: EX4200 Switch Models ....................................................................27

Part 3  Software User Interfaces
Chapter 4  J-Web Graphical User Interface  61
Table 7: J-Web Interface ................................................................................62
Table 8: J-Web Edit Point & Click Configuration Links ...................................64
Table 9: J-Web Edit Point & Click Configuration Icons ...................................64
Table 10: J-Web Edit Point & Click Configuration Buttons .............................65
Table 11: Switching Platform Configuration Interfaces ..................................67
Table 12: System Information Panel .............................................................69
Table 13: Health Status ..................................................................................69
Table 14: Capacity Utilization ........................................................................70
Table 15: Chassis Viewer for EX3200 and EX4200 Switches .........................72
Table 16: Chassis Viewer for EX8208 Switches .............................................73
Table 17: Chassis Viewer for EX8216 Switches .............................................74

Part 4  Initial Configuration, Software Installation, and Upgrades
Chapter 6  Software Installation  85
Table 18: Install Remote Summary ...............................................................95
Table 19: Upload Package Summary .............................................................96
Chapter 7  Configuration File Management  103
Table 20: Configuration File Terms .............................................................104
Table 21: J-Web Configuration History Summary ........................................107
Table 22: J-Web Configuration Database Information Summary .................108
Table 23: Options for the load command ....................................................110

Part 5  System Basics
Chapter 9  Understanding Basic System Concepts  131
Table 24: Alarm Terms ................................................................................131
Chapter 10  Configuring Basic System Functions  133
Table 25: Secure Management Access Configuration Summary ..................134
Table 26: Date and Time Settings ................................................................136
Chapter 11  Administering and Monitoring Basic System Functions  139
Table 27: J-Web Ping Host Field Summary ..................................................140
Table 28: Packet Capture Field Summary ....................................................141
Table 29: Traceroute field summary ............................................................144
Table 30: Summary of Key System Properties Output Fields .......................145
Table 31: Summary of System Process Information Output Fields ..............147
Table 32: User Management > Add a User Configuration Page Summary ..............................................................................................149
Table 33: Add an Authentication Server ......................................................150
Table 34: Summary of Key Alarm Output Fields .........................................157
Table 35: Chassis Alarms for EX8200 Switches ...........................................158
Table 36: Filtering System Log Messages .....................................................161
Table 37: Viewing System Log Messages .....................................................162
Chapter 13  Operational Mode Commands for Basic System Functions  169
Table 38: show snmp rmon history Output Fields .......................................171

Part 6  Virtual Chassis
Chapter 15  Examples of Configuring Virtual Chassis  203
Table 39: Components of the Basic Virtual Chassis Access Switch Topology ...............................................................................................205
Table 40: Components of the Expanded Virtual Chassis Access Switch .......210
Table 41: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets .......................................................................................222
Table 42: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch ..................................229
Table 43: Components of a Preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets ..............................................................242
Chapter 16  Configuring Virtual Chassis  265
Table 44: Virtual Chassis Configuration Fields .............................................269
Chapter 17  Verifying Virtual Chassis  285
Table 45: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration ................................................................286
Table 46: Commands Relevant Only to the Master ......................................288
Chapter 20  Operational Mode Commands for Virtual Chassis  311
Table 47: show system uptime Output Fields ..............................................318
Table 48: show virtual-chassis active-topology Output Fields .......................320
Table 49: show virtual-chassis fast-failover Output Fields ............................322
Table 50: show virtual-chassis Output Fields ...............................................323
Table 51: show virtual-chassis vc-path Output Fields ...................................325
Table 52: show virtual-chassis vc-port Output Fields ...................................327
Table 53: show virtual-chassis vc-port statistics Output Fields .....................331

Part 7  Interfaces
Chapter 22  Examples of Configuring Interfaces  351
Table 54: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch ..................................353
Table 55: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution Switch .....................................364
Chapter 23  Configuring Interfaces  377
Table 56: Port Edit Options .........................................................................378
Table 57: Recommended CoS Settings for Port Roles ..................................382
Table 58: Aggregated Ethernet Interface Options ........................................388
Table 59: VLAN Options ..............................................................................389
Chapter 25  Troubleshooting Interfaces  403
Table 60: Port Role Configuration Summary ...............................................405
Table 61: Recommended CoS Settings for Port Roles ..................................408
Chapter 27  Operational Mode Commands for Interfaces  441
Table 62: show interfaces ge- Output Fields ................................................442
Table 63: show interfaces xe- Output Fields ................................................454

Part 8  Layer 2 Bridging, VLANs, and Spanning Trees
Chapter 29  Examples of Configuring Layer 2 Bridging, VLANs, and GVRP  483
Table 64: Components of the Basic Bridging Configuration Topology ..........484
Table 65: Components of the Multiple VLAN Topology ................................491
Table 66: Components of the Topology for Connecting an Access Switch to a Distribution Switch .............................................................................499
Table 67: Components of the Network Topology .........................................510
Table 68: Components of the Redundant Trunk Link Topology ...................525
Table 69: Components of the Topology for Setting Up Q-in-Q Tunneling .....531
Table 70: Components of the Topology for Configuring a Private VLAN ......533
Chapter 30  Configuring Layer 2 Bridging, VLANs, and GVRP  543
Table 71: VLAN Configuration Details ..........................................................544
Table 72: GVRP Timer Settings ....................................................................556
Table 73: RTG Configuration Fields .............................................................557
Chapter 31  Verifying Layer 2 Bridging, VLANs, and GVRP  559
Table 74: Ethernet Switching Output Fields .................................................566
Table 75: Summary of GVRP Output Fields .................................................567
Chapter 34  Examples of Configuring Spanning Trees  579
Table 76: Components of the Topology for Configuring RSTP on EX Series Switches ...............................................................................................581
Table 77: Components of the Topology for Configuring MSTP on EX Series Switches ...............................................................................................595
Table 78: Components of the Topology for Configuring BPDU Protection on EX Series Switches ................................................................................616
Table 79: Components of the Topology for Configuring BPDU Protection on EX Series Switches ................................................................................621
Table 80: Components of the Topology for Configuring Loop Protection on EX Series Switches ................................................................................625
Table 81: Components of the Topology for Configuring Root Protection on EX Series Switches ................................................................................630
Chapter 35  Configuring Spanning Trees  635
Table 82: Spanning-Tree Protocol Configuration Parameters .......................636
Chapter 36  Verifying Spanning Trees  641
Table 83: Summary of Spanning-Tree Protocols Output Fields ....................641
Chapter 38  Operational Mode Commands for Bridging, VLANs, and Spanning Trees  717
Table 84: show ethernet-switching interfaces Output Fields ........................721
Table 85: show ethernet-switching mac-learning-log Output Fields .............724
Table 86: show ethernet-switching statistics aging Output Fields ................726
Table 87: show ethernet-switching statistics mac-learning Output Fields .....728
Table 88: show ethernet-switching table Output Fields ................................731
Table 89: show gvrp Output Fields ..............................................................737
Table 90: show gvrp statistics Output Fields ................................................739
Table 91: show redundant-trunk-group Output Fields ..................................741
Table 92: show spanning-tree bridge Output Fields .....................................742
Table 93: show spanning-tree interface Output Fields .................................747
Table 94: show spanning-tree mstp configuration Output Fields .................750
Table 95: show spanning-tree statistics Output Fields .................................751
Table 96: show vlans Output Fields .............................................................753

Part 9  Layer 3 Protocols
Chapter 40  Examples of Configuring Layer 3 Protocols  767
Table 97: Components of the IP Directed Broadcast Topology ....................768
Chapter 41  Configuring Layer 3 Protocols  771
Table 98: BGP Routing Configuration Summary ..........................................771
Table 99: DHCP Server Configuration Pages Summary ...............................773
Table 100: OSPF Routing Configuration Summary ......................................775
Table 101: RIP Routing Configuration Summary .........................................776
Table 102: SNMP Configuration Page ..........................................................777
Table 103: Static Routing Configuration Summary ......................................781
Chapter 42  Verifying Layer 3 Protocols  783
Table 104: Summary of Key BGP Routing Output Fields .............................783
Table 105: Summary of DHCP Output Fields ...............................................785
Table 106: Summary of Key OSPF Routing Output Fields ...........................787
Table 107: Summary of Key RIP Routing Output Fields ..............................789
Table 108: Summary of Key Routing Information Output Fields .................790

Part 10  IGMP Snooping and Multicast
Chapter 43  Understanding IGMP Snooping and Multicast  795
Table 109: Bridge Multicast IDs and Next Hops ...........................................798
Chapter 44  Examples of Configuring IGMP Snooping and Multicast  803
Table 110: Components of the IGMP Snooping Topology ............................804
Chapter 45  Configuring IGMP Snooping and Multicast  813
Table 111: IGMP Snooping Configuration Fields ..........................................815
Chapter 46  Verifying IGMP Snooping and Multicast  821
Table 112: Summary of IGMP Snooping Output Fields ................................821
Chapter 48  Operational Mode Commands for IGMP Snooping and Multicast  851
Table 113: show igmp-snooping membership Output Fields .......................854
Table 114: show igmp-snooping route Output Fields ...................................857
Table 115: show igmp-snooping statistics Output Fields ..............................859
Table 116: show igmp-snooping vlans Output Fields ...................................860

Part 11  Access Control
Chapter 50  Examples of Configuring Access Control  883
Table 117: Components of the Topology .....................................................886
Table 118: Components of the Topology .....................................................890
Table 119: Components of the Guest VLAN Topology .................................895
Table 120: Components of the Static MAC Authentication Configuration Topology ...............................................................................................900
Table 121: Components of the MAC RADIUS Authentication Configuration Topology ...............................................................................................904
Table 122: Components of the Supplicant Mode Configuration Topology ....910
Table 123: Components of the Firewall Filter and RADIUS Server Attributes Topology ...............................................................................................915
Table 124: Components of the VoIP Configuration Topology ......................921
Chapter 51  Configuring Access Control  941
Table 125: RADIUS Server Settings .............................................................945
Table 126: 802.1X Exclusion List ................................................................945
Table 127: 802.1X Port Settings ..................................................................946
Table 128: Global Settings ...........................................................................958
Table 129: Edit Port Settings .......................................................................958
Table 130: Match Conditions .......................................................................961
Table 131: Actions for VSAs ........................................................................962
Chapter 54  Operational Commands for 802.1X  1031
Table 132: show dot1x Output Fields ........................................................1035
Table 133: show dot1x static-mac-address Output Fields ..........................1040
Table 134: show dot1x static-mac-address Output Fields ..........................1041
Table 135: show ethernet-switching interfaces Output Fields ....................1043
Table 136: show lldp Output Fields ...........................................................1046
Table 137: show lldp local-info Output Fields ............................................1051
Table 138: show lldp neighbors Output Fields ...........................................1053
Table 139: show lldp statistics Output Fields .............................................1056
Table 140: show network-access aaa statistics accounting Output Fields ...1058
Table 141: show network-access aaa statistics authentication Output Fields ..................................................................................................1059
Table 142: show network-access aaa statistics dynamic-requests Output Fields ..................................................................................................1060

Part 12  Port Security
Chapter 56  Examples of Configuring Port Security  1087
Table 143: Components of the Port Security Topology ..............................1089
Table 144: Components of the Port Security Topology ..............................1096
Table 145: Components of the Port Security Topology ..............................1100
Table 146: Components of the Port Security Topology ..............................1103
Table 147: Components of the Port Security Topology ..............................1107
Table 148: Components of the Port Security Topology ..............................1110
Table 149: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2 .............................................................1114
Table 150: Components of the Unrestricted Proxy ARP Switch .................1144
Chapter 57  Configuring Port Security  1149
Table 151: Port Security Settings on VLANs ...............................................1152
Table 152: Port Security on Interfaces .......................................................1153
Chapter 61  Operational Mode Commands for Port Security  1233
Table 153: show arp inspection statistics Output Fields .............................1236
Table 154: show dhcp snooping binding Output Fields .............................1237
Table 155: show ethernet-switching table Output Fields ............................1238
Table 156: show ip-source-guard Output Fields .........................................1244

Part 13  Routing Policy and Packet Filtering (Firewall Filters)
Chapter 62  Understanding Firewall Filters  1249
Table 157: Supported Match Conditions for Firewall Filters on EX Series Switches .............................................................................................1257
Table 158: Actions for Firewall Filters .......................................................1265
Table 159: Action Modifiers for Firewall Filters .........................................1266
Table 160: Actions for Firewall Filters .......................................................1272
Chapter 63  Examples of Configuring Firewall Filters  1275
Table 161: Configuration Components: Firewall Filters .............................1276
Table 162: Configuration Components: VLANs ..........................................1277
Table 163: Configuration Components: Switch Ports on a 48-Port All-PoE Switch .................................................................................................1278
Chapter 64  Configuring Firewall Filters  1301
Table 164: Create a New Filter ..................................................................1307
Table 165: Create a New Term ..................................................................1308
Table 166: Advanced Options for Terms ...................................................1309
Chapter 67  Configuration Statements for Firewall Filters  1323
Table 167: Supported Options for Firewall Filter Statements .....................1324
Table 168: Firewall Filter Statements That Are Not Supported by JUNOS Software for EX Series Switches ..........................................................1326
Chapter 68  Operational Mode Commands for Firewall Filters  1337
Table 169: show firewall Output Fields ......................................................1339
Table 170: show interfaces filters Output Fields ........................................1342
Table 171: show interfaces policers Output Fields .....................................1344
Table 172: show policer Output Fields ......................................................1346

Part 14  CoS
Chapter 69  Understanding CoS  1351
Table 173: Default Code-Point Aliases .......................................................1356
Table 174: Default BA Classification ..........................................................1360
Table 175: Default Forwarding Classes for Unicast Packets .......................1362
Table 176: Default Forwarding Classes for Multicast Packets .....................1362
Table 177: Default Packet Header Rewrite Mappings ................................1369
Chapter 70  Examples of Configuring CoS  1373
Table 178: Configuration Components: VLANs ..........................................1375
Table 179: Configuration Components: Switch Ports on a 48-Port All-PoE Switch .................................................................................................1375
Chapter 71  Configuring CoS  1391
Table 180: CoS Value Aliases Configuration Pages Summary ....................1392
Table 181: BA-classifier Loss Priority Assignments ....................................1395
Table 182: Classifiers Configuration Page Summary ..................................1396
Table 183: Forwarding Classes Configuration Pages Summary ..................1398
Table 184: Schedulers Configuration Page Summary ................................1401
Table 185: Scheduler Maps Configuration Page Summary .........................1403
Table 186: Rewrite Rules Configuration Page Summary ............................1405
Table 187: Assigning CoS Components to Interfaces .................................1408
Chapter 72  Verifying CoS  1411
Table 188: Summary of Key CoS Classifier Output Fields ..........................1411
Table 189: Summary of Key CoS Forwarding Class Output Fields .............1413
Table 190: Summary of Key CoS Interfaces Output Fields .........................1413
Table 191: Summary of Key CoS Rewrite Rules Output Fields ...................1414
Table 192: Summary of Key CoS Scheduler Maps Output Fields ...............1415
Table 193: Summary of Key CoS Value Alias Output Fields .......................1417
Chapter 74  Operational Mode Commands for CoS  1447
Table 194: show class-of-service Output Fields ..........................................1448
Table 195: show pfe statistics traffic Output Fields ....................................1452
Table 196: show pfe statistics traffic cpu Output Fields .............................1455
Table 197: show pfe statistics traffic egress-queues Output Fields .............1459
Table 198: show pfe statistics traffic multicast Output Fields ....................1461

Part 15  PoE
Chapter 75  Understanding PoE  1467
Table 199: Class of Powered Device and Power Levels ..............................1468
Chapter 76  Examples of Configuring PoE  1471
Table 200: Components of the PoE Configuration Topology ......................1472
Table 201: Components of the PoE Configuration Topology ......................1475
Chapter 77  Configuring PoE  1479
Table 202: PoE Edit Settings ......................................................................1481
Table 203: System Settings .......................................................................1481
Chapter 80  Operational Mode Commands for PoE  1495
Table 204: show poe controller Output Fields ...........................................1496
Table 205: show poe interface Output Fields .............................................1497
Table 206: show poe telemetries interface Output Fields ..........................1499

Part 16  MPLS
Chapter 82  Example of JUNOS MPLS Configuration  1511
Table 207: Components of the Ingress PE Switch in Topology for MPLS with Interface-Based CCC ...........................................................................1513
Table 208: Components of the Egress PE Switch in Topology for MPLS with Interface-Based CCC ...........................................................................1514
Table 209: Components of the Provider Switch in Topology for MPLS with Interface-Based CCC ...........................................................................1515
Chapter 86  Operational Mode Commands for MPLS  1559
Table 210: show connections Output Fields ..............................................1561
Table 211: show route forwarding-table Output Fields ..............................1565
Table 212: show mpls interface Output Fields ...........................................1571
Table 213: show rsvp session Output Fields ..............................................1573

Part 17  Network Management and Monitoring
Chapter 88  Configuring Network Monitoring  1583
Table 214: RPM Probe Owner, Concurrent Probes, and Probe Servers Configuration Fields ............................................................................1585
Table 215: Performance Probe Tests Configuration Fields .........................1585
Chapter 90  Understanding Port Mirroring  1595
Table 216: Port Mirroring Terminology .....................................................1597
Chapter 92  Configuring Port Mirroring  1613
Table 217: Port Mirroring Configuration Settings .......................................1617
Chapter 94  Operational Mode Commands for Port Mirroring  1633
Table 218: command-name Output Fields ................................................1634
Chapter 99  Operational Mode Commands for sFlow Technology  1657
Table 219: show sflow Output Fields .........................................................1658
Table 220: show sflow collector Output Fields ...........................................1659
Table 221: show sflow interface Output Fields ..........................................1660
Chapter 104  Operational Mode Commands for Ethernet OAM Link Fault Management  1689
Table 222: show oam ethernet link-fault-management Output Fields ........1690

About This Topic Collection

How to Use This Guide on page lv
List of EX Series Guides for JUNOS Release 9.6 on page lv
Downloading Software on page lvii
Documentation Symbols Key on page lvii
Documentation Feedback on page lix
Requesting Technical Support on page lix

How to Use This Guide

Complete documentation for the EX Series product family is provided on web pages at http://www.juniper.net/techpubs/en_US/release-independent/information-products/pathway-pages/ex-series/product/index.html. We have selected content from these web pages and created a number of EX Series guides that collect related topics into a book-like format so that the information is easy to print and easy to download to your local computer.

This guide, Complete Software Guide for JUNOS Software for EX Series Switches, Release 9.6, collects the software feature descriptions, configuration examples, tasks, and reference pages for configuration statements and operational commands for the JUNOS Software for EX Series switches, Release 9.6. The release notes are at http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/release-notes/9.6/junos-release-notes-9.6.pdf.

List of EX Series Guides for JUNOS Release 9.6

Title | Description
Complete Hardware Guide for EX3200 and EX4200 Ethernet Switches | Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX3200 and EX4200 switches
Complete Hardware Guide for EX8208 Ethernet Switches | Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX8208 switches
Complete Hardware Guide for EX8216 Ethernet Switches | Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX8216 switches
Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6 | Software feature descriptions, configuration examples, and tasks for JUNOS Software for EX Series switches and reference pages for configuration statements and operational commands
Software Topic Collections (listed below) | Software feature descriptions, configuration examples and tasks, and reference pages for configuration statements and operational commands. (This information also appears in the Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6.)
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Access Control
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Alarms and System Log Messages
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Configuration and File Management
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Class of Service
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Device Security
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Ethernet Switching
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Interfaces
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Layer 3 Protocols
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: MPLS
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Multicast
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Network Management and Monitoring
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Port Security
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Routing Policy and Packet Filtering
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Spanning-Tree Protocols
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: System Setup
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: User and Access Management
  JUNOS Software Guide for EX Series Ethernet Switches, Release 9.6: Virtual Systems
J-Web User Interface Guide for JUNOS Software for EX Series Ethernet Switches | How to use the J-Web graphical user interface (GUI) with JUNOS Software for EX Series switches

Downloading Software
You can download the JUNOS Software for EX Series switches from the Download
Software area at http://www.juniper.net/customers/support/. To download the software,
you must have a Juniper Networks user account. For information about obtaining an
account, see http://www.juniper.net/entitlement/setupAccountInfo.do.

Documentation Symbols Key

Notice Icons

Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.

Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description: Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and actions.
    JUNOS System Basics Configuration Guide
    RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Plain text like this
  Description: Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Enclose optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Enclose a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identify a level in the configuration hierarchy.
  Example:
    [edit]
    routing-options {
      static {
        route default {
          nexthop address;
          retain;
        }
      }
    }

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.

J-Web GUI Conventions

Bold text like this
  Description: Represents J-Web graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of J-Web selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. Send e-mail to techpubs-comments@juniper.net with the
following:

Document URL or title

Page number if applicable

Software version

Your name and company

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need post-sales technical support, you
can access our tools and resources online or open a case with JTAC.

JTAC policies: For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.

Product warranties: For product warranty information, visit
http://www.juniper.net/support/warranty/.

JTAC hours of operation: The JTAC centers have resources available 24 hours
a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:

Find CSC offerings: http://www.juniper.net/customers/support/

Search for known bugs: http://www2.juniper.net/kb/

Find product documentation: http://www.juniper.net/techpubs/

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/

Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html

Part 1

JUNOS Software for EX Series Switches Product Overview

Product Overview on page 3

Chapter 1

Product Overview

Software Overview on page 3

Supported Hardware on page 24

Software Overview

EX Series Switch Software Features Overview on page 3

Layer 3 Protocols Supported on EX Series Switches on page 12

Layer 3 Protocols Not Supported on EX Series Switches on page 13

Security Features for EX Series Switches Overview on page 15

High Availability Features for EX Series Switches Overview on page 17

Understanding Software Infrastructure and Processes on page 22

EX Series Switch Software Features Overview

Table 1 on page 3 lists the Juniper Networks EX Series Ethernet Switch software
features and the Juniper Networks JUNOS Software release in which they were
introduced.
Table 1: Summary of Software Features Available on EX Series Switches
(Columns: Feature | First Release, EX3200 and EX4200 Switches | First Release, EX8200 Switches)

Feature Category: Activity Logging and Monitoring
J-Web event view for system log messages | JUNOS 9.0R2 | JUNOS 9.4R1
Real-time performance monitoring (RPM) | JUNOS 9.3R2 | Not supported
System logging (syslog) over IPv4 | JUNOS 9.0R2 | JUNOS 9.4R1
System logging (syslog) over IPv6 | JUNOS 9.3R2 | Not supported
Traceroute tool in J-Web interface | JUNOS 9.0R2 | JUNOS 9.4R1

Feature Category: Administration
Automatic software download | JUNOS 9.6R1 | Not supported
Configuration rollback | JUNOS 9.0R2 | JUNOS 9.4R1
Confirmation of configuration changes | JUNOS 9.0R2 | JUNOS 9.4R1
Software upgrades | JUNOS 9.0R2 | JUNOS 9.4R1
Support for RADIUS external administrator databases | JUNOS 9.0R2 | JUNOS 9.4R1
Supports the following features for automating network operations and troubleshooting: commit scripts, operation scripts, event policies | JUNOS 9.0R2 | JUNOS 9.4R1

Feature Category: Encapsulation
802.1Q encapsulation tags | JUNOS 9.0R2 | JUNOS 9.4R1
802.1Q filtering and forwarding | JUNOS 9.0R2 | JUNOS 9.4R1
Ethernet: media access control (MAC) encapsulation, 802.1p tagging | JUNOS 9.0R2 | JUNOS 9.4R1

Feature Category: High Availability and Resiliency
Graceful protocol restart for IS-IS | JUNOS 9.3R2 | JUNOS 9.4R1
Graceful protocol restart for OSPF and BGP | JUNOS 9.0R2 | JUNOS 9.4R1
Graceful Routing Engine switchover (GRES) for EX4200 Virtual Chassis configurations | JUNOS 9.1R1 | Not applicable
Graceful Routing Engine switchover (GRES) for ARP entries | JUNOS 9.2R1 | JUNOS 9.4R1
Graceful Routing Engine switchover (GRES) for the forwarding database | JUNOS 9.2R1 | JUNOS 9.4R1
Graceful Routing Engine switchover (GRES) for port security | JUNOS 9.2R1 | JUNOS 9.6R1
Link aggregation control protocol (LACP) | JUNOS 9.0R2 | JUNOS 9.4R1
Link aggregation groups (LAGs) | JUNOS 9.0R2 | JUNOS 9.4R1
Link aggregation groups (LAGs) over Virtual Chassis ports (VCPs) | JUNOS 9.6R1 | Not applicable
Redundant trunk groups | JUNOS 9.0R2 | JUNOS 9.4R1
Virtual Chassis: atomic software upgrade, fast failover, split and merge | JUNOS 9.3R2 | Not applicable
Virtual Chassis: autoprovisioning of Virtual Chassis ports (VCPs) | JUNOS 9.5R1 | Not applicable
Virtual Chassis support for SFP uplink module ports | JUNOS 9.2R1 | Not applicable
Virtual Router Redundancy Protocol (VRRP) | JUNOS 9.0R2 | JUNOS 9.4R1

Feature Category: Interfaces
Power over Ethernet (PoE) | JUNOS 9.0R2 | Not applicable
VLAN-tagged Layer 3 subinterfaces | JUNOS 9.2R1 | JUNOS 9.4R1

Feature Category: Internet Protocols
IPv4 | JUNOS 9.0R2 | JUNOS 9.4R1
IPv6 (except multicast protocols). A separate software license is required for IPv6; see Software Licenses for the EX Series Switch Overview on page 121. | JUNOS 9.3R2 | Not supported

Feature Category: IP Address Management
DHCP server and relay with option 82 for Layer 2 VLANs | JUNOS 9.3R2 | JUNOS 9.4R1
DHCPv6 and IPv6 DNS | JUNOS 9.3R2 | Not supported
Dynamic Host Configuration Protocol (DHCP) | JUNOS 9.0R2 | JUNOS 9.4R1
Local DHCP server | JUNOS 9.3R2 | JUNOS 9.4R1
Static addresses | JUNOS 9.0R2 | JUNOS 9.4R1

Feature Category: Layer 2 Network Protocols
BPDU protection for spanning-tree protocols | JUNOS 9.1R1 | JUNOS 9.4R1
Extended Q-in-Q VLAN support for multiple S-VLANs per access interface, firewall-filter-based VLAN assignment, and routed VLAN interfaces (RVIs) | JUNOS 9.6R1 | Not supported
GARP VLAN Registration Protocol (GVRP) | JUNOS 9.1R1 | JUNOS 9.4R1
Link Layer Discovery Protocol (LLDP) | JUNOS 9.0R2 | JUNOS 9.4R1
Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) with voice over IP (VoIP) integration | JUNOS 9.0R2 | Not supported
Loop protection for spanning-tree protocols | JUNOS 9.1R1 | JUNOS 9.4R1
Private VLANs (PVLANs) | JUNOS 9.3R2 | Not supported
Q-in-Q tunneling | JUNOS 9.3R2 | Not supported
Root protection for spanning-tree protocols | JUNOS 9.1R1 | JUNOS 9.4R1
Routed VLAN interfaces (RVIs) | JUNOS 9.0R2 | JUNOS 9.4R1
Spanning tree: Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP) | JUNOS 9.0R2 | JUNOS 9.4R1
Spanning tree: VLAN Spanning Tree Protocol (VSTP) | JUNOS 9.4R1 | JUNOS 9.6R1
Storm control | JUNOS 9.1R1 | JUNOS 9.4R1
Unknown Layer 2 unicast forwarding | JUNOS 9.3R2 | Not supported
Virtual routing and forwarding (VRF): virtual routing instances | JUNOS 9.2R1 | JUNOS 9.6R1
VLAN range | JUNOS 9.2R1 | JUNOS 9.4R1

Feature Category: Layer 3 Protocols
Bidirectional Forwarding Detection (BFD) | JUNOS 9.0R2 | JUNOS 9.4R1
Border Gateway Protocol (BGP). A separate software license is required for BGP and MBGP; see Software Licenses for the EX Series Switch Overview on page 121. | JUNOS 9.0R2 | JUNOS 9.4R1
Intermediate System-to-Intermediate System (IS-IS). A separate software license is required for IS-IS; see Software Licenses for the EX Series Switch Overview on page 121. | JUNOS 9.0R2 | JUNOS 9.4R1
IGMPv1 and IGMPv2 | JUNOS 9.1R1 | JUNOS 9.4R1
IGMPv3 | JUNOS 9.3R2 | JUNOS 9.4R1
Internet Group Management Protocol (IGMP) | JUNOS 9.0R2 | JUNOS 9.4R1
IPv6 protocols: Open Shortest Path First version 3 (OSPFv3), RIPng, IS-IS for IPv6, IPv6 BGP. See the JUNOS Software Routing Protocols Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html. | JUNOS 9.3R2 | Not supported
Jumbo frames on routed VLAN interfaces (RVIs) | JUNOS 9.4R1 | JUNOS 9.4R1
Multicast Source Discovery Protocol (MSDP) | JUNOS 9.4R1 | JUNOS 9.4R1
OSPF Multitopology Routing (MT-OSPF). See the JUNOS Software Routing Protocols Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html. | JUNOS 9.5R1 | JUNOS 9.5R1
OSPFv2 | JUNOS 9.0R2 | JUNOS 9.4R1
Protocol Independent Multicast dense mode (PIM DM). See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html. | JUNOS 9.2R1 | JUNOS 9.4R1
Protocol Independent Multicast source specific multicast (PIM SSM). See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html. | JUNOS 9.2R1 | Not supported
Protocol Independent Multicast sparse mode (PIM SM). See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html. | JUNOS 9.0R2 | JUNOS 9.4R1
Routing Information Protocol version 1 (RIPv1) and RIPv2 | JUNOS 9.0R2 | JUNOS 9.4R1
Single-source multicast | JUNOS 9.0R2 | JUNOS 9.4R1
Static routes | JUNOS 9.0R2 | JUNOS 9.4R1

Feature Category: Multicast
IGMP snooping with routed VLAN interfaces (RVIs) | JUNOS 9.2R1 | JUNOS 9.4R1
IGMPv3 snooping | JUNOS 9.6R1 | JUNOS 9.6R1
Multicast VLAN registration (MVR) | JUNOS 9.6R1 | Not supported

Feature Category: MPLS
MPLS with RSVP-based label switched paths (LSPs) and MPLS-based circuit cross-connects (CCCs). A separate software license is required for MPLS; see Software Licenses for the EX Series Switch Overview on page 121. | JUNOS 9.5R1 | Not supported

Feature Category: Network Management and Monitoring
Class of service (CoS): class-based queuing with prioritization | JUNOS 9.0R2 | JUNOS 9.4R1
Class of service (CoS): DSCP, IEEE 802.1p, and IP precedence packet rewrites are enabled on routed VLAN interfaces (RVIs) | JUNOS 9.5R1 | Not supported
Class of service (CoS): interface-specific classifiers on routed VLAN interfaces (RVIs) | JUNOS 9.4R1 | Not supported
Class of service (CoS) multidestination | Not applicable | JUNOS 9.5R1
Class-of-service (CoS) support on LAGs | JUNOS 9.2R1 | JUNOS 9.4R1
Class-of-service (CoS) support on routed VLAN interfaces (RVIs) | JUNOS 9.4R1 | JUNOS 9.4R1
Ethernet OAM link fault management (LFM) | JUNOS 9.4R1 | Not supported
Interface-specific CoS rewrite rules | JUNOS 9.4R1 | Not supported
JUNOS EZQoS for CoS | JUNOS 9.3R2 | JUNOS 9.4R1
Policing | JUNOS 9.0R2 | JUNOS 9.4R1
Port shaping and queue shaping | JUNOS 9.3R2 | Not supported
Port mirroring | JUNOS 9.0R2 | JUNOS 9.4R1
Port mirroring enhancements | JUNOS 9.5R1 | JUNOS 9.5R1
RMON | JUNOS 9.0R2 | JUNOS 9.4R1
Real-time performance monitoring (RPM) | JUNOS 9.3R2 | Not supported
sFlow monitoring technology | JUNOS 9.3R2 | Not supported
Simple Network Management Protocol version 1 (SNMPv1) and SNMPv2 | JUNOS 9.0R2 | JUNOS 9.4R1
Transparent bridging: multiple VLAN support, Layer 3 interface support | JUNOS 9.0R2 | JUNOS 9.4R1

Feature Category: Security
802.1X authentication | JUNOS 9.0R2 | Not supported
Denial-of-service (DoS) and distributed DoS (DDoS) protection | JUNOS 9.0R2 | JUNOS 9.4R1
Dynamic firewall filters for 802.1X authentication | JUNOS 9.0R2 | Not supported
Filter-based forwarding | JUNOS 9.4R1 | JUNOS 9.6R1
Firewall filters and rate limiting | JUNOS 9.0R2 | JUNOS 9.4R1
Firewall filters on LAGs | JUNOS 9.0R2 | Not supported
Firewall filter on loopback interface | JUNOS 9.2R1 | JUNOS 9.6R1
Firewall filter processing points, additional | JUNOS 9.3R2 | Not applicable
Local proxy ARP | JUNOS 9.3R2 | Not supported
MAC-based VLAN | JUNOS 9.2R1 | Not supported
MAC RADIUS authentication | JUNOS 9.3R2 | Not supported
Port security: DHCP option 82 | JUNOS 9.3R2 | Not supported
Port security: DHCP snooping, dynamic ARP inspection (DAI), MAC limiting, MAC move limiting | JUNOS 9.0R2 | Not supported
Port security: IP source guard | JUNOS 9.2R1 | Not supported
Port security: persistent storage for DHCP snooping | JUNOS 9.4R1 | Not supported
Port security: static ARP support | JUNOS 9.0R2 | JUNOS 9.4R1
Port security and storm control: automatic recovery for port error disable conditions | JUNOS 9.6R1 | Not supported
Server fail fallback | JUNOS 9.3R2 | JUNOS 9.4R1
TACACS+ | JUNOS 9.0R2 | JUNOS 9.4R1
Unicast reverse-path forwarding (RPF) | JUNOS 9.3R2 | JUNOS 9.4R1
Unrestricted proxy ARP | JUNOS 9.6R1 | Not supported

Feature Category: System Management
Autoinstallation | JUNOS 9.4R1 | Not supported
IP directed broadcast | JUNOS 9.4R1 | JUNOS 9.4R1
JUNOS command-line interface (CLI), for switch configuration and management through the console, Telnet, SSH, or J-Web CLI editor | JUNOS 9.0R2 | JUNOS 9.4R1
J-Web interface, for switch configuration and management | JUNOS 9.0R2 | JUNOS 9.4R1
J-Web interface enhancements: the dashboard displays the DC power supply; the Monitoring Chassis Information page displays details about the DC power supply; the Virtual Chassis Monitoring page displays details of Virtual Chassis port (VCP) error and drop counts, VCP maximum bandwidth, and VCP actual bandwidth | JUNOS 9.4R1 | Not applicable
J-Web interface enhancements: the Interface Configuration page displays details about port role configuration; the Link Aggregation Configuration page supports aggregating interfaces with any speed setting; configuring spanning-tree protocols, GVRP, IGMP snooping, and redundant trunk groups is supported; monitoring Ethernet switching, spanning-tree protocols, GVRP, and IGMP snooping is supported; setting up real-time performance monitoring (RPM) and viewing monitoring results is supported | JUNOS 9.5R1 | JUNOS 9.5R1
J-Web license-management tool | JUNOS 9.1R1 | JUNOS 9.4R1
J-Web Port Troubleshooting tool | JUNOS 9.2R1 | JUNOS 9.4R1
Platform-specific JUNOS Software installation packages: EX Series switches have specific installation packages for each family of switches. Names of the installation packages include the switch family name. | JUNOS 9.4R1 | JUNOS 9.4R1
Power over Ethernet (PoE) power management mode | JUNOS 9.3R2 | Not supported

Related Topics

Features in JUNOS Software for EX-series Switches, Release 9.1

Features in JUNOS Software for EX-series Switches, Release 9.2

New Features in JUNOS Software for EX-series Switches, Release 9.3

New Features in JUNOS Software for EX-series Switches, Release 9.4

New Features in JUNOS Software for EX-series Switches, Release 9.5

New Features in JUNOS Release 9.6 for EX Series Switches

EX3200 and EX4200 Switches Hardware Overview on page 24

EX8208 Switch Hardware Overview on page 27

EX8216 Switch Hardware Overview on page 31

High Availability Features for EX Series Switches Overview on page 17

Layer 3 Protocols Supported on EX Series Switches on page 12

Layer 3 Protocols Not Supported on EX Series Switches on page 13

Layer 3 Protocols Supported on EX Series Switches

EX Series switches support the JUNOS Layer 3 features and configuration statements
listed in Table 2 on page 12.

Table 2: Supported JUNOS Layer 3 Protocol Statements and Features

Protocol | Notes | For More Information
BGP | Fully supported. | See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
BFD | Fully supported. | See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
ICMP | Fully supported. | See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
IGMPv1, v2, and v3 | Fully supported. | See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
IS-IS | Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX Series Switches on page 13. | See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
MPLS | Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX Series Switches on page 13. | See the JUNOS MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
OSPFv1, v2, and v3 | Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX Series Switches on page 13. | See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
PIM | Supported, with the exception of IPv6. | See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
RIP | Fully supported. | See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
RIPng | Fully supported. | See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
SNMP | Fully supported. | See the JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
VRRP | Fully supported, with the exception of IPv6 support of VRRP on routed VLAN interfaces. | See High Availability Features for EX Series Switches Overview on page 17. See also the JUNOS Software High Availability Guide at http://www.juniper.net/techpubs/software/junos/.

Related Topics

Layer 3 Protocols Not Supported on EX Series Switches on page 13

EX Series Switch Software Features Overview on page 3

Layer 3 Protocols Not Supported on EX Series Switches

EX Series switches do not support the JUNOS Layer 3 protocols and features listed
in Table 3 on page 13.

Table 3: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported
(Each feature is followed by the configuration statements not supported on EX Series switches.)

DVMRP
  dvmrp and subordinate statements

Flow aggregation (cflowd)
  cflow and subordinate statements

GRE
  Not supported

IPSec
  [edit services] statements related to IPSec

IS-IS: ES-IS; IPv6 in multicast routing protocols
  clns-routing statement
  ipv6-multicast statement
  lsp-interval statement
  label-switched-path statement
  lsp-lifetime statement
  te-metric statement

Layer 2 Tunneling Protocol (L2TP)
  l2tp and subordinate statements

Logical routers
  logical-routers and subordinate statements

MLD
  mld and all subordinate statements

MPLS: Fast Reroute (FRR); Label Distribution Protocol (LDP); Layer 3 VPNs; Multiprotocol BGP (MP-BGP) for VPN-IPv4 family; Pseudowire emulation (PWE3); Routing policy statements related to Layer 3 VPNs and MPLS; Virtual Private LAN Service (VPLS)
  ldp and all subordinate statements

Network Address Translation (NAT)
  nat and subordinate statements
  Policy statements related to NAT

OSPF
  demand-circuit statement
  label-switched-path and subordinate statements
  neighbor statement within an OSPF area
  peer-interface and subordinate statements within an OSPF area
  sham-link statement
  te-metric statement

PIM: IPv6
  inet6 family

Routing instances: Routing instance forwarding
  l2vpn and subordinate statements
  ldp and subordinate statements
  vpls and subordinate statements

SAP and SDP
  sap and all subordinate statements

General routing options in the routing-options hierarchy: MPLS and label-switched-paths
  auto-export and subordinate statements
  dynamic-tunnels and subordinate statements
  lsp-next-hop and subordinate statements
  multicast and subordinate statements
  p2mp-lsp-next-hop and subordinate statements
  route-distinguisher-id statement

Traffic sampling and forwarding in the forwarding-options hierarchy
  accounting and subordinate statements
  family mpls and family multiservice under hash-key hierarchy
  Under monitoring group-name family inet output hierarchy:
    cflowd statement
    export-format-cflowd-version-5 statement
    flow-active-timeout statement
    flow-export-destination statement
    flow-inactive-timeout statement
    interface statement
  port-mirroring statement (On EX Series switches, port mirroring is implemented using the analyzer statement.)
  sampling and subordinate statements

Related Topics

Layer 3 Protocols Supported on EX Series Switches on page 12

EX Series Switch Software Features Overview on page 3

Security Features for EX Series Switches Overview

Juniper Networks JUNOS Software is a network operating system that has been
hardened through the separation of the control, forwarding, and services planes, with
each function running in protected memory. The control-plane CPU is protected by
rate limiting, routing policy, and firewall filters to ensure switch uptime even under
severe attack. In addition, the switches fully integrate with the Juniper Networks
Unified Access Control (UAC) product to provide both standards-based 802.1X
port-level access and Layer 2 through Layer 4 policy enforcement based on user
identity. Access port security features such as dynamic Address Resolution Protocol
(ARP) inspection, DHCP snooping, and MAC limiting are controlled through a single
JUNOS CLI command.
Juniper Networks EX Series Ethernet Switches provide the following hardware and
software security features:
Console PortAllows use of the console port to connect to the Routing Engine
through an RJ-45 cable. You then use the command-line interface (CLI) to configure
the switch.
Out-of-Band ManagementA dedicated management Ethernet port on the rear
panel allows out-of-band management.


- Software Images: All JUNOS Software images are signed by a Juniper Networks
  certificate authority (CA) using public key infrastructure (PKI), which lets the
  switch verify that an image is genuine before installing it.

- User Authentication, Authorization, and Accounting (AAA): Features include:
  - User and group accounts with password encryption and authentication.
  - Access privilege levels configurable for login classes and user templates.
  - RADIUS authentication, TACACS+ authentication, or both, for authenticating
    users who attempt to access the switch.
  - Auditing of configuration changes through system logging or RADIUS/TACACS+
    accounting.

- 802.1X Authentication: Provides network access control. Supplicants (hosts) are
  authenticated when they initially connect to a LAN. Authenticating supplicants before
  they receive an IP address from a DHCP server prevents unauthorized supplicants
  from gaining access to the LAN. EX Series switches support Extensible Authentication
  Protocol (EAP) methods, including EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP.
- Port Security: Access port security features include:
  - DHCP snooping: Filters and blocks ingress DHCP server messages on untrusted
    ports; builds and maintains an IP-address/MAC-address binding database (called
    the DHCP snooping database).
  - Dynamic ARP inspection (DAI): Prevents ARP spoofing attacks. ARP requests
    and replies are compared against entries in the DHCP snooping database, and
    filtering decisions are made based on the results of those comparisons.
  - MAC limiting: Protects against flooding of the Ethernet switching table by
    capping the number of MAC addresses that can be learned on an access port.
  - MAC move limiting: Detects MAC movement and MAC spoofing on access ports.
  - Trusted DHCP server: With the DHCP server on a trusted port, protects against
    rogue DHCP servers sending leases.
  - IP source guard: Mitigates the effects of IP address spoofing attacks on the
    Ethernet LAN. The source IP address in a packet sent from an untrusted access
    interface is validated against the source MAC address in the DHCP snooping
    database. The packet is allowed for further processing if the source IP address
    to source MAC address binding is valid; if the binding is not valid, the packet is
    discarded.
  - DHCP option 82: Also known as the DHCP relay agent information option. Helps
    protect the EX Series switch against attacks such as spoofing (forging) of IP
    addresses and MAC addresses and DHCP IP address starvation. Option 82
    provides information about the network location of a DHCP client, and the DHCP
    server uses this information to assign IP addresses or other parameters to
    the client.
  - Unrestricted proxy ARP: The switch responds to all ARP messages with its own
    MAC address. Hosts that are connected to the switch's interfaces cannot
    communicate directly with other hosts. Instead, all communication between
    hosts goes through the switch.

- Device Security: Storm control lets the switch monitor unknown unicast and
  broadcast traffic and, when a specified traffic level is exceeded, drop the excess
  packets, shut down the interface, or temporarily disable it, preventing the packets
  from proliferating and degrading the LAN. You can enable storm control on access
  interfaces or trunk interfaces.

- Firewall Filters: Allow auditing of various types of security violations, including
  attempts to access the switch from unauthorized locations. Firewall filters can detect
  such attempts and create audit log entries when they occur. The filters can also
  restrict access by limiting traffic to source and destination MAC addresses, specific
  protocols, or, in combination with policers, to specified data rates to prevent denial
  of service (DoS) attacks.

- Policers: Provide rate-limiting capability to control the amount of traffic that enters
  an interface, which acts to counter DoS attacks.
- Encryption Standards: Supported standards include:
  - 128-, 192-, and 256-bit Advanced Encryption Standard (AES)
  - 56-bit Data Encryption Standard (DES) and 168-bit Triple DES (3DES). Single DES
    is considered cryptographically weak and should be avoided wherever the peer
    supports AES.

Related Topics

802.1X for EX Series Switches Overview on page 865

Firewall Filters for EX Series Switches Overview on page 1249

Port Security for EX Series Switches Overview on page 1063

Understanding Proxy ARP for Port Security on EX Series Switches on page 1084

Understanding Storm Control on EX Series Switches on page 475

Understanding the Use of Policers in Firewall Filters on page 1274
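The following configuration is an added example and is not taken from this guide or from Juniper. It puts the port security, storm control, firewall filter and policer features described above into one JUNOS configuration so the pieces can be seen together: DHCP snooping, DAI and IP source guard are enabled per VLAN, the DHCP server uplink is marked trusted, an access port gets a MAC limit, storm control caps flooded traffic, and a loopback filter rate-limits SSH from the management network while logging and dropping SSH from anywhere else. The interface names, the VLAN name employee-vlan, the limits, and the management prefix 192.0.2.0/24 are placeholders; support for every statement on this exact release is assumed rather than verified against it.

```junos
# Added example (not Juniper's own configuration). Interface names, VLAN name,
# limits and the 192.0.2.0/24 management prefix are placeholders; statement
# support on this exact release is assumed.
ethernet-switching-options {
    secure-access-port {
        # Uplink toward the real DHCP server: the only port on which DHCP
        # server messages (OFFER, ACK, NAK) are accepted into the VLAN.
        interface ge-0/0/47.0 {
            dhcp-trusted;
        }
        # Access port: learn at most 4 MAC addresses; frames from further
        # addresses are dropped so the switching table cannot be flooded.
        interface ge-0/0/1.0 {
            mac-limit 4 action drop;
        }
        vlan employee-vlan {
            examine-dhcp;        # DHCP snooping: build the IP-to-MAC binding database
            arp-inspection;      # DAI: validate ARP against the snooping database
            ip-source-guard;     # drop IP packets whose source IP/MAC pair is not a binding
        }
    }
    storm-control {
        interface ge-0/0/1 {
            bandwidth 2000;      # kbps of broadcast plus unknown unicast allowed
        }
    }
}
firewall {
    policer mgmt-ssh-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            # SSH from the management network is allowed but rate limited,
            # so a flood from an authorized host cannot starve the Routing Engine.
            term ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer mgmt-ssh-limit;
                    accept;
                }
            }
            # SSH from anywhere else is an audit event: log it, then drop it.
            term ssh-from-elsewhere {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;    # applied to traffic destined for the Routing Engine
                }
            }
        }
    }
}
```

After committing, show dhcp snooping binding lists the IP-to-MAC bindings that DAI and IP source guard check against, and show ethernet-switching table shows whether the access port has hit its MAC limit. The final accept term matters: without it, the lo0 filter's implicit discard would also drop routing protocol and management traffic that the earlier terms do not mention.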

High Availability Features for EX Series Switches Overview


High availability refers to the hardware and software components that provide
redundancy and reliability for packet-based communications. This topic covers the
following high availability features of Juniper Networks EX Series Ethernet Switches:

VRRP on page 17

Graceful Protocol Restart on page 19

EX4200 Redundant Routing Engines on page 20

EX4200 Graceful Routing Engine Switchover on page 20

EX4200 Virtual Chassis Software Upgrade and Failover Features on page 21

Link Aggregation on page 21

Additional High Availability Features of EX Series Switches on page 21

VRRP
For Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces
on EX Series switches, you can configure the Virtual Router Redundancy Protocol
(VRRP). The switches act as virtual routing platforms. VRRP enables hosts on a LAN
to make use of redundant routing platforms on that LAN without requiring more than
the static configuration of a single default route on the hosts. The VRRP routing
platforms share the IP address corresponding to the default route configured on the
hosts. At any time, one of the VRRP routing platforms is the master (active) and the
others are backups. If the master routing platform fails, one of the backup routing
platforms becomes the new master, providing a virtual default routing platform and
enabling traffic on the LAN to be routed without relying on a single routing platform.
Using VRRP, a backup EX Series switch can take over for a failed default switch within
a few seconds. This is done with minimal VRRP traffic and without any interaction
with the hosts.

NOTE: The VRRP master and backup routing platforms should not be confused with
the master and backup member switches of a Virtual Chassis configuration. The
master and backup members of a Virtual Chassis configuration compose a single
host. In a VRRP topology, one host operates as a master routing platform and another
host operates as a backup routing platform, as shown in Figure 2 on page 19.

Switches running VRRP dynamically elect master and backup routing platforms. You
can also force assignment of master and backup routing platforms using priorities
from 1 through 255, with 255 being the highest priority; the platform that owns the
virtual IP address as a real interface address uses priority 255. In VRRP operation, the
master routing platform sends advertisements to the backup routing platforms
at regular intervals. The default interval is 1 second. If a backup routing platform
does not receive an advertisement for a set period (the master-down interval, which
RFC 3768 defines as three times the advertisement interval plus a skew time derived
from the backup's priority), the backup routing platform with the highest priority
takes over as master and begins forwarding packets.
Figure 1 on page 18 illustrates a basic VRRP topology with EX Series switches. In
this example, Switches A, B, and C are running VRRP and together they make up a
virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1
(the same address as the physical interface of Switch A).

Figure 1: Basic VRRP on EX Series Switches

Figure 2 on page 19 illustrates a basic VRRP topology using Virtual Chassis
configurations. Switch A, Switch B, and Switch C are each composed of multiple
interconnected Juniper Networks EX4200 Ethernet Switches. Each Virtual Chassis
configuration operates as a single switch, which is running VRRP, and together they
make up a virtual routing platform. The IP address of this virtual routing platform is
10.10.0.1 (the same address as the physical interface of Switch A).

Figure 2: VRRP on EX4200 Virtual Chassis Switches

Because the virtual routing platform uses the IP address of the physical interface of
Switch A, Switch A is the master VRRP routing platform, while Switches B and C
function as backup VRRP routing platforms. Clients 1 through 3 are configured with
the default gateway IP address of 10.10.0.1. As the master router, Switch A forwards
packets sent to that IP address. If the master routing platform fails, the backup switch
configured with the highest priority becomes the master routing platform and
provides uninterrupted service for the LAN hosts. When Switch A recovers, it preempts
the current master and becomes the master routing platform again.
VRRP is defined in RFC 3768, Virtual Router Redundancy Protocol.
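The topology of Figure 1, written out as an added JUNOS configuration example (not from this guide or from Juniper): Switch A owns 10.10.0.1 on its VLAN 10 routed interface and therefore runs as the VRRP owner with priority 255, while Switch B and Switch C carry the same virtual address as backups with lower priorities. The VLAN name, unit number, group number, addresses, hold time and the authentication key are placeholders. Whether the authentication-type and authentication-key statements are accepted for VRRP on this switch release is an assumption; if the commit rejects them, remove those two lines from each stanza.

```junos
# Added example (not Juniper's own configuration). VLAN, unit, group, addresses,
# hold time and key are placeholders; VRRP authentication support on this release
# is assumed.

# --- Switch A: owner of the virtual address ---
interfaces {
    vlan {
        unit 10 {
            family inet {
                address 10.10.0.1/24 {
                    vrrp-group 10 {
                        virtual-address 10.10.0.1;
                        priority 255;            # required when the virtual address is a real address
                        advertise-interval 1;    # seconds; this is the default
                        authentication-type md5;
                        authentication-key "example-vrrp-key";
                    }
                }
            }
        }
    }
}
vlans {
    employee-vlan {
        vlan-id 10;
        l3-interface vlan.10;    # the routed interface carrying the VRRP group
    }
}

# --- Switch B: preferred backup ---
interfaces {
    vlan {
        unit 10 {
            family inet {
                address 10.10.0.2/24 {
                    vrrp-group 10 {
                        virtual-address 10.10.0.1;
                        priority 200;
                        accept-data;             # answer packets sent to 10.10.0.1 while master
                        preempt {
                            hold-time 30;        # seconds to wait before taking over from a lower-priority master
                        }
                        authentication-type md5;
                        authentication-key "example-vrrp-key";
                    }
                }
            }
        }
    }
}

# --- Switch C: last resort ---
# Same stanza as Switch B with address 10.10.0.3/24 and priority 100.
```

After commit, show vrrp on each switch should report Switch A as master and the others as backup; pulling Switch A's uplink should move mastership to Switch B within the master-down interval, and restoring it should return mastership to Switch A once Switch B's hold time expires.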

Graceful Protocol Restart


With standard implementations of routing protocols, any service interruption requires
an affected switch to recalculate adjacencies with neighboring switches, restore
routing table entries, and update other protocol-specific information. An unprotected
restart of a switch can result in forwarding delays, route flapping, wait times stemming
from protocol reconvergence, and even dropped packets. Graceful protocol restart
allows a restarting switch and its neighbors to continue forwarding packets without
disrupting network performance. Because neighboring switches assist in the restart
(these neighbors are called helper switches), the restarting switch can quickly resume
full operation without recalculating algorithms from scratch.
On EX Series switches, graceful protocol restart can be applied to aggregate and
static routes and to the routing protocols BGP, IS-IS, OSPF, and RIP.
Graceful protocol restart works similarly for the different routing protocols. The main
benefits of graceful protocol restart are uninterrupted packet forwarding and
temporary suppression of all routing protocol updates. Graceful protocol restart thus
allows a switch to pass through intermediate convergence states that are hidden
from the rest of the network. Most graceful restart implementations define two types
of switches: the restarting switch and the helper switch. The restarting switch requires
rapid restoration of forwarding state information so it can resume the forwarding of
network traffic. The helper switch assists the restarting switch in this process.
Individual graceful restart configuration statements typically apply to either the
restarting switch or the helper switch.

EX4200 Redundant Routing Engines


Two to ten EX4200 switches can be interconnected to create a Virtual Chassis
configuration that operates as a single network entity. Every Virtual Chassis
configuration with two or more members has a master and a backup. The master
acts as the master Routing Engine and the backup acts as the backup Routing Engine.
The Routing Engine provides the following functionality:

Runs various routing protocols

Provides the forwarding table to the Packet Forwarding Engines (PFEs) in all the
member switches of the Virtual Chassis configuration

Runs other management and control processes for the entire Virtual Chassis
configuration

The master Routing Engine, which is in the master of the Virtual Chassis configuration,
runs Juniper Networks JUNOS Software in the master role. It receives and transmits
routing information, builds and maintains routing tables, communicates with
interfaces and Packet Forwarding Engine components of the member switches, and
has full control over the Virtual Chassis configuration.
The backup Routing Engine, which is in the backup of the Virtual Chassis
configuration, runs JUNOS Software in a backup role. It stays in sync with the master
Routing Engine in terms of protocol states, forwarding tables, and so forth. If the
master becomes unavailable, the backup Routing Engine takes over the functions
that the master Routing Engine performs.

EX4200 Graceful Routing Engine Switchover


You can configure graceful Routing Engine switchover (GRES) in a Virtual Chassis
configuration, allowing the configuration to switch from the master Routing Engine
in the master to the backup Routing Engine in the backup with minimal interruption
to network communications. When you configure graceful Routing Engine switchover,
the backup Routing Engine automatically synchronizes with the master Routing
Engine to preserve kernel state information and forwarding state. Any updates to
the master Routing Engine are replicated to the backup Routing Engine as soon as
they occur. If the kernel on the master Routing Engine stops operating, the master
Routing Engine experiences a hardware failure, or the administrator initiates a manual
switchover, mastership switches to the backup Routing Engine.
When the backup Routing Engine assumes mastership in a redundant failover
configuration (that is, when graceful Routing Engine switchover is not enabled), the
Packet Forwarding Engines initialize their state to boot-up state before they connect
to the new master Routing Engine. In contrast, in a graceful switchover configuration,
the Packet Forwarding Engines do not reinitialize their state, but instead resynchronize
their state with the new master Routing Engine. The interruption to traffic is minimal.
Graceful Routing Engine switchover on EX4200 switches supports software features
in JUNOS Release 9.2 or later for EX Series switches.

EX4200 Virtual Chassis Software Upgrade and Failover Features


EX4200 switches provide these features for increased resiliency in Virtual Chassis
configurations:

- Virtual Chassis atomic software upgrade: When you upgrade software in a Virtual
  Chassis configuration, the upgrade either succeeds or fails on all member
  switches, preventing the situation in which only some Virtual Chassis member
  switches are upgraded.

- Virtual Chassis fast failover: A hardware-assisted failover mechanism that
  automatically reroutes traffic and reduces traffic loss in the event of a link failure.

- Virtual Chassis split and merge: If there is a disruption to the Virtual Chassis
  configuration due to member switches failing or being removed from the
  configuration, the Virtual Chassis configuration splits into two separate Virtual
  Chassis.

Link Aggregation
You can combine multiple physical Ethernet ports to form a logical point-to-point
link, known as a link aggregation group (LAG) or bundle. A LAG provides more
bandwidth than a single Ethernet link can provide. Additionally, link aggregation
provides network redundancy by load-balancing traffic across all available links. If
one of the links should fail, the system automatically load-balances traffic across all
remaining links.
You can select up to eight Ethernet interfaces and include them within a link
aggregation group. In an EX4200 Virtual Chassis configuration composed of multiple
members, the interfaces that compose a LAG can be on different members of the
Virtual Chassis. See Understanding Virtual Chassis Configurations and Link
Aggregation on page 188.
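The three high availability mechanisms just described, graceful protocol restart, graceful Routing Engine switchover in a Virtual Chassis, and a LAG whose member links sit on two different Virtual Chassis members, combined into one added JUNOS configuration example. It is not from this guide or from Juniper; the interface names, the ae device count, the VLAN name employee-vlan, the OSPF area and the restart duration are placeholders chosen for illustration.

```junos
# Added example (not Juniper's own configuration). Interface names, ae count,
# VLAN name, OSPF area and restart-duration are placeholders.
routing-options {
    graceful-restart;            # enable graceful restart for all supported protocols
}
protocols {
    ospf {
        graceful-restart {
            restart-duration 120;   # seconds the helpers keep our routes while we restart
        }
        area 0.0.0.0 {
            interface vlan.10;
        }
    }
}
chassis {
    redundancy {
        graceful-switchover;     # backup Routing Engine mirrors kernel and forwarding state
    }
    aggregated-devices {
        ethernet {
            device-count 1;      # number of aeN interfaces to create
        }
    }
}
interfaces {
    # Member links on two different Virtual Chassis members (FPC 0 and FPC 1),
    # so that the loss of one member switch does not take down the whole bundle.
    ge-0/0/46 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/46 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;   # 1-second LACP PDUs for quicker failure detection
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members employee-vlan;
                }
            }
        }
    }
}
```

With LACP active on both ends, a member link whose peer stops answering is removed from the bundle within a few LACP periods rather than only when the physical link drops, which is what makes the load-balancing failover described above dependable.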

Additional High Availability Features of EX Series Switches


To ensure continuous operation, all EX Series switches use field-replaceable power
supply units, fan trays, and uplink modules. EX4200 switches include options for
external power-supply redundancy.
The Juniper Networks EX3200 Ethernet Switches support a single field-replaceable
power supply unit, a field-replaceable fan tray, and a field-replaceable uplink module.
The EX4200 switches support connection of Virtual Chassis members using two
dedicated Virtual Chassis ports (VCPs) on the rear panel or SFP uplink module ports.
The EX4200 switches also support two internal load-sharing redundant hot-swappable
power supplies, field-replaceable fan trays with redundant blowers, and
field-replaceable uplink modules that provide SFP or XFP ports.
Notification of hardware issues is provided through system log messages and alarms.
Related Topics

For more information on high availability features, see the JUNOS Software High
Availability Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.

Virtual Chassis Overview on page 177

Understanding Virtual Chassis Components on page 180

Understanding Virtual Chassis Configurations and Link Aggregation on page 188

Understanding Software Infrastructure and Processes


Each switch runs the Juniper Networks JUNOS Software for Juniper Networks EX
Series Ethernet Switches on its general-purpose processors. JUNOS Software includes
processes for Internet Protocol (IP) routing and for managing interfaces, networks,
and the chassis.
The JUNOS Software runs on the Routing Engine. The Routing Engine kernel
coordinates communication among the JUNOS Software processes and provides a
link to the Packet Forwarding Engine.
With the J-Web interface and the command-line interface (CLI) to the JUNOS Software,
you configure switching features and routing protocols and set the properties of
network interfaces on your switch. After activating a software configuration, use
either the J-Web or CLI user interface to monitor the switch, manage operations, and
diagnose protocol and network connectivity problems.

Routing Engine and Packet Forwarding Engine on page 22

JUNOS Software Processes on page 23

Routing Engine and Packet Forwarding Engine


A switch has two primary software processing components:

- Packet Forwarding Engine: Processes packets; applies filters, routing policies,
  and other features; and forwards packets to the next hop along the route to their
  final destination.

- Routing Engine: Provides three main functions:
  - Creates the packet forwarding switch fabric for the switch, providing route
    lookup, filtering, and switching on incoming data packets, then directing
    outbound packets to the appropriate interface for transmission to the network.
  - Maintains the routing tables used by the switch and controls the routing
    protocols that run on the switch.
  - Provides control and monitoring functions for the switch, including controlling
    power and monitoring system status.

JUNOS Software Processes


The JUNOS Software running on the Routing Engine and Packet Forwarding Engine
consists of multiple processes that are responsible for individual functions.
The separation of functions provides operational stability, because each process
accesses its own protected memory space. In addition, because each process is a
separate software package, you can selectively upgrade all or part of the JUNOS
Software, for added flexibility.
Table 4 on page 23 describes the primary JUNOS Software processes.
Table 4: JUNOS Software Processes

Chassis process (chassisd): Detects hardware on the system that is used to configure
network interfaces. Monitors the physical status of hardware components and
field-replaceable units (FRUs), detecting when environment sensors such as temperature
sensors are triggered. Relays signals and interrupts, for example when devices are taken
offline, so that the system can close sessions and shut down gracefully.

Ethernet switching process (eswd): Handles Layer 2 switching functionality such as
MAC address learning, Spanning Tree Protocol, and access port security. Also manages
Ethernet switching interfaces, VLANs, and VLAN interfaces.

Forwarding process (pfem): Manages the Packet Forwarding Engine, which forwards
transit packets and applies the forwarding table, filters, and policers to them. The overall
performance of the switch is largely determined by the effectiveness of the forwarding
process.

Interface process (dcd): Configures and monitors network interfaces by defining physical
characteristics such as link encapsulation, hold times, and keepalive timers.

Management process (mgd): Provides communication between the other processes and
an interface to the configuration database. Populates the configuration database with
configuration information and retrieves the information when queried by other processes
to ensure that the system operates as configured. Interacts with the other processes
when commands are issued through one of the user interfaces on the switch. If a process
terminates or fails to start when called, the management process attempts to restart it
a limited number of times to prevent thrashing and logs any failure information for
further investigation.

Routing protocol process (rpd): Defines how routing protocols such as RIP, OSPF, and
BGP operate on the device, including selecting routes and maintaining forwarding tables.

Related Topics

For more information about processes, see the JUNOS Network Operations Guide
at http://www.juniper.net/techpubs/software/junos/junos90/index.html.

For more information about basic system parameters, supported protocols, and
software processes, see the JUNOS System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos94/index.html.

Supported Hardware

EX3200 and EX4200 Switches Hardware Overview on page 24

EX3200 Switch Models on page 26

EX4200 Switch Models on page 27

EX8208 Switch Hardware Overview on page 27

EX8216 Switch Hardware Overview on page 31

EX3200 and EX4200 Switches Hardware Overview


Juniper Networks EX Series Ethernet Switches provide scalable connectivity for the
enterprise market, including branch offices, campus locations, and data centers. The
switches run under the Juniper Networks JUNOS Software, which provides Layer 2
and Layer 3 switching, routing, and security services. The same JUNOS code base
that runs on EX Series switches also runs on all Juniper Networks J Series, M Series,
MX Series, and T Series routers.

EX3200 and EX4200 Switch Types on page 24

EX3200 Switches on page 25

EX4200 Switches on page 25

Uplink Modules on page 26

Power over Ethernet (PoE) Ports on page 26

EX3200 and EX4200 Switch Types


Juniper Networks EX3200 and EX4200 Ethernet Switches are two closely related
product lines:

- EX3200 switches: Typically, you deploy these switches in branch environments
  or wiring closets.

- EX4200 switches: You can interconnect EX4200 switches to form a Virtual
  Chassis that operates as a single network entity. You can deploy these switches
  wherever you need a high density of Gigabit Ethernet ports (24 to 480 ports),
  redundancy, or the ability to span a single switch across several wiring closets.
  Typically, EX4200 switches are used in large branch offices, campus wiring
  closets, and top-of-rack locations in a data center.

Both lines have these features:

- Run under JUNOS Software for EX Series switches
- Have options of 24-port and 48-port models
- Have options of full (all ports) or partial (8 ports) Power over Ethernet (PoE)
  capability
- Have optional uplink modules that provide connection to distribution switches

EX3200 Switches
EX3200 switches provide connectivity for low-density environments. Typically, you
deploy these switches in branch environments or wiring closets where only one
switch is required.
EX3200 switches are available in models with either 24 or 48 ports and with either
all ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE.
All models provide ports that have 10/100/1000Base-T Gigabit Ethernet connectors
and optional 1-gigabit small form-factor pluggable (SFP) transceivers, 10-gigabit small
form-factor pluggable (SFP+) transceivers, or 10-gigabit small form-factor pluggable
(XFP) transceivers for use with fiber connections.
EX3200 switches include:

- A field-replaceable power supply and an optional additional connection to an
  external power source.
- A field-replaceable fan tray with a single fan.
- JUNOS Software with its modular design that enables failed system processes to
  gracefully restart.

EX4200 Switches
EX4200 switches provide connectivity for medium- and high-density environments
and scalability for growing networks. These switches can be deployed wherever you
need a high density of Gigabit Ethernet ports (24 to 480 ports) or redundancy.
Typically, EX4200 switches are used in large branch offices, campus wiring closets,
and data centers where they can be positioned as the top device in a rack to provide
connectivity for all the devices in the rack.
You can connect individual EX4200 switches together to form one unit and manage
the unit as a single chassis, called a Virtual Chassis. You can add more member
switches to the Virtual Chassis as needed, up to a total of 10 members.
EX4200 switches are available in models with 24 or 48 ports and with either all ports
equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE. All models
provide ports that have 10/100/1000Base-T Gigabit Ethernet connectors and optional
1-gigabit small form-factor pluggable (SFP) transceivers, 10-gigabit small form-factor
pluggable (SFP+) transceivers, or 10-gigabit small form-factor pluggable (XFP)
transceivers for use with fiber connections.
Additionally, a 24-port model provides 100Base-FX/1000Base-X SFP transceivers.
This model is typically used as a small distribution switch.
All EX4200 switches have dedicated 64-Gbps Virtual Chassis ports that allow you to
connect the switches to each other. You can also use optional uplink module ports
to connect members of a Virtual Chassis across multiple wiring closets.


To provide carrier-class reliability, EX4200 switches include:

- Dual redundant power supplies that are field-replaceable and hot-swappable. An
  optional additional connection to an external power source is also available.
- A field-replaceable fan tray with three fans. The switch remains operational if a
  single fan fails.
- Redundant Routing Engines in a Virtual Chassis configuration. This redundancy
  enables GRES (graceful Routing Engine switchover) and nonstop active routing.
- JUNOS Software with its modular design that enables failed system processes to
  gracefully restart.

Uplink Modules
Optional uplink modules are available for all EX3200 and EX4200 switches. Uplink
modules provide two 10-gigabit small form-factor pluggable (XFP) transceivers, four
1-gigabit small form-factor pluggable (SFP) transceivers, or two 10-gigabit small
form-factor pluggable (SFP+) transceivers. You can use XFP, SFP, or SFP+ ports to
connect an access switch to a distribution switch or to interconnect member switches
of a Virtual Chassis across multiple wiring closets.

Power over Ethernet (PoE) Ports


PoE ports provide electrical current to devices through the network cables so that
separate power cords for devices such as IP phones, wireless access points, and
security cameras are unnecessary. Both the EX3200 and EX4200 switches have
options of full (all 24 or 48 ports) or partial (8 ports) PoE capability.
Full PoE models are primarily used in IP telephony environments. Partial PoE models
are used in environments where, for example, only a few ports for wireless access
points or security cameras are required.
Related Topics

EX3200 Switch Models on page 26

EX4200 Switch Models on page 27

Field-Replaceable Units in EX3200 and EX4200 Switches

Site Preparation Checklist for EX3200 and EX4200 Switches

EX3200 Switch Models


The EX3200 switch is available with 24 or 48 ports with partial or full Power over
Ethernet (PoE) capability. Table 5 on page 26 lists the EX3200 switch models.
Table 5: EX3200 Switch Models

Model        Typical Deployment              Access Ports          PoE-Enabled Ports   Power Supply (Minimum)
EX3200-24T   Access or distribution switch   24 Gigabit Ethernet   First 8 ports       320 W
EX3200-24P   Access switch                   24 Gigabit Ethernet   All 24 ports        600 W
EX3200-48T   Access or distribution switch   48 Gigabit Ethernet   First 8 ports       320 W
EX3200-48P   Access switch                   48 Gigabit Ethernet   All 48 ports        930 W

Related Topics

EX4200 Switch Models on page 27

Front Panel of an EX3200 Switch

Rear Panel of an EX3200 Switch

EX3200 and EX4200 Switches Hardware Overview on page 24

EX4200 Switch Models


The EX4200 switch is available with 24 or 48 ports and with partial or full Power
over Ethernet (PoE) capability. Table 6 on page 27 lists the EX4200 switch models.
Table 6: EX4200 Switch Models

Model        Ports                                                 PoE-Enabled Ports   Power Supply (Minimum)
EX4200-24T   24 Gigabit Ethernet                                   First 8 ports       320 W
EX4200-24P   24 Gigabit Ethernet                                   All 24 ports        600 W
EX4200-48T   48 Gigabit Ethernet                                   First 8 ports       320 W
EX4200-48P   48 Gigabit Ethernet                                   All 48 ports        930 W
EX4200-24F   24 small form-factor pluggable (SFP) transceivers     Not applicable      320 W

Related Topics

EX3200 Switch Models on page 26

Front Panel of an EX4200 Switch

Rear Panel of an EX4200 Switch

EX3200 and EX4200 Switches Hardware Overview on page 24

EX8208 Switch Hardware Overview


Juniper Networks EX8208 Ethernet Switches provide high performance, scalable
connectivity, and carrier-class reliability for high-density environments such as
campus-aggregation and data-center networks. The EX8208 switch is a modular
system that provides high availability and redundancy for all major hardware
components, including Routing Engines, switch fabric, fan tray, and power supplies.


You can manage EX8208 switches using the same JUNOS interfaces that you use for
other JUNOS platforms: the JUNOS command-line interface (CLI), the J-Web graphical
interface, and Network and Security Manager (NSM).

Software on page 28

Chassis Physical Specifications on page 28

Routing Engines and Switch Fabric on page 29

Line Cards on page 30

Cooling System on page 30

Power Supplies on page 30

Software
The Juniper Networks EX Series Ethernet Switches (Juniper Networks EX3200
Ethernet Switches, Juniper Networks EX4200 Ethernet Switches, and Juniper Networks
EX8200 Ethernet Switches) run under the Juniper Networks JUNOS Software, which
provides Layer 2 and Layer 3 switching, routing, and security services. The same
JUNOS code base that runs on EX Series switches also runs on all Juniper Networks
J Series, M Series, MX Series, and T Series routers.

Chassis Physical Specifications


The EX8208 switch is 14 rack units (14 U) in size (1/3 rack); three EX8208 switches
can fit in a standard 42 U rack. Each EX8208 switch is designed to optimize rack
space and cabling. See Figure 3 on page 29.


Figure 3: EX8208 Switch

The EX8208 switch has a chassis-level LCD panel that displays Routing Engine and
switch fabric status as well as chassis component alarm information for rapid
problem identification. The LCD panel provides a user-friendly interface for performing
initial switch configuration, rolling back a configuration, or restoring the switch to
its default settings. See LCD Panel in an EX8200 Switch.
The EX8208 chassis backplane distributes the data, control, and management signals
to various system components along with distributing power throughout the system.
See Chassis Physical Specifications of an EX8208 Switch.

Routing Engines and Switch Fabric


Switching functionality, system management, and system control functions of an
EX8208 switch are performed by the Switch Fabric and Routing Engine (SRE) module.
See Switch Fabric and Routing Engine (SRE) Module in an EX8208 Switch. An SRE
module contains a Routing Engine and switch fabric. The SRE modules are installed
in the front of the chassis in the slots labeled SRE0 and SRE1. See Slot Numbering
for an EX8208 Switch. A base configuration EX8208 switch has one SRE module. A
redundant configuration EX8208 switch has a second SRE module. See EX8208
Switch Configurations.
The Switch Fabric (SF) module, working with the SRE module, provides the necessary
switching functionality to a base configuration EX8208 switch. The SF module is
installed in the front of the chassis in the slot labeled SF. In a redundant configuration
the SF module provides a redundant switch fabric. The additional switch fabric
provides full 2+1 switch fabric redundancy to the switch. See Switch Fabric (SF)
Module in an EX8208 Switch.

Line Cards
The EX8208 switch features eight horizontal line card slots and supports the line rate
for each line card. The line cards in EX8200 switches combine a Packet Forwarding
Engine and Ethernet interfaces on a single assembly. They are field-replaceable units
(FRUs) that can be installed in the line card slots labeled 0 through 7 on the front of
the switch chassis. See Slot Numbering for an EX8208 Switch. All line cards are
hot-insertable and hot-removable.
The following line cards are available for EX8208 switches:

8-port 10-Gigabit Ethernet SFP+ line card: This line card has eight 10-gigabit
SFP+ ports on its faceplate in which you can install SFP+ transceivers. See
8-port SFP+ Line Card in an EX8200 Switch.

48-port 10/100/1000 RJ-45 line card: This line card has 48 10/100/1000 Gigabit
Ethernet ports with RJ-45 connectors on its faceplate. See 48-port RJ-45 Line
Card in an EX8200 Switch.

48-port 100/1000 SFP line card: This line card has 48 1-gigabit SFP ports on its
faceplate in which you can install SFP transceivers. See 48-port SFP Line Card
in an EX8200 Switch.

Cooling System
The cooling system in an EX8208 switch consists of a hot-swappable fan tray. The
fan tray contains 12 fans. The fan tray installs vertically on the left front of the chassis
and provides side-to-side chassis cooling. See Cooling System in an EX8208 Switch.

Power Supplies
Power supplies for the EX8208 switch are fully redundant and hot-swappable. Each
EX8208 switch chassis can hold up to six 2000 W AC power supplies. Each power
supply delivers 2000 W of power at high line (200 to 240 VAC) or 1200 W at low line
(100 to 120 VAC) to the chassis. Only two power supplies are required for the base
configuration and switch powerup. The redundant configuration has six power
supplies that provide the capacity to power all possible line card configurations and
to support N+1 and N+N power redundancies. See AC Power Supply in an EX8200
Switch.
Related Topics

Field-Replaceable Units in an EX8208 Switch

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

EX8216 Switch Hardware Overview


The Juniper Networks EX8216 Ethernet Switch is a half-rack, midplane architecture,
modular Ethernet switch that is designed for ultra-high-density environments such
as campus aggregation, data center, or high-performance core switching
environments. EX8216 switches provide high availability and redundancy for all
major hardware components, including Routing Engine (RE) modules, Switch Fabric
(SF) modules, fan trays (with redundant fans), and load-sharing 2000 W AC, 3000 W
AC and 3000 W DC power supplies. Like other Juniper Networks EX8200 Ethernet
Switches, EX8216 switches provide high performance, scalable connectivity, and
carrier-class reliability.
You can manage EX8216 switches using the same JUNOS interfaces that you use for
other JUNOS platforms: the JUNOS command-line interface (CLI), the J-Web graphical
interface, and Network and Security Manager (NSM).

Software on page 31

Chassis Physical Specifications, LCD Panel, and Midplane on page 31

Routing Engines and Switch Fabric on page 33

Line Cards on page 34

Cooling System on page 34

Power Supplies on page 35

Software
The EX Series switches (Juniper Networks EX3200 Ethernet Switch, Juniper Networks
EX4200 Ethernet Switch, and Juniper Networks EX8200 Ethernet Switch models) run
under the Juniper Networks JUNOS Software, which provides Layer 2 and Layer 3
switching, routing, and security services. The same JUNOS code base that runs on
EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series,
and T Series routers.

Chassis Physical Specifications, LCD Panel, and Midplane


EX8216 switches are designed to optimize rack space and cabling. The EX8216
switch is 21 rack units (21 U) in size (1/2 rack); two EX8216 switches can fit in a
standard 42 U rack. See Figure 4 on page 32 and Figure 5 on page 33 and Chassis
Physical Specifications of an EX8216 Switch.


Figure 4: EX8216 Switch Front


Figure 5: EX8216 Switch Rear

The EX8216 switch has a chassis-level LCD panel that displays Routing Engine and
switch fabric status as well as chassis component alarm information for rapid
problem identification. The LCD panel provides a user-friendly interface for performing
initial switch configuration, rolling back a configuration, or restoring the switch to
the factory default configuration. See LCD Panel in an EX8200 Switch.
The EX8216 chassis midplane distributes the data, control, and management signals
to system components and distributes power throughout the system. See Midplane
in an EX8216 Switch.

Routing Engines and Switch Fabric


System management and system control functions of an EX8216 switch are
performed by the Routing Engine (RE) module. An RE module contains a Routing
Engine. The RE modules are hot-insertable and hot-removable field-replaceable units
(FRUs) that are installed in the front of the chassis in the slots labeled RE0 and RE1.
A base configuration (AC version) EX8216 switch has one RE module. A redundant
configuration (AC and DC versions) EX8216 switch has a second RE module for
redundancy. See Routing Engine (RE) Module in an EX8216 Switch and EX8216
Switch Configurations.
The Switch Fabric (SF) modules provide the switching functionality to an EX8216
switch. The SF modules are hot-insertable and hot-removable field-replaceable units
(FRUs). All eight SF modules are installed in the rear of the chassis in the slots labeled
SF7 through SF0. In an EX8216 switch, all eight SF modules are active and must be
installed in the switch for normal operation. If a single SF module fails, the
input/output traffic for that module is load-balanced among the remaining SF modules,
providing graceful degradation in midplane performance. The impact of an SF module
failure on the performance of an EX8216 switch varies based on the type of line
cards installed in the switch and the traffic mix flowing through them. In an EX8216
switch configuration that is fully loaded with 8-port 10-Gigabit Ethernet SFP+ line
cards, if one SF module fails, the remaining seven SF modules still have sufficient
switching capacity to maintain continuous switch operation at full wire-rate
performance. See Switch Fabric (SF) Modules in an EX8216 Switch.

Line Cards
The EX8216 switch features 16 horizontal line card slots and supports wire-rate
performance for all packet sizes for the installed line cards. The line cards in EX8200
switches combine a Packet Forwarding Engine and Ethernet interfaces on a single
assembly. They are field-replaceable units (FRUs), and you can install them in the
slots labeled 0 through 15 on the front of the switch chassis. All line cards are
hot-insertable and hot-removable.
The following line cards are available for EX8216 switches:

8-port 10-Gigabit Ethernet SFP+ line card: This line card has eight 10-gigabit
SFP+ ports on its faceplate in which you can install SFP+ transceivers. See
8-port SFP+ Line Card in an EX8200 Switch.

48-port 10/100/1000 RJ-45 line card: This line card has 48 10/100/1000 Gigabit
Ethernet ports with RJ-45 connectors on its faceplate. See 48-port RJ-45 Line
Card in an EX8200 Switch.

48-port 100/1000 SFP line card: This line card has 48 1-gigabit SFP ports on its
faceplate in which you can install SFP transceivers. See 48-port SFP Line Card
in an EX8200 Switch.

Cooling System
The cooling system in an EX8216 switch consists of two hot-insertable and
hot-removable, field-replaceable unit (FRU) fan trays. Each fan tray contains nine
fans. Both fan trays install vertically on the left front of the chassis and provide
side-to-side chassis cooling and front-to-side cooling. The top and bottom fan trays
are identical and interchangeable. However, only the top fan tray cools the SF modules
installed in the rear of the chassis. See Cooling System in an EX8216 Switch.


Power Supplies
Power supplies for the EX8216 switch are fully redundant, load-sharing, and
hot-insertable and hot-removable field-replaceable units (FRUs). Each EX8216 switch
chassis can hold up to six 2000 W AC, six 3000 W AC, or six 3000 W DC power
supplies.
The 2000 W AC power supplies support both low-line (100 to 120 VAC) and high-line
(200 to 240 VAC) AC power configurations on an EX8216 switch.
Each 3000 W AC power supply delivers 3000 W of power at high line (200 to 240 VAC)
to the EX8216 chassis. Low-line input is not supported for the 3000 W AC power
supplies on the EX8216 switch. Each DC power supply delivers 3000 W of power to
the chassis when the input voltage is in the range 40 VDC through 72 VDC.
The redundant AC configuration ships with six AC power supplies to provide the
capacity to power the system using N+1 or N+N power redundancy. The redundant
DC configuration ships with four DC power supplies. The dual inputs of the DC
supplies provide direct support for N+N power redundancy. The redundant
configuration also provides sufficient capacity for N+1 redundancy in most
configurations; if necessary, up to two additional DC supplies can be added to the
system. See AC Power Supply in an EX8200 Switch, DC Power Supply in an EX8200
Switch, and EX8216 Switch Configurations.

CAUTION: Mixing different types of power supplies in the same chassis is not a
supported configuration.
Related Topics

Field-Replaceable Units in an EX8216 Switch

Slot Numbering for an EX8216 Switch

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81


Part 2

Complete Software Configuration Statement Hierarchy

Complete Software Configuration Statement Hierarchy on page 39


Chapter 2

Complete Software Configuration Statement Hierarchy

[edit access] Configuration Statement Hierarchy on page 39

[edit chassis] Configuration Statement Hierarchy on page 40

[edit class-of-service] Configuration Statement Hierarchy on page 40

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 42

[edit firewall] Configuration Statement Hierarchy on page 44

[edit forwarding-options] Configuration Statement Hierarchy on page 44

[edit interfaces] Configuration Statement Hierarchy on page 45

[edit poe] Configuration Statement Hierarchy on page 46

[edit protocols] Configuration Statement Hierarchy on page 47

[edit snmp] Configuration Statement Hierarchy on page 52

[edit virtual-chassis] Configuration Statement Hierarchy on page 53

[edit vlans] Configuration Statement Hierarchy on page 53

[edit access] Configuration Statement Hierarchy


access {
    profile profile-name {
        accounting {
            order [ radius | none ];
            accounting-stop-on-access-deny;
            accounting-stop-on-failure;
        }
        authentication-order [ authentication-method ];
        radius {
            accounting-server [ server-address ];
            authentication-server [ server-address ];
        }
    }
}
Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952


[edit chassis] Configuration Statement Hierarchy


chassis {
    aggregated-devices {
        ethernet {
            device-count number;
        }
    }
}
Related Topics

JUNOS Software Hierarchy and RFC Reference at http://www.juniper.net/techpubs/software/junos/junos90/index.html

[edit class-of-service] Configuration Statement Hierarchy


class-of-service {
    classifiers {
        (dscp | ieee-802.1 | inet-precedence) classifier-name {
            import (classifier-name | default);
            forwarding-class class-name {
                loss-priority loss-priority {
                    code-points [ aliases ] [ 6 bit-patterns ];
                }
            }
        }
    }
    code-point-aliases {
        (dscp | ieee-802.1 | inet-precedence) {
            alias-name bits;
        }
    }
    forwarding-classes {
        class class-name queue-num queue-number;
    }
    interfaces {
        interface-name {
            scheduler-map map-name;
            unit logical-unit-number {
                forwarding-class class-name;
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
                }
            }
        }
    }
    multi-destination {
        family {
            ethernet {
                broadcast forwarding-class-name;
            }
            inet {
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) classifier-name;
                }
            }
        }
        scheduler-map map-name;
    }
    rewrite-rules {
        (dscp | ieee-802.1 | inet-precedence) rewrite-name {
            import (rewrite-name | default);
            forwarding-class class-name {
                loss-priority loss-priority code-point (alias | bits);
            }
        }
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder);
            drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
            priority priority;
            shaping-rate (rate | percent percentage);
            transmit-rate (rate | percent percentage | remainder);
        }
    }
}
Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers
(J-Web Procedure) on page 1396

Defining CoS Forwarding Classes (CLI Procedure) on page 1398 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1398

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1403

Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers
(J-Web Procedure) on page 1401

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1405

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407 or Assigning
CoS Components to Interfaces (J-Web Procedure) on page 1407

Understanding CoS Classifiers on page 1359


[edit ethernet-switching-options] Configuration Statement Hierarchy


ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        disable-timeout timeout;
        interface (all | [interface-name]);
    }
    dot1q-tunneling {
        ether-type (0x8100 | 0x88a8 | 0x9100);
    }
    interfaces interface-name {
        no-mac-learning;
    }
    mac-table-aging-time seconds;
    port-error-disable {
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
        }
    }
    secure-access-port {
        dhcp-snooping-file {
            location (local_pathname | remote_URL);
            timeout seconds;
            write-interval seconds;
        }
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            no-allowed-mac-log;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                    use-interface-description;
                    use-vlan-id;
                }
                remote-id {
                    prefix (hostname | mac | none);
                    use-interface-description;
                    use-string string;
                }
                vendor-id [string];
            }
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            bandwidth bandwidth;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    unknown-unicast-forwarding {
        vlan (all | vlan-name) {
            interface interface-name;
        }
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}
Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

Port Security for EX Series Switches Overview on page 1063

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574


Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding Storm Control on EX Series Switches on page 475

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480
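As an added example (not configuration from this guide), the secure-access-port statements above combined into one port-security configuration for an access VLAN: the uplink toward the DHCP server is marked trusted, access ports get a MAC limit, a host with a static address is registered so IP source guard and ARP inspection do not drop it, and DHCP snooping, dynamic ARP inspection, and IP source guard are enabled on the VLAN. The interface names, VLAN name, addresses, MAC address, and snooping-file path are constructed values; VLAN membership of the ports is assumed to be configured under [edit interfaces].

```junos
ethernet-switching-options {
    secure-access-port {
        /* Persist the DHCP snooping bindings so they survive a reboot (path is constructed) */
        dhcp-snooping-file {
            location /var/tmp/dhcp_snooping.db;
            write-interval 60;
        }
        /* Uplink to the DHCP server: the only port on which DHCP server replies are accepted */
        interface ge-0/0/23.0 {
            dhcp-trusted;
        }
        /* Typical access port: one host plus headroom; the port is shut down on a violation */
        interface ge-0/0/1.0 {
            no-dhcp-trusted;
            mac-limit 2 action shutdown;
        }
        /* Printer with a static address: register its binding by hand, otherwise
           IP source guard and ARP inspection drop its traffic (address and MAC are constructed) */
        interface ge-0/0/5.0 {
            mac-limit 1 action drop;
            static-ip 192.0.2.50 {
                vlan employee-vlan;
                mac 00:00:5e:00:53:05;
            }
        }
        vlan employee-vlan {
            examine-dhcp;
            arp-inspection;
            ip-source-guard;
            /* Rate-limit MAC moves; frequent moves indicate spoofing or a loop */
            mac-move-limit 5 action drop;
        }
    }
}
vlans {
    employee-vlan {
        vlan-id 100;
    }
}
```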

[edit firewall] Configuration Statement Hierarchy


firewall {
    family family-name {
        filter filter-name {
            interface-specific;
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }
    policer policer-name {
        filter-specific;
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            policer-action;
        }
    }
}
Related Topics

Firewall Filter Configuration Statements Supported by JUNOS Software for EX
Series Switches on page 1324

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Firewall Filters for EX Series Switches Overview on page 1249
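An added example (not from this guide) that fills in the [edit firewall] hierarchy above: a family ethernet-switching filter applied to a server VLAN that rate-limits ICMP with a policer, discards and counts Telnet toward the servers, and accepts everything else. The VLAN name, filter, policer and counter names, and the rates are constructed; the final accept term is required because a JUNOS filter discards any packet that no term matches.

```junos
firewall {
    /* Policer: 1 Mbps of ICMP with a 15 KB burst; traffic above that is discarded */
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family ethernet-switching {
        filter server-vlan-in {
            term rate-limit-icmp {
                from {
                    ip-protocol icmp;
                }
                then {
                    policer icmp-1m;
                    accept;
                }
            }
            term deny-telnet {
                from {
                    ip-protocol tcp;
                    destination-port 23;
                }
                then {
                    /* Count the drops so the attempts show up in show firewall output */
                    count telnet-denied;
                    discard;
                }
            }
            /* Explicit final accept: without it the implicit discard drops all other traffic */
            term allow-rest {
                then accept;
            }
        }
    }
}
vlans {
    servers {
        vlan-id 200;
        filter input server-vlan-in;
    }
}
```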

[edit forwarding-options] Configuration Statement Hierarchy


forwarding-options {
    helpers {
        bootp {
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                    use-interface-description;
                    use-vlan-id;
                }
                remote-id {
                    prefix (hostname | mac | none);
                    use-interface-description;
                    use-string string;
                }
                vendor-id <string>;
            }
            interface {
                interface-name {
                    dhcp-option82 {
                        circuit-id {
                            prefix hostname;
                            use-interface-description;
                            use-vlan-id;
                        }
                        remote-id {
                            prefix (hostname | mac | none);
                            use-interface-description;
                            use-string string;
                        }
                        vendor-id <string>;
                    }
                }
            }
        }
    }
}
Related Topics

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent
Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients
and DHCP Server (CLI Procedure) on page 1160

Understanding DHCP Option 82 for Port Security on EX Series Switches on page 1078

For more information about the [edit forwarding-options] hierarchy and all its
options, see the JUNOS Software Policy Framework Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos93/index.html.

[edit interfaces] Configuration Statement Hierarchy


interfaces {
    aex {
        aggregated-ether-options {
            lacp mode {
                periodic interval;
            }
        }
    }
    ge-chassis/pic/port {
        description text;
        ether-options {
            802.3ad aex;
            auto-negotiation;
            flow-control;
            link-mode mode;
            speed (speed | auto-negotiation);
        }
        mtu bytes;
        no-gratuitous-arp-request;
        unit logical-unit-number {
            (family ccc; |
            family ethernet-switching {
                filter input filter-name;
                filter output filter-name;
                native-vlan-id vlan-id;
                port-mode mode;
                vlan {
                    members [ (all | names | vlan-ids) ];
                }
            } |
            family mpls;)
            proxy-arp;
            vlan-id vlan-id-number;
        }
        vlan-tagging;
    }
}
Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring a Layer 3 Subinterface (CLI Procedure)

EX Series Switches Interfaces Overview on page 339

JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html

[edit poe] Configuration Statement Hierarchy


poe {
    guard-band watts;
    interface (all | interface-name) {
        disable;
        maximum-power watts;
        priority value;
        telemetries {
            disable;
            duration hours;
            interval minutes;
        }
    }
    management type;
}
Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series
Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467

[edit protocols] Configuration Statement Hierarchy


protocols {
    connections {
        remote-interface-switch connection-name {
            interface interface-name.unit-number;
            transmit-lsp label-switched-path;
            receive-lsp label-switched-path;
        }
    }
    dot1x {
        authenticator {
            authentication-profile-name profile-name;
            interface (all | [ interface-names ]) {
                disable;
                guest-vlan (vlan-id | vlan-name);
                mac-radius <restrict>;
                maximum-requests number;
                no-reauthentication;
                quiet-period seconds;
                reauthentication {
                    interval seconds;
                }
                retries number;
                server-fail (deny | permit | use-cache | vlan-id | vlan-name);
                server-reject-vlan (vlan-id | vlan-name);
                server-timeout seconds;
                supplicant (multiple | single | single-secure);
                supplicant-timeout seconds;
                transmit-period seconds;
            }
            static mac-address {
                interface interface-name;
                vlan-assignment (vlan-id | vlan-name);
            }
        }
    }
    gvrp {
        <enable | disable>;
        interface (all | [interface-name]) {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }
    igmp-snooping {
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        vlan (vlan-id | vlan-number) {
            data-forwarding {
                source {
                    groups group-prefix;
                }
                receiver {
                    source-vlans vlan-list;
                    install;
                }
            }
            disable {
                interface interface-name;
            }
            immediate-leave;
            interface interface-name {
                group-limit limit;
                multicast-router-interface;
                static {
                    group ip-address;
                }
            }
            proxy;
            query-interval seconds;
            query-last-member-interval seconds;
            query-response-interval seconds;
            robust-count number;
        }
    }
    lldp {
        disable;
        advertisement-interval seconds;
        hold-multiplier number;
        interface (all | interface-name) {
            disable;
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
    }
    lldp-med {
        disable;
        fast-start number;
        interface (all | interface-name) {
            disable;
            location {
                elin number;
                civic-based {
                    what number;
                    country-code code;
                    ca-type {
                        number {
                            ca-value value;
                        }
                    }
                }
            }
        }
    }
    mpls {
        interface (all | interface-name);
        label-switched-path lsp-name to remote-provider-edge-switch;
        path destination {
            <address | hostname> <strict | loose>;
        }
    }
    mstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        configuration-name name;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        max-hops hops;
        msti msti-id {
            vlan (vlan-id | vlan-name);
            interface interface-name {
                disable;
                cost cost;
                edge;
                mode mode;
                priority priority;
            }
        }
        revision-level revision-level;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    oam {
        ethernet {
            link-fault-management {
                action-profile profile-name {
                    action {
                        syslog;
                        link-down;
                    }
                    event {
                        link-adjacency-loss;
                        link-event-rate;
                        frame-error count;
                        frame-period count;
                        frame-period-summary count;
                        symbol-period count;
                    }
                }
                interface interface-name {
                    link-discovery (active | passive);
                    pdu-interval interval;
                    event-thresholds threshold-value;
                    remote-loopback;
                    event-thresholds {
                        frame-error count;
                        frame-period count;
                        frame-period-summary count;
                        symbol-period count;
                    }
                }
                negotiation-options {
                    allow-remote-loopback;
                    no-allow-link-events;
                }
            }
        }
    }
    rstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    sflow {
        collector {
            ip-address;
            udp-port port-number;
        }
        disable;
        interfaces interface-name {
            disable;
            polling-interval seconds;
            sample-rate number;
        }
        polling-interval seconds;
        sample-rate number;
    }
    stp {
        disable;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    vstp {
        bpdu-block-on-edge;
        disable;
        force-version stp;
        vlan vlan-id {
            bridge-priority priority;
            forward-delay seconds;
            hello-time seconds;
            interface (all | interface-name) {
                bpdu-timeout-action {
                    block;
                    alarm;
                }
                cost cost;
                disable;
                edge;
                mode mode;
                no-root-port;
                priority priority;
            }
            max-age seconds;
            traceoptions {
                file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
                flag flag;
            }
        }
    }
}
Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Understanding Server Fail Fallback and 802.1X Authentication on EX Series
Switches on page 873

IGMP Snooping on EX Series Switches Overview on page 795

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding How to Use sFlow Technology for Network Monitoring on an EX
Series Switch on page 1635

Understanding VSTP for EX Series Switches on page 574

Understanding Ethernet OAM Link Fault Management for an EX Series Switch
on page 1661
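An added example (not from this guide) that ties the [edit access] profile hierarchy to the [edit protocols dot1x] authenticator hierarchy above: a RADIUS profile with accounting, a single-host access port that re-authenticates hourly and fails closed when the RADIUS server is unreachable, and a phone-plus-PC port that authenticates each MAC separately and falls back to MAC RADIUS for the phone. The radius-server statement under [edit access] is standard JUNOS but is not part of the extract above; the server address, shared secret, profile, interface and VLAN names are constructed, and the guest and remediation VLANs are assumed to exist under [edit vlans].

```junos
access {
    /* RADIUS server definition (not in the [edit access] extract above);
       the address and shared secret are placeholders */
    radius-server {
        192.0.2.10 {
            secret "replace-with-shared-secret";
        }
    }
    profile dot1x-profile {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
            accounting-server 192.0.2.10;
        }
        accounting {
            order radius;
            /* Send an accounting stop when authentication fails or the server denies access */
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            /* One authenticated host per port, re-authenticated every hour;
               deny access if no RADIUS server answers (fail closed), park rejected
               clients in a remediation VLAN and non-802.1X clients in a guest VLAN */
            interface ge-0/0/1.0 {
                supplicant single-secure;
                reauthentication {
                    interval 3600;
                }
                server-fail deny;
                server-reject-vlan remediation-vlan;
                guest-vlan guest-vlan;
            }
            /* IP phone with a PC behind it: every MAC authenticates on its own, and a
               device without an 802.1X supplicant is authenticated by its MAC via RADIUS */
            interface ge-0/0/10.0 {
                supplicant multiple;
                mac-radius;
            }
        }
    }
}
```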

[edit snmp] Configuration Statement Hierarchy


snmp {
    rmon {
        history index {
            bucket-size number;
            interface interface-name;
            interval seconds;
            owner owner-name;
        }
    }
}
Related Topics

Configuring SNMP (J-Web Procedure) on page 777

JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

[edit virtual-chassis] Configuration Statement Hierarchy


virtual-chassis {
    fast-failover (ge | vcp disable | xe);
    id id;
    mac-persistence-timer seconds;
    member member-id {
        mastership-priority number;
        no-management-vlan;
        serial-number serial-number;
        role (routing-engine | line-card);
    }
    no-split-detection;
    preprovisioned;
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}
Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 219

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration
File on page 239

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Virtual Chassis Overview on page 177

[edit vlans] Configuration Statement Hierarchy


vlans {
    vlan-name {
        description text-description;
        dot1q-tunneling {
            customer-vlans (id | range);
        }
        filter input filter-name;
        filter output filter-name;
        interface interface-name {
            mapping (policy | tag push | native push);
        }
        l3-interface vlan.logical-interface-number;
        mac-limit number;
        mac-table-aging-time seconds;
        no-local-switching;
        no-mac-learning;
        primary-vlan vlan-name;
        vlan-id number;
        vlan-range vlan-id-low-vlan-id-high;
    }
}
Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Example: Connecting an Access Switch to a Distribution Switch on page 498

Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530

Creating a Private VLAN (CLI Procedure) on page 550

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Part 3

Software User Interfaces

JUNOS Command-Line Interface on page 57

J-Web Graphical User Interface on page 61

Chapter 3

JUNOS Command-Line Interface

CLI User Interface Overview on page 57

CLI User Interface Overview


You can use two interfaces to monitor, configure, troubleshoot, and manage a Juniper
Networks EX Series Ethernet Switch: the J-Web graphical user interface and the
JUNOS command-line interface (CLI). Both of these user interfaces are shipped with
the switch. This topic describes the CLI. For information about the J-Web user
interface, see J-Web User Interface for EX Series Switches Overview on page 61.

CLI Overview on page 57

CLI Help and Command Completion on page 57

CLI Command Modes on page 58

CLI Overview
The JUNOS CLI is a Juniper Networks-specific command shell that runs on top of a UNIX-based operating system kernel. The CLI provides command help and command completion.
The CLI also provides a variety of UNIX utilities and features:

Emacs-style keyboard sequences that allow you to move around on a command line and scroll through recently executed commands.

Regular expression matching to locate and replace values and identifiers in a configuration, and to filter command output or log file entries.

Storing and archiving router files on a UNIX-based file system.

Exiting from the CLI environment and creating a UNIX C shell or Bourne shell to navigate the file system, manage switch processes, and so on.

CLI Help and Command Completion


To access CLI Help, type a question mark (?) at any level of the hierarchy. The system
displays a list of the available commands or statements and a short description of
each.
To complete a command, statement, or option that you have partially typed, press the Tab key or the Spacebar. If the partially typed letters uniquely identify a command, the complete command name appears. Otherwise, a beep indicates that you have entered an ambiguous command and the possible completions are displayed. This completion feature also applies to other strings, such as filenames, interface names, usernames, and configuration statements.

CLI Command Modes


The CLI has two modes, operational mode and configuration mode.
In operational mode, you enter commands to monitor and troubleshoot switch hardware and software and network connectivity. Operational mode is indicated by the > prompt, for example, user@switch>.
In configuration mode, you can define all properties of the Juniper Networks JUNOS Software, including interfaces, VLANs, Virtual Chassis information, routing protocols, user access, and several system hardware properties.
To enter configuration mode, enter the configure command:
user@switch> configure

Configuration mode is indicated by the # prompt, which includes the current location in the configuration hierarchy, for example:
[edit interfaces ge-0/0/12]
user@switch#

In configuration mode, you are actually viewing and changing the candidate
configuration file. The candidate configuration allows you to make configuration
changes without causing operational changes to the current operating configuration,
called the active configuration. When you commit the changes you added to the
candidate configuration, the system updates the active configuration. Candidate
configurations enable you to alter your configuration without causing potential damage
to your current network operations.
To activate your configuration changes, enter the commit command.
To return to operational mode, go to the top of the configuration hierarchy and then quit, for example:
[edit interfaces ge-0/0/12]
user@switch# top
[edit]
user@switch# exit

You can also activate your configuration changes and exit configuration mode with
a single command, commit and-quit. This command succeeds only if there are no
mistakes or syntax errors in the configuration.

TIP: When you commit the candidate configuration, you can require an explicit confirmation for the commit to become permanent by using the commit confirmed command. This is useful for verifying that a configuration change works correctly and does not prevent management access to the switch. After you issue the commit confirmed command, you must issue another commit command within the defined period of time (10 minutes by default) or the system reverts to the previous configuration.
Related Topics

EX Series Switch Software Features Overview on page 3

JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos.


Chapter 4

J-Web Graphical User Interface

J-Web User Interface for EX Series Switches Overview on page 61

Using the CLI Viewer in the J-Web Interface to View Configuration Text on page 63

Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration
Text on page 63

Using the CLI Editor in the J-Web Interface to Edit Configuration Text on page 65

Using the CLI Terminal on page 66

Understanding J-Web Configuration Tools on page 66

Starting the J-Web Interface on page 68

Dashboard for EX Series Switches on page 68

Understanding J-Web User Interface Sessions on page 76

J-Web User Interface for EX Series Switches Overview


You can use two interfaces to monitor, configure, troubleshoot, and manage a Juniper
Networks EX Series Ethernet Switch: the J-Web graphical user interface and the
JUNOS command-line interface (CLI). Both of these user interfaces are shipped with
the switch. This topic describes the J-Web interface. You can navigate the J-Web
interface, scroll pages, and expand and collapse elements as you do in a typical Web
browser interface. For information about the CLI user interface, see CLI User Interface
Overview on page 57.
Use Internet Explorer version 6.0 and higher, or Firefox version 2.0 and higher, to
access the J-Web interface.

NOTE: The browser and the network must support receiving and processing HTTP
1.1 GZIP compressed data.
Each page of the J-Web interface is divided into panes.

Top pane: Displays system identity information and links.

Main pane: Location where you monitor, configure, diagnose (troubleshoot), and manage (maintain) the switch by entering information in text boxes, making selections, and clicking buttons.

Side pane: Displays suboptions of the Monitor, Configure, Troubleshoot, or Maintain task currently displayed in the main pane. Click a suboption to access it in the main pane.

The layout of the panes allows you to quickly navigate through the interface. Table
7 on page 62 summarizes the elements of the J-Web interface.
The J-Web interface provides CLI tools that allow you to perform all of the tasks that
you can perform from the JUNOS command-line interface (CLI), including a CLI
Viewer to view the current configuration, a CLI Editor for viewing and modifying the
configuration, and a Point & Click CLI editor that allows you to click through all of
the available CLI statements.
Table 7: J-Web Interface

Top Pane

hostname
    Hostname of the switch.

Logged in as: username
    Username you used to log in to the switch.

Help
    Link to context-sensitive help information.

About
    Displays information about the J-Web interface, such as the version number.

Logout
    Ends your current login session with the switch and returns you to the login page.

Taskbar
    Menu of J-Web main options. Click the tab to access the option.
    Dashboard: Displays a high-level, graphical view of the chassis and status of the switch. It displays system health information, alarms, and system status.
    Configure: Configure the switch, and view configuration history.
    Monitor: View information about configuration and hardware on the switch.
    Maintain: Manage files and licenses, upgrade software, and reboot the switch.
    Troubleshoot: Run diagnostic tools to troubleshoot network issues.

Main Pane

Help (?) icon
    Displays useful information, such as the definition, format, and valid range of an option, when you move the cursor over the question mark.

Red asterisk (*)
    Indicates a required field.

Icon legend
    (Applies to the Point & Click CLI editor only) Explains icons that appear in the user interface to provide information about configuration statements:
    C: Comment. Move your cursor over the icon to view a comment about the configuration statement.
    I: Inactive. The configuration statement does not affect the switch.
    M: Modified. The configuration statement has been added or modified.
    *: Mandatory. The configuration statement must have a value.

Task Pane

Configuration hierarchy
    (Applies to the JUNOS CLI configuration editor only) Displays the hierarchy of committed statements in the switch configuration.
    Click Expand all to display the entire hierarchy.
    Click Hide all to display only the statements at the top level.
    Click plus signs (+) to expand individual items.
    Click minus signs (-) to hide individual items.

Related Topics

EX Series Switch Software Features Overview on page 3

EX3200 and EX4200 Switches Hardware Overview on page 24

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

CLI User Interface Overview on page 57

Using the CLI Viewer in the J-Web Interface to View Configuration Text
To view the entire configuration file contents in text format, select Configure>CLI Tools>CLI Viewer. The main pane displays the configuration in text format.
Each level in the hierarchy is indented to indicate each statement's relative position in the hierarchy. Each level is generally set off with braces, with an open brace ({) at the beginning of each hierarchy level and a closing brace (}) at the end. If the statement at a hierarchy level is empty, the braces are not displayed. Each leaf statement ends with a semicolon (;), as does the last statement in the hierarchy.
This indented representation is used when the configuration is displayed or saved as an ASCII file. However, when you load an ASCII configuration file, the format of the file is not so strict. The braces and semicolons are required, but the indentation and use of new lines are not required in ASCII configuration files.
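The format described above, as an added example that is not Juniper code: a small Python parser for the braces-and-semicolons text, which accepts the same stanza with and without indentation and line breaks, rejects a missing semicolon or an unbalanced brace before anything is loaded, re-renders a tree in the indented form the CLI Viewer shows, and lists the [edit ...] locations a configuration-mode prompt would display. The sample stanza is constructed from the [edit vlans] hierarchy; the VLAN names and values in it are assumed.

```python
"""Parser for the JUNOS curly-brace configuration text (added example, not
Juniper code): only braces and semicolons are required in a loaded file."""
import re
from typing import Dict, List, Optional
# A container statement maps to a nested dict; a leaf statement maps to None.
ConfigTree = Dict[str, Optional[dict]]
# Quoted value | '#' comment to end of line | brace or semicolon | bare word.
TOKEN_RE = re.compile(r'"[^"]*"|#[^\n]*|[{};]|[^\s{};"#]+')


def tokenize(text: str) -> List[str]:
    """Split text into words plus '{', '}' and ';'; comments are dropped and a
    double-quoted value (description "Sales floor";) stays one token."""
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]


def parse(text: str) -> ConfigTree:
    """Parse into nested dicts keyed by statement. Raises ValueError on a
    missing ';' or unbalanced braces, the defects that make a load fail."""
    tokens = tokenize(text)
    pos = 0
    def block(nested: bool) -> ConfigTree:
        nonlocal pos
        tree: ConfigTree = {}
        words: List[str] = []               # words of the statement being read
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok in ";{" and not words:
                raise ValueError(f"'{tok}' without a statement before it")
            if tok == ";":                  # leaf statement ends here
                tree[" ".join(words)] = None
                words = []
            elif tok == "{":                # container statement opens
                tree[" ".join(words)] = block(nested=True)
                words = []
            elif tok == "}":
                if words or not nested:
                    raise ValueError("missing ';' before '}' or unbalanced '}'")
                return tree
            else:
                words.append(tok)
        if words or nested:
            raise ValueError("missing ';' or '}' at end of input")
        return tree

    return block(nested=False)


def is_well_formed(text: str) -> bool:
    """True if the text parses, so a loader may accept it."""
    try:
        return parse(text) is not None
    except ValueError:
        return False


def render(tree: ConfigTree, indent: int = 0) -> str:
    """Render in the indented form the CLI Viewer displays; an empty
    container is shown without braces, as the switch does."""
    pad = "    " * indent
    lines: List[str] = []
    for stmt, child in tree.items():
        if not child:
            lines.append(f"{pad}{stmt};")
        else:
            lines.append(f"{pad}{stmt} {{")
            lines.append(render(child, indent + 1))
            lines.append(f"{pad}}}")
    return "\n".join(lines)


def edit_paths(tree: ConfigTree, prefix: str = "") -> List[str]:
    """List the configuration-mode prompts ([edit ...]) for each container."""
    paths: List[str] = []
    for stmt, child in tree.items():
        if child:
            path = f"{prefix} {stmt}".strip()
            paths.append(f"[edit {path}]")
            paths.extend(edit_paths(child, path))
    return paths


# Constructed sample following the [edit vlans] hierarchy, as the CLI Viewer shows it.
INDENTED = """\
vlans {
    sales {
        description "Sales floor";
        vlan-id 100;
        l3-interface vlan.100;
    }
    guest {
        vlan-range 200-210;
        no-local-switching;
    }
}"""
# The same configuration with every optional newline and indent removed.
COMPACT = ('vlans{sales{description "Sales floor";vlan-id 100;l3-interface vlan.100;}'
           'guest{vlan-range 200-210;no-local-switching;}}')
```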
Related Topics

Understanding J-Web Configuration Tools on page 66

Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text
To edit the configuration on a series of pages of clickable options that steps you
through the hierarchy, select Configure>CLI Tools>Point&Click CLI. The side pane
displays the top level of the configured hierarchy, and the main pane displays
configured hierarchy options and the Icon Legend.
To expand or hide the hierarchy of all the statements in the side pane, click Expand all or Hide all. To expand or hide an individual statement in the hierarchy, click the expand (+) or collapse (-) icon to the left of the statement.


TIP: Only those statements included in the committed configuration are displayed
in the hierarchy.
The configuration information in the main pane consists of configuration options
that correspond to configuration statements. Configuration options that contain
subordinate statements are identified by the term Nested.
To include, edit, or delete statements in the candidate configuration, click one of the
links described in Table 8 on page 64. Then specify configuration information by
typing in a field, selecting a value from a list, or clicking a check box (toggle).
Table 8: J-Web Edit Point & Click Configuration Links

Add new entry
    Displays fields and lists for a statement identifier, allowing you to add a new identifier to a statement.

Configure
    Displays information for a configuration option that has not been configured, allowing you to include a statement.

Delete
    Deletes the corresponding statement or identifier from the configuration. All subordinate statements and identifiers contained within a deleted statement are also discarded.

Edit
    Displays information for a configuration option that has already been configured, allowing you to edit a statement.

Identifier
    Displays fields and lists for an existing statement identifier, allowing you to edit the identifier.

As you navigate through the configuration, the hierarchy level is displayed at the top
of the main pane. You can click a statement or identifier in the hierarchy to display
the corresponding configuration options in the main pane.
The main pane includes icons that display information about statements and
identifiers when you place your cursor over them. Table 9 on page 64 describes
these icons.
Table 9: J-Web Edit Point & Click Configuration Icons

Function of each icon (the icons themselves are shown in the Icon Legend in the main pane):

Displays a comment about a statement.

Indicates that a statement is inactive.

Indicates that a statement has been added or modified but has not been committed.

Indicates that the statement or identifier is required in the configuration.

Provides online help information.

After typing or selecting your configuration edits, click a button in the main pane
(described in Table 10 on page 65) to apply your changes or cancel them, refresh
the display, or discard parts of the candidate configuration. An updated configuration
does not take effect until you commit it.
Table 10: J-Web Edit Point & Click Configuration Buttons

Refresh
    Updates the display with any changes to the configuration made by other users.

Commit
    Verifies edits and applies them to the current configuration file running on the switch.

Discard
    Removes edits applied to or deletes existing statements or identifiers from the candidate configuration.

Related Topics

CLI User Interface Overview on page 57

Understanding J-Web Configuration Tools on page 66

Using the CLI Editor in the J-Web Interface to Edit Configuration Text
Use the CLI Editor to edit configuration if you know the JUNOS CLI or prefer a
command interface.
To edit the entire configuration in text format:

CAUTION: We recommend that you use this method to edit and commit the configuration only if you have experience editing configurations through the CLI.

1. Select Configure>CLI Tools>CLI Editor. The main pane displays the configuration in a text editor.

2. Navigate to the hierarchy level you want to edit.
You can edit the candidate configuration using standard text editor operations: insert lines (by using the Enter key), delete lines, and modify, copy, and paste text.

3. Click Commit to load and commit the configuration.
The switching platform checks the configuration for the correct syntax before committing it.

Related Topics

CLI User Interface Overview on page 57

Understanding J-Web Configuration Tools on page 66


Using the CLI Terminal


The J-Web CLI terminal provides access to the JUNOS command-line interface (CLI) through the J-Web interface. The functionality and behavior of the CLI available through the CLI terminal page are the same as those of the JUNOS CLI available through the switch console. The CLI terminal supports all CLI commands and other features such as CLI help and autocompletion. Using the CLI terminal page, you can fully configure, monitor, and manage the switch.

Before you can use the CLI terminal, you must configure the domain name and hostname of the switch. See Configuring System Identity for the EX Series Switch (J-Web Procedure) for more information.

To access the CLI through the J-Web interface, your management device requires the following features:

SSH access: Enable Secure Shell (SSH) on your system. SSH provides a secured method of logging in to the switch and encrypts the traffic so that it is not intercepted. If SSH is not enabled on the system, the CLI terminal page displays an error.

Java applet support: Make sure that your Web browser supports Java applets.

JRE installed on the client: Install Java Runtime Environment (JRE) version 1.4 or later on your system. JRE is a software package that must be installed on a system to run Java applications. Download the latest JRE version from the Java Software website http://www.java.com/. Installing JRE installs Java plug-ins, which, once installed, load automatically and transparently to render Java applets.

NOTE: The CLI terminal is supported on JRE version 1.4 and later only.
To access the CLI terminal, select Troubleshoot>CLI Terminal.
Related Topics

CLI User Interface Overview on page 57

Understanding J-Web Configuration Tools on page 66

Understanding J-Web Configuration Tools


The J-Web graphical user interface (GUI) allows you to monitor, configure,
troubleshoot, and manage the switching platform by means of a Web browser with
Hypertext Transfer Protocol (HTTP) or HTTP over Secure Sockets Layer (HTTPS)
enabled. The J-Web interface provides access to all the configuration statements
supported by the switch, so you can fully configure the switch without using the CLI.
The J-Web interface provides three methods of configuring the switch:

Configure menu

Point & Click CLI Editor

CLI Editor

Table 11 on page 67 gives a comparison of the three methods of configuration.


Table 11: Switching Platform Configuration Interfaces

Configure menu
    Description: Web browser pages for setting up the switch quickly and easily without configuring each statement individually. For example, use the Virtual Chassis Configuration page to configure the Virtual Chassis parameters on the switch.
    Function: Configure basic switch platform services:
        Interfaces
        Switching
        Virtual Chassis
        Security
        Services
        System Properties
        Routing
    Use: Use for basic configuration.

Point & Click CLI editor
    Description: Web browser pages divided into panes in which you can do any of the following:
        Expand the entire configuration hierarchy and click a configuration statement to view or edit. The main pane displays all the options for the statement, with a text box for each option.
        Paste a complete configuration hierarchy into a scrollable text box, or edit individual lines.
        Upload or download a complete configuration.
        Roll back to a previous configuration.
        Create or delete a rescue configuration.
    Function: Configure all switching platform services:
        System parameters
        User Accounting and Access
        Interfaces
        VLAN properties
        Virtual Chassis properties
        Secure Access
        Services
        Routing protocols
    Use: Use for complete configuration if you are not familiar with the JUNOS CLI or prefer a graphical interface.

CLI editor
    Description: Interface in which you do any of the following:
        Type commands on a line and press Enter to create a hierarchy of configuration statements.
        Create an ASCII text file that contains the statement hierarchy.
        Upload a complete configuration, or roll back to a previous configuration.
        Create or delete a rescue configuration.
    Function: Configure all switching platform services:
        System parameters
        User Accounting and Access
        Interfaces
        VLAN properties
        Virtual Chassis properties
        Secure Access
        Services
        Routing protocols
    Use: Use for complete configuration if you know the JUNOS CLI or prefer a command interface.

Related Topics

Understanding J-Web User Interface Sessions on page 76

J-Web User Interface for EX Series Switches Overview on page 61

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

Configuration Files Terms on page 104

Starting the J-Web Interface


You can use the J-Web graphical interface to configure and manage the EX Series
switch.
To start the J-Web interface:

1. Launch your HTTP-enabled or HTTPS-enabled Web browser.
To use HTTPS, you must have installed a certificate on the switch and enabled HTTPS.

2. After http:// or https:// in your Web browser, type the hostname or IP address of the switch and press Enter.
The J-Web login page appears.

3. On the login page, type your username and password, and click Log In.
To correct or change the username or password you typed, click Reset, type the new entry or entries, and click Log In.

NOTE: The default username is root with no password. You must change this during initial configuration or the system does not accept the configuration.
The Chassis Dashboard information page appears.
To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Related Topics

J-Web User Interface for EX Series Switches Overview on page 61

Understanding How to Use the J-Web Interface to View System Information

Dashboard for EX Series Switches


When you log in to the J-Web user interface, the dashboard for the EX Series switch
appears. Use the dashboard to view system information.
The dashboard comprises four panels and a graphical chassis viewer. You can click
Preferences to choose which panels are to be displayed and set the refresh interval
for chassis viewer information. Click OK to save your preference changes and return
to the dashboard or click Cancel to return to the dashboard without saving changes.

NOTE: You can drag and drop the various panels to different locations in the J-Web
window.


This topic describes:

System Information Panel on page 69

Health Status Panel on page 69

Capacity Utilization Panel on page 70

Alarms Panel on page 70

Chassis Viewer on page 72

System Information Panel


Table 12: System Information Panel

System name
    Indicates the local name of the EX Series switch.

Device model
    Indicates the model of the EX Series switch chassis.
    NOTE: For an EX8208 switch chassis or an EX8216 switch chassis, the Device model information changes with respect to the selected line card, Switch Fabric and Routing Engine (SRE) module in EX8208 switch, or Routing Engine (RE) module in EX8216 switch.

Inventory details
    Indicates the following:
    For EX3200 switches and for EX4200 switches not configured as Virtual Chassis, the value in Inventory is always 1 FPC. FPC is a legacy term for a slot in a large Juniper Networks chassis; here, it simply refers to the single switch.
    For an EX4200 switch configured as a Virtual Chassis, the value in Inventory is displayed as 1-10 FPC, with the number corresponding to the number of member switches.
    For an EX8208 switch, the values in Inventory are displayed as 1-3 CB and 0-8 FPC. Control board (CB) refers to SRE and SF modules.
    For an EX8216 switch, the values in Inventory are displayed as 1-2 CB and 0-16 FPC. Control board (CB) refers to RE and SF modules. FPC refers to line cards.

JUNOS image
    Indicates the version of the JUNOS image.

Boot image
    Indicates the version of the boot image that is used.

Device uptime
    Indicates the time since the last reboot.

Last configured time
    Indicates the time when the switch was last configured.

Health Status Panel


Table 13: Health Status

EX3200 and EX4200 Switches

Memory util.
    Indicates the memory used in the Routing Engine. In a Virtual Chassis configuration, the memory utilization value of the master Routing Engine is displayed.

Flash
    Indicates the usage and capacity of internal flash memory and any external USB flash drive.

Temperature
    Indicates the chassis temperature status. The possible values are OK, High, and Shutdown.

CPU load
    Indicates the CPU usage on the switch.

Fan Status
    Indicates the fan status of the switch. The possible values are OK, Failed, and Absent.

EX8208 Switches

Memory util.
    Indicates the memory used in the Routing Engine. If there are two Routing Engines, the memory utilization value of the master is displayed.

CPU load
    Indicates the CPU usage on the switch.

Flash
    Indicates the usage and capacity of internal flash memory and any external USB flash drive.

EX8216 Switches

Memory util.
    Indicates the memory used in the Routing Engine. If there are two Routing Engines present, the memory utilization value of the master is displayed.

CPU load
    Indicates the CPU usage on the switch.

Flash
    Indicates the usage and capacity of internal flash memory and any external USB flash drive.

Capacity Utilization Panel


Table 14: Capacity Utilization

Number of active ports
    Indicates the number of active ports in the switch.

Total number of ports
    Indicates the number of ports in the switch.

Used-up MAC-Table entries
    Indicates the number of MAC-Table entries.

Supported MAC-Table entries
    Indicates the maximum number of MAC-Table entries permitted.

Number of VLANs configured
    Indicates the number of configured VLANs.

Number of VLANs supported
    Indicates the maximum number of VLANs that are supported.

Alarms Panel
Displays information about the last five alarms raised in the system. For example, if there are 5 major alarms, then details for all 5 major alarms are displayed. If there are 4 major alarms and 3 minor alarms, then details of the 4 major alarms and 1 minor alarm are displayed. Major alarms are displayed in red and minor alarms are displayed in yellow.

Chassis Viewer
You can click the Rear View button to see the back of the chassis image. Click Front
View to see the front of the image. In a Virtual Chassis configuration, the Rear View
button is disabled if the switch is not selected.

Table 15 on page 72 describes the chassis viewer for EX3200 and EX4200 switches.

Table 16 on page 73 describes the chassis viewer for the EX8208 switch.

Table 17 on page 74 describes the chassis viewer for the EX8216 switch.

Table 15: Chassis Viewer for EX3200 and EX4200 Switches

Front View

Interface status
    In the image, the colors listed below denote the interface status:
    Green: Interface is up and operational.
    Yellow: Interface is up but is nonoperational.
    Gray: Interface is down and nonoperational.
    Hover the mouse pointer over the interface to view more information.
    For a Virtual Chassis configuration, select the switch to view the interface status.
    If an SFP+ uplink module is installed in the switch, hover the mouse pointer over the port icon to display whether the module is configured to operate in 1G mode or 10G mode. If the module is configured to operate in 1G mode, the tool tip information is displayed for all the 4 ports. If the module is configured to operate in 10G mode, the tool tip information is displayed only for 2 ports.
    For SFP, SFP+, and XFP ports, the interfaces appear dimmed if no transceiver is inserted. The chassis viewer displays Transceiver not plugged-in when you hover the mouse pointer over the port icon.

LCD panel
    LCD panel configured for the LEDs on the ports. Hover the mouse pointer over the icon to view the current character display.

Rear View of the EX3200 Switch

Management port
    The management port is used to connect the switch to a management device for out-of-band management.

Console port
    The console port is used to connect the switch to a management console or to a console server. (You might do this for initial switch configuration.)

USB port
    Indicates the USB port for the switch.
    NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch.

Fan tray
    Hover the mouse pointer over the fan tray icon to display Name, Status, and Description information.

Power supply
    Hover the mouse pointer over the power supply icon to display Name, Status, and Description information.

Rear View of the EX4200 Switch

Fan tray
    Hover the mouse pointer over the fan tray icon to display Name, Status, and Description information. For a Virtual Chassis, the status of the fans of the selected member switch is displayed.

Virtual Chassis port
    Displayed only when switches are configured as a Virtual Chassis. The colors listed below denote the Virtual Chassis port (VCP) status:
    Green: VCP is up and operational.
    Yellow: VCP is up but is nonoperational.
    Gray: VCP is down and nonoperational.

USB port
    Indicates the USB port for the switch.
    NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch.

Management port
    The management port is used to connect the switch to a management device for out-of-band management.

Console port
    The console port is used to connect the switch to a management console or to a console server. (You might do this for initial switch configuration.)

Power supplies
    Hover the mouse pointer over the power supply icons to display Name, Status, and Description information.

Table 16: Chassis Viewer for EX8208 Switches

Front View

Interface status
    In the image, click any line card, SRE module, or SF module to view the front view of the selected component. The colors listed below denote the interface status:
    Green: Interface is up and operational.
    Yellow: Interface is up but is nonoperational.
    Gray: Interface is down and nonoperational.
    Hover the mouse pointer over the port to view more information.
    You can view status for the following ports on the SRE module:
    USB port: Indicates the USB port for the switch. NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch.
    Auxiliary port: This port is not enabled on the switch. It is reserved for future use.
    Management port: The management port is used to connect the switch to a management device for out-of-band management.
    Console port: The console port is used to connect the switch to a management console or to a console server. (You might do this for initial switch configuration.)
    Because the SF module has no ports, no status information is displayed.

Slot numbers
    Slots on the switch are labeled, from the top of the switch down:
    0-3 (line cards)
    SRE0, SF, SRE1 (SRE and SF modules)
    4-7 (line cards)

Temperature
    The active slots contain a gray temperature icon. Hover the mouse pointer over the icon to display temperature information for the slot.

Fan status
    Hover the mouse pointer over the fan tray icon to display Name, Status, and Description information.

Power supplies
    Hover the mouse pointer over the power supply icons to display Name, Status, and Description information.

LCD panel
    LCD panel configured for the LEDs on the ports. Hover the mouse pointer over the icon to view the current character display.

Rear View
    The EX8208 switch does not have any components on the rear of the chassis.

Table 17: Chassis Viewer for EX8216 Switches

Field and Description

Front View

  Interface status: In the image, click any line card or RE module to view the front view of the selected component. The colors listed below denote the interface status:

    Green: Interface is up and operational.

    Yellow: Interface is up but is nonoperational.

    Gray: Interface is down and nonoperational.

  Hover the mouse pointer over the port to view more information. You can view status for the following ports on the RE module:

    USB port: Indicates the USB port for the switch.

    NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch.

    Auxiliary port: This port is not enabled on the switch. It is reserved for future use.

    Management port: The management port is used to connect the switch to a management device for out-of-band management.

    Console port: The console port is used to connect the switch to a management console or to a console server. (You might do this for initial switch configuration.)

  Because the SF module has no ports, no status information is displayed.

  Slot numbers: Slots on the switch are labeled, from the top of the switch down:

    RE0 (RE module)

    RE1 (RE module)

    0–15 (line cards)

  Temperature: The active slots contain a gray temperature icon. Hover the mouse pointer over the icon to display temperature information for the slot.

  Fan status: Hover the mouse pointer over the fan tray icon to display consolidated fan information.

  Power supplies: Hover the mouse pointer over the power supply icons to display Name, Status, and Description information.

  LCD panel: LCD panel configured for the LEDs on the ports. Hover the mouse pointer over the icon to view the current character display.

Rear View

  SF Modules: Hover the mouse pointer over the SF module icons in their respective slots to display information. Slots are numbered SF7–SF0, from left to right.

Related Topics

J-Web User Interface for EX Series Switches Overview on page 61

Checking Active Alarms with the J-Web Interface on page 156

EX3200 and EX4200 Switches Hardware Overview on page 24

EX8208 Switch Hardware Overview on page 27

EX8216 Switch Hardware Overview on page 31


Understanding J-Web User Interface Sessions


You establish a J-Web session with the switch through an HTTP-enabled or
HTTPS-enabled Web browser. The HTTPS protocol, which uses 128-bit encryption,
is available only in domestic versions of the Juniper Networks JUNOS Software. To
use HTTPS, you must have installed a certificate on the switch and enabled HTTPS.
See Generating SSL Certificates to Be Used for Secure Web Access on page 136.
When you attempt to log in through the J-Web interface, the switch authenticates
your username with the same methods used for Telnet and SSH.
If the switch does not detect any activity through the J-Web interface for 15 minutes,
the session times out and is terminated. You must log in again to begin a new session.
To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Related Topics

J-Web User Interface for EX Series Switches Overview on page 61

Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 133

Part 4

Initial Configuration, Software Installation, and Upgrades

Initial Configuration on page 79

Software Installation on page 85

Configuration File Management on page 103

Licenses on page 121

Chapter 5

Initial Configuration

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

Connecting and Configuring an EX Series Switch (CLI Procedure)


There are two ways to connect and configure an EX Series switch: one method is
through the console using the CLI and the other is using the J-Web interface. This
topic describes the CLI procedure.
Before you begin connecting and configuring an EX Series switch through the console
using the CLI, set the following parameter values in the console server or PC:

Baud Rate: 9600

Flow Control: None

Data: 8

Parity: None

Stop Bits: 1

DCD State: Disregard

To configure the switch from the console:

1. Connect the console port to a laptop or PC using the RJ-45 to DB-9 serial port
adapter. The RJ-45 cable and RJ-45 to DB-9 serial port adapter are supplied with
the switch. The console port in EX3200 and EX4200 switches is located on the
rear panel of the switch. The console port in EX8208 switches is located on the
Switch Fabric and Routing Engine (SRE) module in slot SRE0 on the switch
chassis. The console port in EX8216 switches is located on the Routing Engine
(RE) module in slot RE0 on the switch chassis.

NOTE: Ensure that the switch is in factory default mode. The ezsetup script will work
through the shell prompt only if the switch is in factory default mode. You can
transition the switch into factory default mode using the LCD panel. See LCD Panel
in an EX8200 Switch or LCD Panel in EX3200 and EX4200 Switches.

2. At the JUNOS shell prompt root%, type ezsetup.

3. Enter the hostname. This is optional.

4. Enter the root password you plan to use for this device. You are prompted to
re-enter the root password.

5. Enter yes to enable services like Telnet and SSH. By default, Telnet is not enabled
and SSH is enabled.

NOTE: When Telnet is enabled, you will not be able to log in to an EX Series switch
through Telnet using root credentials. Root login is allowed only for SSH access.

6. Next, select one of the switch management options:

   EX3200 or EX4200 switch:

     Configure in-band management. In this scenario you have the following two options:

       Use the default VLAN.

       Create a new VLAN: If you select this option, you are prompted to specify the VLAN name, VLAN ID, management IP address, and default gateway. Select the ports that must be part of this VLAN.

     Configure out-of-band management. Specify the IP address and gateway of the management interface. Use this IP address to connect to the switch.

   EX8200 switch: Configure out-of-band management. Specify the IP address and gateway of the management interface. Use this IP address to connect to the switch.

7. Specify the SNMP Read Community, Location, and Contact to configure SNMP
parameters. These parameters are optional.

8. Specify the system date and time. Select the time zone from the list. These
options are optional.

The configured parameters are displayed. Enter yes to commit the configuration.
The configuration is committed as the active configuration for the switch. You can
now log in with the CLI or the J-Web interface to continue configuring the switch. If
you use the J-Web interface to continue configuring the switch, the Web session is
redirected to the new management IP address. If the connection cannot be made,
the J-Web interface displays instructions for starting a J-Web session.
Related Topics

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

Installing and Connecting an EX3200 or EX4200 Switch

Installing and Connecting an EX8208 Switch

EX3200 and EX4200 Switches Hardware Overview on page 24

EX8208 Switch Hardware Overview on page 27

EX8216 Switch Hardware Overview on page 31

EX Series Switch Software Features Overview on page 3

Connecting and Configuring an EX Series Switch (J-Web Procedure)


There are two ways to connect and configure an EX Series switch: one method is
through the console using the CLI and the other is using the J-Web interface. This
topic describes the J-Web procedure.
To connect and configure an EX Series switch using the J-Web interface:

1. Connect the Ethernet cable from the Ethernet port on the PC to the switch.

   EX3200 or EX4200 switch: Connect the cable to port 0 (ge-0/0/0) on the front panel of the switch. The ge-0/0/0 interface is configured as the DHCP server with the default IP address, 192.168.1.1.

   EX8208 switch: Connect the cable to the port labeled MGMT on the Switch Fabric and Routing Engine (SRE) module in slot SRE0 on the switch chassis. The MGMT port on the SRE module in slot SRE0 is configured as the DHCP server with the default IP address, 192.168.1.1.

   EX8216 switch: Connect the cable to the port labeled MGMT on the Routing Engine (RE) module in slot RE0 on the switch chassis. The MGMT port on the RE module in slot RE0 is configured as the DHCP server with the default IP address, 192.168.1.1.

   The switch can assign an IP address to the management PC in the IP address range 192.168.1.2 through 192.168.1.253.

2. Transition the switch into initial setup mode using the Menu and Enter buttons located to the right of the LCD panel (see Figure 6 on page 81).

Figure 6: LCD Panel in EX Series Switches

   To transition the switch into initial setup mode:

   Press Menu until you see MAINTENANCE MENU. Then press Enter.

   Press Menu until you see ENTER EZSetup. Then press Enter. If EZSetup does not appear as an option in the Maintenance menu, select Factory Default to return the switch to the factory default configuration. EZSetup is displayed in the menu only when the switch is set to the factory default configuration.


   Press Enter to confirm setup and continue with EZSetup.

   If you have configured a static IP address on your PC, you will not be able to connect to the switch. To obtain an IP address dynamically, you must enable a DHCP client on the management PC you connect to the switch.

NOTE: You must complete the initial configuration using the J-Web interface within
10 minutes. The LCD displays a count-down timer once you connect the switch to
the management PC. The switch exits the EZSetup mode after 10 minutes and reverts
to the default factory configuration, and the PC loses connectivity to the switch.

3. From the PC, open a Web browser, type http://192.168.1.1 in the address field, and press Enter.

4. On the J-Web login page, type root as the username, leave the password field blank, and click Login.

5. On the Introduction page, click Next.

6. On the Basic Settings page, modify the hostname, the root password, and date and time settings:

   Enter the hostname. This is optional.

   Enter a password and reenter the password.

   Specify the time zone.

   Synchronize the date and time settings of the switch with the management PC or set them manually by selecting the appropriate option button. This is optional.

   Click Next.

7. Use the Management Options page to select the management scenario:

   EX3200 or EX4200 switch:

     In-band Management - Use VLAN 'default' for management. Select this option to configure all data interfaces as members of the default VLAN. Click Next. Specify the management IP address and the default gateway for the default VLAN.

     In-band Management - Create new VLAN for management. Select this option to create a management VLAN. Click Next. Specify the VLAN name, VLAN ID, member interfaces, management IP address, and default gateway for the new VLAN.

     Out-of-band Management - Configure management port. Select this option to configure only the management interface. Click Next. Specify the IP address and default gateway for the management interface.


   EX8200 switch: Out-of-band Management - Configure management port. Select this option to configure only the management interface. Click Next. Specify the IP address and default gateway for the management interface.

8. Click Next.

9. On the Manage Access page, you may select options to enable Telnet, SSH, and SNMP services. For SNMP, you can configure the read community, location, and contact.

10. Click Next. The Summary screen displays the configured settings.

11. Click Finish.

The configuration is committed as the active switch configuration. You can now log
in with the CLI or the J-Web interface to continue configuring the switch.
If you use the J-Web interface to continue configuring the switch, the Web session
is redirected to the new management IP address. If the connection cannot be made,
the J-Web interface displays instructions for starting a J-Web session.

NOTE: After the configuration takes effect, you might lose connectivity between the
PC and the switch. To renew the connection, release and renew the IP address by
executing the appropriate commands on the management PC or by removing and
reinserting the Ethernet cable.
Related Topics

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

Installing and Connecting an EX3200 or EX4200 Switch

Installing and Connecting an EX8208 Switch

LCD Panel in EX3200 and EX4200 Switches

LCD Panel in an EX8200 Switch

EX3200 and EX4200 Switches Hardware Overview on page 24

EX8208 Switch Hardware Overview on page 27

EX8216 Switch Hardware Overview on page 31

EX Series Switch Software Features Overview on page 3


Chapter 6

Software Installation

Software Installation on page 85

Software Installation

Understanding Software Installation on EX Series Switches on page 85

JUNOS Software Package Names on page 87

Downloading Software Packages from Juniper Networks on page 88

Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure) on page 89

Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure) on page 90

Installing Software on EX Series Switches (J-Web Procedure) on page 94

Booting an EX Series Switch Using a Software Package Stored on a USB Flash Drive on page 97

Troubleshooting Software Installation on page 98

Upgrading Software Using Automatic Software Download on EX Series Switches on page 100

Verifying That Automatic Software Download Is Working Correctly on page 101

Understanding Software Installation on EX Series Switches


A Juniper Networks EX Series Ethernet Switch is delivered with Juniper Networks
JUNOS Software preinstalled. As new features and software fixes become available,
you must upgrade your software to use them. You can also downgrade JUNOS
Software to a previous release.
This topic covers:

Overview of the Software Installation Process on page 86

Software Package Security on page 86

Installing Software on a Virtual Chassis on page 86

Installing Software on EX8200 Switches with Redundant Routing Engines on page 86

Installing Software Using Automatic Software Download on page 87

Troubleshooting Software Installation on page 87

Overview of the Software Installation Process


An EX Series switch is delivered with JUNOS Software preinstalled. When you connect
power to the switch, it starts (boots) up from the installed software.
You upgrade JUNOS Software on an EX Series switch by copying a software package
to the switch or to another system on your local network and then using either the
J-Web interface or the CLI to install the new software package on the switch. Finally,
you reboot the switch, and it boots from the upgraded software. After a successful
upgrade, back up the new current configuration to a secondary device.
During a successful upgrade, the upgrade package removes all files from /var/tmp
and completely reinstalls the existing software. It retains configuration files, and
similar information, such as secure shell and host keys, from the previous version.
The previous software package is preserved in a separate disk partition, and you can
manually revert back to it if necessary. If the software installation fails for any reason,
such as loss of power during the installation process, the system returns to the
originally active installation when you reboot.

Software Package Security


All JUNOS Software is delivered in signed packages. The digital signature in each
package ensures that the software is official Juniper Networks software. For more
information about signed software packages, see the JUNOS Software Installation
and Upgrade Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html.

Installing Software on a Virtual Chassis


You can connect individual Juniper Networks EX4200 Ethernet Switches together to
form one unit and manage the unit as a single chassis, called a Virtual Chassis. The
Virtual Chassis operates as a single network entity composed of members. Each
member of a Virtual Chassis runs a JUNOS Software package.
For ease of management, the Virtual Chassis provides flexible methods to upgrade
software releases. You can deploy a new software release to all members of a Virtual
Chassis or to only a particular member.

Installing Software on EX8200 Switches with Redundant Routing Engines


To install software on a Juniper Networks EX8200 Ethernet Switch that has two
Routing Engines with minimal network disruption, you perform a JUNOS Software
installation on each Routing Engine separately, starting with the backup. See Installing
Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure)
on page 90.


Installing Software Using Automatic Software Download


The automatic software download feature uses the DHCP message exchange process
to download and install software packages. You define a path to a software package
on the DHCP server, and the DHCP server communicates this path to EX Series
switches acting as DHCP clients as part of the DHCP message exchange. A DHCP
client switch that has been configured for automatic software download receives
these messages and, when the software package name in the DHCP server message
differs from the name of the software package that the switch booted from, downloads
and installs that software package. See Upgrading Software Using Automatic Software
Download on EX Series Switches on page 100.

Troubleshooting Software Installation


If the JUNOS Software loads but the CLI is not working for any reason, or if the switch
has no software installed, you can use the recovery installation procedure to install
the software on the switch. See Troubleshooting Software Installation on page 98.

NOTE: You can also use this procedure to load two versions of JUNOS Software in
separate partitions on the switch.
Related Topics

Downloading Software Packages from Juniper Networks on page 88

Installing Software on EX Series Switches (J-Web Procedure) on page 94

Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure) on page 89

Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure) on page 90

JUNOS Software Package Names


You upgrade the Juniper Networks JUNOS Software on a Juniper Networks EX Series
Ethernet Switch by copying a software package to your switch or to another system on
your local network and then installing the new software package on the switch.
A software package name is in the following format:

package-name-m.nZx.y-domestic-signed.tgz

where:

package-name is the name of the package, for example, jinstall-ex-4200.

m.n is the software release, with m representing the major release number and n representing the minor release number, for example, 9.5.

Z indicates the type of software release, where R indicates released software and B indicates beta-level software.

x.y represents the version of the major software release (x) and an internal tracking number (y), for example, 1.6.

domestic-signed is appended to all EX Series package names. For most JUNOS packages, domestic is used for the United States and Canada and export for worldwide distribution. However, for EX Series software, domestic is used for worldwide distribution as well.

A sample EX Series software package name is:

jinstall-ex-4200-9.5R1.6-domestic-signed.tgz
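The package-name grammar above, together with the automatic-software-download rule from Understanding Software Installation on EX Series Switches (a client installs when the package name offered by the DHCP server differs from the name of the package it booted from), as an added Python example. This is example code written for this page, not Juniper's own tooling. It is run against the guide's sample package names; the refusal of a package whose name prefix belongs to a different switch family is this example's own guard and not a rule stated in the guide, and the ordering of R releases after B releases within the same m.n is likewise this example's convention.

```python
"""Parse JUNOS EX Series package names of the form
package-name-m.nZx.y-domestic-signed.tgz and decide what an
automatic-software-download client should do with an offered package."""
import re
from dataclasses import dataclass
from typing import Optional

# Grammar from the guide: package-name, m.n release, Z in {R, B}, x.y build,
# then "domestic-signed.tgz".  "export" is accepted as well because other JUNOS
# platforms use it; EX Series packages are always "domestic".
_PACKAGE_RE = re.compile(
    r"^(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*?)"      # e.g. jinstall-ex-4200 (lazy: stops before m.n)
    r"-(?P<major>\d+)\.(?P<minor>\d+)"           # m.n, e.g. 9.5
    r"(?P<kind>[RB])"                            # R released, B beta
    r"(?P<build>\d+)(?:\.(?P<spin>\d+))?"        # x.y, e.g. 1.6 (y optional)
    r"-(?P<dist>domestic|export)-signed\.tgz$"
)


@dataclass(frozen=True)
class PackageName:
    name: str
    major: int
    minor: int
    kind: str
    build: int
    spin: Optional[int]
    distribution: str

    @property
    def release(self) -> str:
        """Release string in the form 'show version' prints it, e.g. 9.5R1.6."""
        base = f"{self.major}.{self.minor}{self.kind}{self.build}"
        return base if self.spin is None else f"{base}.{self.spin}"

    @property
    def is_beta(self) -> bool:
        return self.kind == "B"

    def sort_key(self):
        # Numeric ordering of releases; an R release sorts after a B release of
        # the same m.n (this example's convention, not stated in the guide).
        return (self.major, self.minor, 1 if self.kind == "R" else 0,
                self.build, self.spin or 0)


def is_valid_package_name(path: str) -> bool:
    """True when the file name part of path follows the EX Series grammar."""
    return _PACKAGE_RE.match(path.rsplit("/", 1)[-1]) is not None


def parse_package_name(path: str) -> PackageName:
    """Parse a package file name or path; raise ValueError on a malformed name."""
    filename = path.rsplit("/", 1)[-1]
    m = _PACKAGE_RE.match(filename)
    if m is None:
        raise ValueError(f"not a JUNOS EX package name: {filename!r}")
    spin = m.group("spin")
    return PackageName(
        name=m.group("name"),
        major=int(m.group("major")),
        minor=int(m.group("minor")),
        kind=m.group("kind"),
        build=int(m.group("build")),
        spin=int(spin) if spin is not None else None,
        distribution=m.group("dist"),
    )


def auto_download_action(booted: str, offered: str) -> str:
    """Decide what an automatic-software-download client should do.

    The guide's rule is simply: install when the offered name differs from the
    booted one.  The platform guard (refuse a package whose name prefix differs,
    such as jinstall-ex-8200 offered to a switch that booted jinstall-ex-4200)
    is added in this example; the remaining outcomes label the direction of the
    change so an operator can see whether a downgrade is about to happen.
    """
    b = parse_package_name(booted)
    o = parse_package_name(offered)
    if b.name != o.name:
        return "refuse"
    if b == o:
        return "no-op"
    return "upgrade" if o.sort_key() > b.sort_key() else "downgrade"


if __name__ == "__main__":
    booted = "jinstall-ex-4200-9.4R1.8-domestic-signed.tgz"
    offered = "jinstall-ex-4200-9.5R1.6-domestic-signed.tgz"
    print(parse_package_name(offered).release, auto_download_action(booted, offered))
```

The parser accepts a path such as /var/tmp/jinstall-ex-8200-9.5R1.5-domestic-signed.tgz as well as a bare file name, so the same function can check an argument before it is passed to request system software add.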

Related Topics

Installing Software on EX Series Switches (J-Web Procedure) on page 94

Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure) on page 89

Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure) on page 90

Downloading Software Packages from Juniper Networks on page 88

Understanding Software Installation on EX Series Switches on page 85

Downloading Software Packages from Juniper Networks


You can download the JUNOS Software packages from the Juniper Networks website
to upgrade software on your EX Series switch.
Before you begin to download software upgrades, ensure that you have a Juniper
Networks Web account and a valid support contract. To obtain an account, complete
the registration form at the Juniper Networks website:
https://www.juniper.net/registration/Register.jsp.
To download software upgrades from Juniper Networks:

1. Using a Web browser, follow the links to the download URL on the Juniper Networks webpage. For EX Series, there are not separate software packages for Canada, the U.S., and other locations. Therefore, select Canada and U.S. Version regardless of your location:

https://www.juniper.net/support/csc/swdist-domestic/

2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.

3. Using the J-Web interface or the CLI, select the appropriate software package for your application. See JUNOS Software Package Names on page 87.

4. Download the software to a local host or to an internal software distribution site.

Related Topics

Installing Software on EX Series Switches (J-Web Procedure) on page 94

Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure) on page 89

Understanding Software Installation on EX Series Switches on page 85

Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure)
You can use this procedure to upgrade the JUNOS Software on an EX Series switch
with a single Routing Engine, including an individual member of a Virtual Chassis or
all members of a Virtual Chassis, or an EX8200 switch using a single Routing Engine.
To upgrade software on an EX8200 switch running two Routing Engines, see
Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI
Procedure) on page 90.
To install software upgrades on an EX Series switch with a single Routing Engine
using the CLI:
1. Download the software package as described in Downloading Software Packages from Juniper Networks on page 88.

2. (Optional) Back up the current software configuration to a second storage option. See the JUNOS Software Installation and Upgrade Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html for instructions on performing this task.

3. (Optional) Copy the software package to the switch. We recommend that you use FTP to copy the file to the /var/tmp directory.
This step is optional because the JUNOS Software can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.

4. Install the new package on the switch:

NOTE: A reboot, which will occur as part of the execution of the following command,
is required to complete the software upgrade. If you want to reboot the switch at a
later time, do not use the reboot option at this point of the procedure and enter the
request system reboot command at a later time to reboot the switch.

user@switch> request system software add source reboot

Replace source with one of the following paths:

   For a software package that is installed from a local directory on the switch: /pathname/package-name-m.nZx-distribution.tgz

   For a software package that is downloaded and installed from a remote location:

   ftp://hostname/pathname/package-name-m.nZx-distribution.tgz

   http://hostname/pathname/package-name-m.nZx-distribution.tgz

   where package-name-m.nZx-distribution.tgz is, for example, jinstall-ex-4200-9.4R1.8-domestic-signed.tgz.

Include the optional member option to install the software package on only one member of a Virtual Chassis:

user@switch> request system software add source member member-id reboot

Other members of the Virtual Chassis are not affected. To install the software on all members of the Virtual Chassis, do not include the member option.

5. After the reboot has completed, log in and verify that the new version of the software is properly installed:

user@switch> show version

Related Topics

Installing Software on EX Series Switches (J-Web Procedure) on page 94

Troubleshooting Software Installation on page 98

JUNOS Software Package Names on page 87

See the JUNOS Software System Basics and Services Command Reference at http://www.juniper.net/techpubs/software/junos/junos95/index.html for details about the request system software add command.

Understanding Software Installation on EX Series Switches on page 85

Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure)
For an EX8200 switch with redundant Routing Engines, you can minimize disrupting
network operation during a JUNOS Software upgrade by upgrading the Routing
Engines separately, starting with the backup Routing Engine.
To upgrade the software package on an EX8200 switch with one installed Routing
Engine, see Installing Software on an EX Series Switch with a Single Routing Engine
(CLI Procedure) on page 89.
Install the new JUNOS Software release on the backup Routing Engine while keeping
the currently running software version on the master Routing Engine. After making
sure that the new software version is running correctly on the backup Routing Engine,
switch device control to the backup Routing Engine. Finally, install the new software
on the new backup Routing Engine.
To upgrade the JUNOS Software on the switch, perform the following tasks:
1. Preparing the Switch for the Software Installation on page 90
2. Installing Software on the Backup Routing Engine on page 92
3. Installing Software on the Default Master Routing Engine on page 93
4. Returning Routing Control to the Default Master Routing Engine (Optional) on page 94

Preparing the Switch for the Software Installation


Perform the following steps before installing the software:

1. Log in to the master Routing Engine's console.
For information on logging in to the Routing Engine through the console port, see Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79.

2. Enter the JUNOS Software CLI configuration mode:

   a. Start the CLI from the shell prompt:

   user@switch:RE% cli

   You will see:

   {master}
   user@switch>

   b. Enter configuration mode:

   user@switch> configure

   You will see:

   {master}[edit]
   user@switch#

3. Disable GRES (graceful Routing Engine switchover):

[edit]
user@switch# deactivate chassis redundancy graceful-switchover

4. Save the configuration change on both Routing Engines:

[edit]
user@switch# commit synchronize

NOTE: To ensure the most recent configuration changes are committed before the
software upgrade, perform this step even if GRES was previously disabled.

5. Exit the CLI configuration mode:

[edit]
user@switch# exit

6. (Optional) Back up the current software configuration to a second storage option. See the JUNOS Software Installation and Upgrade Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html for instructions on performing this task.


Installing Software on the Backup Routing Engine


Once the EX8200 switch is ready, you first install the software on the backup Routing
Engine. This enables the master Routing Engine to continue operations, minimizing
the disruption to your network.

1. Download the software by following the procedures in Downloading Software Packages from Juniper Networks on page 88.

2. Copy the software package to the switch. We recommend that you use FTP to copy the file to the /var/tmp directory.

3. Log in to the backup Routing Engine's console.

4. Install the new software package:

user@switch> request system software add validate /var/tmp/package-name-m.nZx-distribution.tgz

where package-name-m.nZx-distribution.tgz is, for example, jinstall-ex-8200-9.5R1.5-domestic-signed.tgz.
For more information on the request system software add command, see the JUNOS Software System Basics and Services Command Reference at http://www.juniper.net/techpubs/software/junos/junos95/index.html.

NOTE: To abort the installation, do not reboot your device; instead, finish the
installation and then issue the request system software delete
package-name-m.nZx-distribution.tgz command, where
package-name-m.nZx-distribution.tgz is, for example,
jinstall-ex-4200-9.4R1.5-domestic-signed.tgz. This is your last chance to stop the
installation.

5. Reboot to start the new software:

user@switch> request system reboot
Reboot the system? [yes, no] (no) yes

NOTE: You must reboot the switch to load the new installation of the JUNOS Software.

6. After the reboot has completed, log in and verify that the new version of the software is properly installed:

user@switch> show version


Installing Software on the Default Master Routing Engine


To switch device control to the backup Routing Engine and then upgrade or
downgrade the master Routing Engine software:
1. Log in to the master Routing Engine console port.

2. Transfer device control to the backup Routing Engine:

user@switch> request chassis routing-engine master switch

NOTE: Because GRES is disabled, this switchover causes all line cards in the switch
to reload. All network traffic passing through these line cards is lost during the line
card reloads.

3. Verify that the default backup Routing Engine (shown as slot 1 in the command output) is now the master Routing Engine:

user@switch> show chassis routing-engine

You will see:

Routing Engine status:
  Slot 0:
    Current state                  Backup
    Election priority              Master (default)
Routing Engine status:
  Slot 1:
    Current state                  Master
    Election priority              Backup (default)

4. Install the new software package using the request system software add command:

user@switch> request system software add validate
/var/tmp/jinstall-ex-8200-9.5R1.5-domestic-signed.tgz

5. Reboot the Routing Engine:

user@switch> request system reboot
Reboot the system? [yes, no] (no) yes

When the reboot completes, the prompt will reappear. Wait for this prompt to reappear before proceeding to the next step.

6. Log in to the default backup Routing Engine (slot 1) through the console port.

7. Re-enable GRES:

[edit]
user@switch# activate chassis redundancy graceful-switchover

Re-enabling GRES allows any future Routing Engine switchovers to occur without the loss of any network traffic.

8. Enter the commit synchronize command to save the configuration change:

Installing Software on the Default Master Routing Engine

93

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

[edit]
user@switch# commit synchronize
9.

Log in and verify the version of the software installed.


If you want to return routing control to the Routing Engine that was the master
Routing Engine at the beginning of the procedure (the default master Routing
Engine), perform the next task.

Returning Routing Control to the Default Master Routing Engine (Optional)

The switch can maintain normal operations with the Routing Engine in slot 1 acting
as the master Routing Engine after the software upgrade, so only perform this task
if you want to return routing control to the default master Routing Engine in slot 0.

1. Transfer routing control back to the default master Routing Engine:

   user@switch> request chassis routing-engine master switch

2. Verify that the default master Routing Engine (slot 0) is indeed the master Routing
   Engine:

   user@switch> show chassis routing-engine

   You will see:

   Routing Engine status:
     Slot 0:
       Current state                  Master
       Election priority              Master (default)
   Routing Engine status:
     Slot 1:
       Current state                  Backup
       Election priority              Backup (default)

Related Topics

   Installing Software on EX Series Switches (J-Web Procedure) on page 94

   Troubleshooting Software Installation on page 98

   JUNOS Software Package Names on page 87

   Understanding Software Installation on EX Series Switches on page 85

   Understanding EX8208 Switch Component and Functionality Redundancy

Installing Software on EX Series Switches (J-Web Procedure)


You can upgrade software packages on a single fixed-configuration switch, on an
individual member of a Virtual Chassis, or for all members of a Virtual Chassis.


You can use the J-Web interface to install software upgrades from a server using FTP
or HTTP, or by copying the file to the EX Series switch.
This topic describes:
1. Installing Software Upgrades from a Server on page 95
2. Installing Software Upgrades by Uploading Files on page 95

Installing Software Upgrades from a Server

To install software upgrades from a remote server by using FTP or HTTP:

1. Download the software package as described in Downloading Software Packages
   from Juniper Networks on page 88.

2. Log in to the Juniper Networks authentication system using the username
   (generally your e-mail address) and password supplied by Juniper Networks
   representatives.

3. In the J-Web interface, select Maintain>Software>Install Package.

4. On the Install Remote page, enter information into the fields described in Table
   18 on page 95.

5. Click Fetch and Install Package. The software is activated after the switch has
   rebooted.

Table 18: Install Remote Summary

Field: Package Location (required)
  Function: Specifies the FTP or HTTP server, file path, and software package name.
  Your Action: Type the full address of the software package location on the FTP
  or HTTP server, one of the following:
    ftp://hostname/pathname/package-name
    http://hostname/pathname/package-name

Field: User
  Function: Specifies the username, if the server requires one.
  Your Action: Type the username.

Field: Password
  Function: Specifies the password, if the server requires one.
  Your Action: Type the password.

Field: Reboot If Required
  Function: If this box is checked, the switching platform is automatically rebooted
  when the upgrade is complete.
  Your Action: Check the box if you want the switching platform to reboot
  automatically when the upgrade is complete.

Installing Software Upgrades by Uploading Files

To install software upgrades by uploading files:

1. Download the software package.

2. In the J-Web interface, select Maintain>Software>Upload Package.

3. On the Upload Package page, enter information into the fields described in Table
   19 on page 96.

4. Click Upload Package. The software is activated after the switching platform has
   rebooted.

Table 19: Upload Package Summary

Field: File to Upload (required)
  Function: Specifies the location of the software package.
  Your Action: Type the location of the software package, or click Browse to
  navigate to the location.

Field: Reboot If Required
  Function: Specifies that the switching platform is automatically rebooted when
  the upgrade is complete.
  Your Action: Select the check box if you want the switching platform to reboot
  automatically when the upgrade is complete.

Related Topics

   Installing Software on an EX Series Switch with a Single Routing Engine (CLI
   Procedure) on page 89

   Understanding Software Installation on EX Series Switches on page 85

   Troubleshooting Software Installation on page 98

Booting an EX Series Switch Using a Software Package Stored on a USB Flash Drive

You can download a software package onto a USB flash drive from a computer or
any other device that can be used to download a package from the Internet to the
USB flash drive. The USB flash drive storing the JUNOS software package can then
be removed from the computer or other device and placed into the USB port on the
EX Series switch. If an EX Series switch displays the prompt for the loader script,
you can use a JUNOS software package that you have stored on the USB flash drive
to boot the switch.

NOTE: The USB flash drive is not accessible from the CLI prompt on EX Series
switches, and files cannot be copied from any other memory system on the EX Series
switch to the USB flash drive.

NOTE: Ensure that you have the following tools and parts available to boot the switch
from a USB flash drive:

   A USB flash drive that meets the EX Series switch USB port specifications. See
   USB Port Specifications for an EX Series Switch.

   A computer or other device that you can use to download the software package
   from the Internet and copy it to the USB flash drive.

To boot an EX Series switch using a software package on the USB flash drive:

1. Download the JUNOS software package that you would like to place onto the EX
   Series switch from the Internet onto the USB flash drive using your computer or
   other device. See Downloading Software Packages from Juniper Networks on
   page 88.

2. Remove the USB flash drive from the computer or other device.

3. Insert the USB flash drive into the USB port on the EX Series switch.

4. This step can only be performed when the prompt for the loader script is
   displayed. For information on accessing this prompt, see Troubleshooting
   Software Installation on page 98.

   Install the software package onto the switch:

   loader> install source

   where source represents the name and location of the JUNOS software package
   on the USB flash drive. The JUNOS package on a flash drive is commonly stored
   in the root drive as the only file; for example,
   file:///jinstall-ex-4200-9.4R1.5-domestic-signed.tgz.

   The installation proceeds as normal and ends with a login prompt.


Related Topics

   See Rear Panel of an EX3200 Switch for USB port location.

   See Rear Panel of an EX4200 Switch for USB port location.

   See Switch Fabric and Routing Engine (SRE) Module in an EX8208 Switch for
   USB port location.

   See Routing Engine (RE) Module in an EX8216 Switch for USB port location.

   Installing Software on an EX Series Switch with a Single Routing Engine (CLI
   Procedure) on page 89

   Installing Software on EX Series Switches (J-Web Procedure) on page 94

   Understanding Software Installation on EX Series Switches on page 85

Troubleshooting Software Installation

   Recovering from a Failed Software Upgrade on an EX Series Switch on page 98

   Rebooting from the Inactive Partition on page 99

Recovering from a Failed Software Upgrade on an EX Series Switch

Problem

If the JUNOS Software loads but the CLI is not working for any reason, or if the switch
has no software installed, you can use this recovery installation procedure to install
the JUNOS Software.

Solution

If there is already a JUNOS image on the system, you can install the new JUNOS
package in a separate partition and both JUNOS images will remain on the system,
or you can wipe the disk clean before the new installation proceeds.

If there is no JUNOS image on the system, follow the instructions in Booting an EX
Series Switch Using a Software Package Stored on a USB Flash Drive on page 97 to
get an image on the system and boot the switch.

To perform a recovery installation:

1. Power on the switch. The loader script starts.

   After the message Loading /boot/defaults/loader.conf displays, you are prompted
   with:

   Hit [Enter] to boot immediately, or space bar for command prompt.

2. Press the space bar to enter the manual loader. The loader> prompt displays.

3. Enter the following command:

   loader> install [--format] [--external] source

   where:

   --format: Use this option to wipe the installation media before installing the
   software package. If you do not include this option, the system installs the
   new JUNOS Software package in a different partition from that of the most
   recently installed JUNOS Software package.

   --external: Use this option to install the software package onto an external
   media.

   source: Represents the name and location of the JUNOS Software package,
   either on a server on the network or as a file on the USB flash drive:

      Network address of the server and the path on the server; for example,
      tftp://192.17.1.28/junos/jinstall-ex-4200-9.4R1.5-domestic-signed.tgz

      The JUNOS package on a USB device is commonly stored in the root
      drive as the only file; for example,
      file:///jinstall-ex-4200-9.4R1.5-domestic-signed.tgz

   The boot process proceeds as normal and ends with a login prompt.

Rebooting from the Inactive Partition

Problem

An EX Series switch ships with the JUNOS Software loaded on the system disk in
partition 1. The first time you upgrade, the new software package is installed in
partition 2. When you finish the installation and reboot, partition 2 becomes the
active partition. Similarly, subsequent software packages are installed in the inactive
partition, which becomes the active partition when you reboot at the end of the
installation process.

If you performed an upgrade and rebooted, the system resets the active partition.
You can use this procedure to manually boot from the inactive partition.

NOTE: If you have completed the installation of the software image but have not yet
rebooted, you can issue the request system software rollback command to return to
the original software installation package.

Solution

Reboot from the inactive partition:

   user@switch> request system reboot partition alternate

NOTE: If you cannot access the CLI, you can reboot from the inactive partition using
the following procedure from the loader script prompt:

1. Unload and clear the interrupted boot from the active partition:

   loader> unload
   loader> unset vfs.root.mountfrom

2. Select the new (inactive) partition to boot from:

   loader> set currdev=disk<media>s<partition>:

   where media is either 0 (internal) or 1 (external) and partition indicates the
   partition number, either 1 or 2. You must include the colon (:) at the end of this
   command.

3. Boot the JUNOS Software from the inactive partition:

   loader> boot

Related Topics

   Installing Software on an EX Series Switch with a Single Routing Engine (CLI
   Procedure) on page 89

   Installing Software on EX Series Switches (J-Web Procedure) on page 94

   Understanding Software Installation on EX Series Switches on page 85

Upgrading Software Using Automatic Software Download on EX Series Switches

The automatic software download feature uses the DHCP message exchange process
to download and install software packages. You configure the automatic software
download feature on EX Series switches acting as DHCP clients. You must enable
automatic software download on the EX Series switch before the software upgrade
can occur.

You configure a path to a software package file on the DHCP server. The server
communicates the path to the software package file through DHCP server messages.
If you enable automatic software download, the DHCP client EX Series switch
compares the software package name in the DHCP server message to the name of
the software package that booted the switch. If the software packages are different,
the DHCP client EX Series switch downloads and installs the software package
specified in the DHCP server message.

Before you upgrade software using automatic software download, ensure that you
have configured DHCP services for the switch, including configuring a path to a boot
server and a boot file. See the JUNOS Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html for information about
using the CLI to configure DHCP services and settings. See Configuring DHCP Services
(J-Web Procedure) on page 772 for information about using the J-Web interface to
configure DHCP services and settings.

To enable automatic software download on an EX Series switch acting as a DHCP
client:

   [edit chassis]
   user@switch# set auto-image-upgrade

Once automatic software download is enabled on your DHCP client EX Series switch
and once DHCP services are enabled on your network, an automatic software
download can occur at any time as part of the DHCP message exchange process.
If an automatic software download occurs, you see the following message on the
switch:

   Auto-image upgrade started
   On successful installation system will reboot automatically

The switch reboots automatically to complete the upgrade.


Related Topics

   Verifying That Automatic Software Download Is Working Correctly on page 101

   Understanding Software Installation on EX Series Switches on page 85

   DHCP Services for EX Series Switches Overview on page 763

Verifying That Automatic Software Download Is Working Correctly

Purpose

Verify that the automatic software download feature is working correctly.

Action

Use the show system services dhcp client interface-name command to verify that the
automatic software download feature has been used to install a software package.

   user@switch> show system services dhcp client ge-0/0/1.0
   Logical Interface Name            ge-0/0/1.0
   Hardware address                  00:0a:12:00:12:12
   Client Status                     bound
   Vendor Identifier                 ether
   Server Address                    10.1.1.1
   Address obtained                  10.1.1.89
   Lease Obtained at                 2009-08-20 18:13:04 PST
   Lease Expires at                  2009-08-22 18:13:04 PST
   DHCP Options :
       Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ]
       Name: server-identifier, Value: 10.1.1.1
       Name: router, Value: [ 10.1.1.80 ]
       Name: boot-image, Value: jinstall-ex-4200-9.6R1.5-domestic-signed.tgz
       Name: boot-image-location, Value: 10.1.1.25:/bootfiles/

Meaning

The output from this command shows the name and location of the software package
under DHCP options when automatic software download was last used to install a
software package. The sample output in DHCP options shows that the last DHCP
server message to arrive on the DHCP client had a boot server address of
192.168.1.165 and a boot file named jinstall-ex-4200-9.6R1.5-domestic-signed.tgz. If
automatic software download was enabled on this client switch during the last DHCP
message exchange, these values were used by the switch to upgrade the software.
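The comparison that the automatic software download feature performs, and the package name scheme from JUNOS Software Package Names on page 87, can be reproduced off the switch so that an operator can check what a DHCP offer would do before enabling auto-image-upgrade. The following Python script is an added example and is not code from this guide or from Juniper Networks. It parses the text of show system services dhcp client as printed above, splits a jinstall-ex package name into platform, version, distribution and the -signed suffix, applies the switch's own rule (download when the offered name differs from the booted package), and adds two checks of its own, platform match and signed suffix, which the guide does not describe the switch as performing. The sample command output, the helper names and the running package name are all constructed for this example.

```python
"""Check a DHCP-offered boot image against the package that booted the switch.

Added example, not code from the Juniper guide. It parses the text of
'show system services dhcp client <interface>' and the package name scheme
jinstall-ex-<platform>-<m.nZx>-<distribution>[-signed].tgz, reproduces the name
comparison auto-image-upgrade performs, and adds two operator-side checks
(platform and signed suffix) that are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the guide's 'show system services dhcp client' output.
SAMPLE_DHCP_CLIENT_OUTPUT = """\
Logical Interface Name            ge-0/0/1.0
Hardware address                  00:0a:12:00:12:12
Client Status                     bound
Vendor Identifier                 ether
Server Address                    10.1.1.1
Address obtained                  10.1.1.89
Lease Obtained at                 2009-08-20 18:13:04 PST
Lease Expires at                  2009-08-22 18:13:04 PST
DHCP Options :
    Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ]
    Name: server-identifier, Value: 10.1.1.1
    Name: router, Value: [ 10.1.1.80 ]
    Name: boot-image, Value: jinstall-ex-4200-9.6R1.5-domestic-signed.tgz
    Name: boot-image-location, Value: 10.1.1.25:/bootfiles/
"""

# jinstall-ex-<platform>-<major>.<minor><type><build>.<spin>-<distribution>[-signed].tgz
PACKAGE_RE = re.compile(
    r"^jinstall-ex-(?P<platform>\d+)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)(?P<type>[A-Z])(?P<build>\d+)\.(?P<spin>\d+)-"
    r"(?P<distribution>[a-z]+)(?P<signed>-signed)?\.tgz$"
)


@dataclass(frozen=True)
class PackageName:
    platform: str      # "4200", "8200", ...
    version: str       # m.nZx, e.g. "9.6R1.5"
    distribution: str  # "domestic" in the guide's examples
    signed: bool       # True when the name carries the -signed suffix


def parse_package_name(name: str) -> PackageName:
    """Split a JUNOS EX package filename into its fields; raise on any other name."""
    m = PACKAGE_RE.match(name)
    if m is None:
        raise ValueError(f"not a jinstall-ex package name: {name!r}")
    version = f"{m['major']}.{m['minor']}{m['type']}{m['build']}.{m['spin']}"
    return PackageName(m["platform"], version, m["distribution"], m["signed"] is not None)


def parse_dhcp_client_output(text: str) -> Dict[str, str]:
    """Flatten the command output: fixed fields by label, DHCP options as 'option:<name>'."""
    fields: Dict[str, str] = {}
    in_options = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DHCP Options"):
            in_options = True
            continue
        if in_options:
            m = re.match(r"Name:\s*(?P<name>[\w-]+),\s*Value:\s*(?P<value>.+)$", line)
            if m:
                fields["option:" + m["name"]] = m["value"].strip()
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)   # label and value: 2+ spaces apart
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def pending_upgrade(dhcp_text: str, running_package: str) -> Optional[str]:
    """The switch's rule: download when the offered name differs from the booted
    package. Returns the full path the switch would fetch, or None for no upgrade."""
    fields = parse_dhcp_client_output(dhcp_text)
    offered = fields.get("option:boot-image")
    if offered is None or offered == running_package:
        return None
    return fields.get("option:boot-image-location", "") + offered


def review_offer(dhcp_text: str, running_package: str) -> List[str]:
    """Operator-side checks added by this example (not performed by the switch):
    the offered image must target the same platform and carry the -signed suffix."""
    fields = parse_dhcp_client_output(dhcp_text)
    offered = fields.get("option:boot-image")
    if offered is None:
        return ["no boot-image option in the DHCP server message"]
    try:
        offered_pkg = parse_package_name(offered)
    except ValueError as exc:
        return [str(exc)]
    running_pkg = parse_package_name(running_package)
    findings: List[str] = []
    if offered_pkg.platform != running_pkg.platform:
        findings.append(
            f"platform mismatch: offered {offered_pkg.platform}, running {running_pkg.platform}"
        )
    if not offered_pkg.signed:
        findings.append("offered package lacks the -signed suffix")
    return findings


if __name__ == "__main__":
    running = "jinstall-ex-4200-9.5R1.5-domestic-signed.tgz"   # constructed running package
    print("would fetch:", pending_upgrade(SAMPLE_DHCP_CLIENT_OUTPUT, running))
    print("findings:", review_offer(SAMPLE_DHCP_CLIENT_OUTPUT, running))
```

Run it with the output of show system services dhcp client pasted into SAMPLE_DHCP_CLIENT_OUTPUT and the package name from show version as the running package; an empty findings list together with a non-None path means the next DHCP exchange would install exactly the image you expect.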
Related Topics

   Upgrading Software Using Automatic Software Download on EX Series Switches
   on page 100

   DHCP Services for EX Series Switches Overview on page 763

Chapter 7

Configuration File Management

   Understanding Configuration Files for EX Series Switches on page 103

   Configuration Files Terms on page 104

   Understanding Autoinstallation of Configuration Files on EX Series
   Switches on page 105

   Managing Configuration Files Through the Configuration History (J-Web
   Procedure) on page 107

   Uploading a Configuration File (CLI Procedure) on page 110

   Uploading a Configuration File (J-Web Procedure) on page 111

   Loading a Previous Configuration File (CLI Procedure) on page 112

   Configuring Autoinstallation of Configuration Files (CLI Procedure) on page 113

   Verifying Autoinstallation Status on an EX Series Switch on page 114

   EX3200 and EX4200 Default Configuration on page 115

   EX8200 Switch Default Configuration on page 119

Understanding Configuration Files for EX Series Switches

A configuration file stores the complete configuration of a switch. The current
configuration of a switch is called the active configuration. You can alter this current
configuration and you can also return to a previous configuration or to a rescue
configuration. For more information, see Configuration Files Terms on page 104.

Juniper Networks JUNOS Software saves the 50 most recently committed configuration
files on the switch so that you can return to a previous configuration. The configuration
files are named:

   juniper.conf.gz: The current active configuration.

   juniper.conf.1.gz to juniper.conf.49.gz: Rollback configurations.

To make changes to the configuration file, you have to work in the configuration
mode in the CLI or use the configuration tools in the J-Web interface. When making
changes to a configuration file, you are viewing and changing the candidate
configuration file. The candidate configuration allows you to make configuration
changes without causing operational changes to the active configuration or causing
potential damage to your current network operations. Once you commit the changes
made to the candidate configuration, the system updates the active configuration.
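The relationship between the active, candidate and rollback configurations described above can be made concrete with a small in-memory model. The following Python class is an added example and is not code from this guide or from Juniper Networks; it keeps a list in which index 0 stands for juniper.conf.gz and index i for juniper.conf.i.gz, shifts the list on commit while keeping the 50 most recent files, and loads a rollback into the candidate without committing it, which is the CLI rollback behavior this chapter contrasts with the J-Web Rollback action. The configuration bodies are plain strings constructed for the example.

```python
"""In-memory model of the JUNOS active, candidate and rollback configurations.

Added example, not code from the Juniper guide. Commit moves the active file
juniper.conf.gz to juniper.conf.1.gz and shifts the older rollbacks up, keeping the
50 most recent files (the active one plus juniper.conf.1.gz to juniper.conf.49.gz);
rollback n loads rollback file n into the candidate without committing it. The
configuration bodies are plain strings constructed for the example.
"""
from typing import List

MAX_FILES = 50   # juniper.conf.gz plus juniper.conf.1.gz .. juniper.conf.49.gz


class ConfigStore:
    def __init__(self, factory_default: str) -> None:
        # index 0 is the active configuration, index i is rollback i
        self._files: List[str] = [factory_default]
        self.candidate: str = factory_default

    @property
    def active(self) -> str:
        return self._files[0]

    def filenames(self) -> List[str]:
        return ["juniper.conf.gz"] + [f"juniper.conf.{i}.gz" for i in range(1, len(self._files))]

    def edit(self, new_candidate: str) -> None:
        """Configuration-mode edits change only the candidate, never the active file."""
        self.candidate = new_candidate

    def commit(self) -> List[str]:
        """Activate the candidate; the previous active file becomes rollback 1 and the
        oldest rollback beyond 49 is discarded. Returns the resulting file names."""
        self._files.insert(0, self.candidate)
        del self._files[MAX_FILES:]
        return self.filenames()

    def rollback(self, n: int) -> str:
        """Like the CLI 'rollback n': load rollback n as the candidate, not committed."""
        if not 0 <= n < len(self._files):
            raise ValueError(f"rollback {n} does not exist; {len(self._files) - 1} rollback files kept")
        self.candidate = self._files[n]
        return self.candidate


if __name__ == "__main__":
    store = ConfigStore("factory-default")
    for i in range(60):
        store.edit(f"config-{i}")
        store.commit()
    print(len(store.filenames()), "files kept; active is", store.active)
    store.rollback(1)
    print("candidate after rollback 1:", store.candidate, "| active still:", store.active)
```

After 60 commits only 50 files remain, so the ten oldest configurations are no longer recoverable with rollback; rollback 1 changes the candidate only, and the active configuration moves only when that candidate is committed.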


Related Topics

   Managing Configuration Files Through the Configuration History (J-Web Procedure)
   on page 107

   Uploading a Configuration File (CLI Procedure) on page 110

   Uploading a Configuration File (J-Web Procedure) on page 111

   Loading a Previous Configuration File (CLI Procedure) on page 112

   Reverting to the Rescue Configuration for the EX Series Switch on page 154

   Configuration Files Terms on page 104

Configuration Files Terms

Table 20 on page 104 lists the various configuration file terms used for EX Series
switches and their definitions.

Table 20: Configuration File Terms

Term: active configuration
  Definition: The current committed configuration of a switch.

Term: candidate configuration
  Definition: A working copy of the configuration that allows users to make
  configuration changes without causing any operational changes until this copy
  is committed.

Term: configuration group
  Definition: Group of configuration statements that can be inherited by the rest
  of the configuration.

Term: commit a configuration
  Definition: Have the candidate configuration checked for proper syntax, activated,
  and marked as the current configuration file running on the switching platform.

Term: configuration hierarchy
  Definition: The JUNOS Software configuration consists of a hierarchy of statements.
  There are two types of statements: container statements, which contain other
  statements, and leaf statements, which do not contain other statements. All the
  container and leaf statements together form the configuration hierarchy.

Term: default configuration
  Definition: The default configuration contains the initial values set for each
  configuration parameter when a switch is shipped.

Term: rescue configuration
  Definition: Well-known configuration that recovers a switch from a configuration
  that denies management access. You set a current committed configuration to be
  the rescue configuration through the J-Web interface or CLI.

Term: roll back a configuration
  Definition: Return to a previously committed configuration.

Related Topics

   EX3200 and EX4200 Default Configuration on page 115

   EX8200 Switch Default Configuration on page 119

   Loading a Previous Configuration File (CLI Procedure) on page 112

   Managing Configuration Files Through the Configuration History (J-Web Procedure)
   on page 107

   Reverting to the Rescue Configuration for the EX Series Switch on page 154

   Understanding Configuration Files for EX Series Switches on page 103

Understanding Autoinstallation of Configuration Files on EX Series Switches

Autoinstallation is the automatic configuration of a device over the network from a
pre-existing configuration file that you create and store on a configuration
server, typically a Trivial File Transfer Protocol (TFTP) server. You can use
autoinstallation to automatically configure new devices and to deploy multiple devices
from a central location in the network.

Autoinstallation takes place automatically when you connect an Ethernet port on a
new switch to the network and power on the switch. You can also explicitly enable
autoinstallation on Juniper Networks EX Series Ethernet Switches in your network
to implement autoinstallation when they are powered on. To configure autoinstallation,
you specify a configuration server, an autoinstallation interface, and a protocol for
IP address acquisition.

This topic describes:

   Typical Uses for Autoinstallation on page 105

   Autoinstallation Configuration Files and IP Addresses on page 105

   Typical Autoinstallation Process on a New Switch on page 106

Typical Uses for Autoinstallation

   To deploy and update multiple devices from a central location in the network.

   To configure a new device: Autoinstallation takes place when you power on a
   device that has only the factory default configuration (boot) file.

   To update a device: Autoinstallation takes place when a device that has been
   manually configured for autoinstallation is powered on.

Autoinstallation Configuration Files and IP Addresses

For the autoinstallation process to work, you must store one or more host-specific
or default configuration files on a configuration server in the network and have a
service available, typically Dynamic Host Configuration Protocol (DHCP), to assign
an IP address to the switch.

You can set up the following configuration files for autoinstallation on the switch:

   network.conf: Default configuration file for autoinstallation, in which you specify
   IP addresses and associated hostnames for devices on the network.

   switch.conf: Default configuration file for autoinstallation with a minimum
   configuration sufficient for you to telnet to the device and configure it manually.

   hostname.conf: Host-specific configuration file for autoinstallation on a device
   that contains all the configuration information necessary for the switch. In the
   filename, hostname is replaced with the hostname assigned to the switch.

If the server with the autoinstallation configuration file is not on the same LAN
segment as the new device, or if a specific device is required by the network, you
must configure an intermediate device directly attached to the new switch, through
which the new switch can send TFTP, boot protocol (BOOTP), and Domain Name
System (DNS) requests. In this case, you specify the IP address of the intermediate
device as the location to receive TFTP requests for autoinstallation.

Typical Autoinstallation Process on a New Switch

When an EX Series switch is powered on for the first time, it performs the following
autoinstallation tasks:

1. The new switch sends out DHCP or BOOTP requests on each connected interface
   simultaneously to obtain an IP address.

   If a DHCP server responds to these requests, it provides the switch with some
   or all of the following information:

      An IP address and subnet mask for the autoinstallation interface.

      The location of the (typically) TFTP server, Hypertext Transfer Protocol
      (HTTP) server, or FTP server on which the configuration file is stored.

      The name of the configuration file to be requested from the TFTP server.

      The IP address or hostname of the TFTP server.

      If the DHCP server provides the server's hostname, a DNS server must be
      available on the network to resolve the name to an IP address.

      The IP address of an intermediate device if the configuration server is on a
      different LAN segment from the new switch.

2. After the new switch acquires an IP address, the autoinstallation process on the
   switch attempts to download a configuration file in the following ways:

   a. If the DHCP server specifies the host-specific configuration file hostname.conf,
      the switch uses that filename in the TFTP server request. The autoinstallation
      process on the new switch makes three unicast TFTP requests for
      hostname.conf. If these attempts fail, the switch broadcasts three requests
      to any available TFTP server for the file.

   b. If the new switch does not locate a hostname.conf file, the autoinstallation
      process sends three unicast TFTP requests for a network.conf file that contains
      the switch's hostname-to-IP-address mapping information. If these attempts
      fail, the switch broadcasts three requests to any available TFTP server for
      the file.

   c. If the switch fails to find a network.conf file that contains a hostname entry
      for the switch, the autoinstallation process sends out a DNS request and
      attempts to resolve the new switch's IP address to a hostname.

   d. If the new switch determines its hostname, it sends a TFTP request for the
      hostname.conf file.

   e. If the new switch is unable to map its IP address to a hostname, it sends
      TFTP requests for the default configuration file switch.conf. The TFTP request
      procedure is the same as for the network.conf file.

3. After the new switch locates a configuration file on a TFTP server, the
   autoinstallation process downloads the file, installs the file on the switch, and
   commits the configuration.

Related Topics

   Configuring Autoinstallation of Configuration Files (CLI Procedure) on page 113

   Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

   Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

   Configuration Files Terms on page 104
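The lookup order in step 2 of Typical Autoinstallation Process on a New Switch decides which file a new switch ends up committing, so it is worth tracing before a configuration server is populated. The following Python simulation is an added example and is not code from this guide or from Juniper Networks. It walks steps 2a to 2e with the retry counts from the text (three unicast TFTP requests, then three broadcast requests, per file) and records every request it would make. The FakeTftpServer and Network classes, the reverse-DNS table, and the one-line-per-host network.conf format are stand-ins constructed for the example; the guide does not say what happens when a resolved hostname has no hostname.conf file, so falling through to switch.conf in that case is this example's assumption.

```python
"""Simulate the configuration-file lookup order of EX Series autoinstallation.

Added example, not code from the Juniper guide. Models step 2 above: hostname.conf
named by DHCP, then network.conf, then a reverse-DNS lookup of the switch's own
address, then hostname.conf again, and finally switch.conf; each TFTP fetch makes
three unicast requests and then three broadcast requests. Servers, DNS table and the
network.conf format are constructed stand-ins; falling through to switch.conf when a
resolved hostname has no file is this example's assumption, not the guide's statement.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeTftpServer:
    files: Dict[str, str]                # filename -> contents


@dataclass
class Network:
    """Constructed LAN: the server the DHCP reply pointed at, the servers that
    answer broadcasts, and a reverse-DNS table (ip -> hostname)."""
    unicast_server: Optional[FakeTftpServer]
    broadcast_servers: List[FakeTftpServer]
    reverse_dns: Dict[str, str]


@dataclass
class LookupResult:
    chosen_file: Optional[str] = None
    contents: Optional[str] = None
    attempts: List[str] = field(default_factory=list)   # trace of every request made


def tftp_fetch(net: Network, filename: str, attempts: List[str]) -> Optional[str]:
    """Three unicast requests to the DHCP-named server, then three broadcast requests."""
    for i in range(1, 4):
        attempts.append(f"unicast tftp {filename} #{i}")
        if net.unicast_server is not None and filename in net.unicast_server.files:
            return net.unicast_server.files[filename]
    for i in range(1, 4):
        attempts.append(f"broadcast tftp {filename} #{i}")
        for server in net.broadcast_servers:
            if filename in server.files:
                return server.files[filename]
    return None


def hostname_from_network_conf(text: str, my_ip: str) -> Optional[str]:
    """Constructed format for this example: one '<ip> <hostname>' pair per line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == my_ip:
            return parts[1]
    return None


def autoinstall_lookup(net: Network, my_ip: str, dhcp_hostname: Optional[str]) -> LookupResult:
    res = LookupResult()
    # a. DHCP named a host-specific file
    if dhcp_hostname:
        data = tftp_fetch(net, f"{dhcp_hostname}.conf", res.attempts)
        if data is not None:
            res.chosen_file, res.contents = f"{dhcp_hostname}.conf", data
            return res
    # b. network.conf holds the hostname-to-IP-address mapping
    hostname = None
    netconf = tftp_fetch(net, "network.conf", res.attempts)
    if netconf is not None:
        hostname = hostname_from_network_conf(netconf, my_ip)
    # c. no entry for this switch: ask DNS to map the address to a hostname
    if hostname is None:
        res.attempts.append(f"dns reverse {my_ip}")
        hostname = net.reverse_dns.get(my_ip)
    # d. hostname known: request hostname.conf
    if hostname:
        data = tftp_fetch(net, f"{hostname}.conf", res.attempts)
        if data is not None:
            res.chosen_file, res.contents = f"{hostname}.conf", data
            return res
    # e. no hostname (or no file for it, this example's assumption): switch.conf
    data = tftp_fetch(net, "switch.conf", res.attempts)
    if data is not None:
        res.chosen_file, res.contents = "switch.conf", data
    return res


def build_sample_network() -> Network:
    """Constructed topology used by the demo below."""
    config_server = FakeTftpServer({
        "network.conf": "10.0.0.5 sw-floor2\n10.0.0.6 sw-floor3\n",
        "sw-floor2.conf": "system { host-name sw-floor2; }",
    })
    fallback_server = FakeTftpServer({"switch.conf": "system { services { telnet; } }"})
    return Network(config_server, [fallback_server], {"10.0.0.9": "sw-lab"})


if __name__ == "__main__":
    net = build_sample_network()
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.77"):
        r = autoinstall_lookup(net, ip, None)
        print(ip, "->", r.chosen_file, f"after {len(r.attempts)} requests")
```

The trace makes the cost of a missing file visible: a switch whose hostname resolves but whose hostname.conf is absent issues six requests for it before falling back, and a switch that is in neither network.conf nor DNS ends up with the minimal switch.conf, which is why a complete network.conf or reverse-DNS entry belongs on the server before the new switch is powered on.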

Managing Configuration Files Through the Configuration History (J-Web Procedure)

Use the Configuration History function to manage configuration files.

1. Displaying Configuration History on page 107
2. Displaying Users Editing the Configuration on page 108
3. Comparing Configuration Files with the J-Web Interface on page 109
4. Downloading a Configuration File with the J-Web Interface on page 109
5. Loading a Previous Configuration File with the J-Web Interface on page 109

Displaying Configuration History

To manage configuration files with the J-Web interface, select Maintain > Config
Management > History. The main pane displays the History Database Information
page. Table 21 on page 107 summarizes the contents of the display.

The configuration history display allows you to:

   View a configuration.

   Compare two configurations.

   Download a configuration file to your local system.

   Roll back the configuration to any of the previous versions stored on the switch.

Table 21: J-Web Configuration History Summary

Field: Number
  Description: Version of the configuration file.

Field: Date/Time
  Description: Date and time the configuration was committed.

Field: User
  Description: Name of the user who committed the configuration.

Field: Client
  Description: Method by which the configuration was committed:
    cli: A user entered a JUNOS CLI command.
    junoscript: A JUNOScript client performed the operation. Commit operations
    performed by users through the J-Web interface are identified in this way.
    snmp: An SNMP set request started the operation.
    other: Another method was used to commit the configuration.

Field: Comment
  Description: Comment.

Field: Log Message
  Description: Method used to edit the configuration:
    Imported via paste: Configuration was edited and loaded with the
    Configure>CLI Tools>Edit Configuration Text option.
    Imported upload [filename]: Configuration was uploaded with the
    Configure>CLI Tools>Point Click Editor option.
    Modified via JWeb Configure: Configuration was modified with the J-Web
    Configure menu.
    Rolled back via user-interface: Configuration was rolled back to a previous
    version through the user interface specified by user-interface, which can be
    Web Interface or CLI.

Field: Action
  Description: Action to perform with the configuration file. The action can be
  Download or Rollback.

Displaying Users Editing the Configuration

To display a list of users editing the switching platform configuration, select Config
Management > History. The list is displayed as Database Information in the main
pane. Table 22 on page 108 summarizes the Database Information display.

Table 22: J-Web Configuration Database Information Summary

Field: User Name
  Description: Name of user editing the configuration.

Field: Start Time
  Description: Time of day the user logged in to the switch.

Field: Idle Time
  Description: Elapsed time since the user issued a configuration command from
  the CLI.

Field: Terminal
  Description: Terminal on which the user is logged in.

Field: PID
  Description: Process identifier assigned to the user by the switching platform.

Field: Edit Flags
  Description: Designates a private or exclusive edit.

Field: Edit Path
  Description: Level of the configuration hierarchy that the user is editing.

Comparing Configuration Files with the J-Web Interface

To compare any two of the past 50 committed configuration files:

1. Select Config Management > History. A list of the current and the previous 49 configurations is displayed as Configuration History in the main pane.

2. Select the check boxes to the left of the two configuration versions you want to compare.

3. Click Compare.

The main pane displays the differences between the two configuration files at each hierarchy level as follows:

- Lines that have changed are highlighted side by side in green.

- Lines that exist only in the more recent configuration file are displayed in red on the left.

- Lines that exist only in the older configuration file are displayed in blue on the right.

Downloading a Configuration File with the J-Web Interface

To download a configuration file from the switch to your local system:

1. Select Config Management > History. A list of the current and previous 49 configurations is displayed as Configuration History in the main pane.

2. In the Action column, click Download for the version of the configuration you want to download.

3. Select the options your Web browser provides that allow you to save the configuration file to a target directory on your local system.

The file is saved as an ASCII file. It contains the complete configuration, including password hashes and any other secret data the configuration holds, so store and share it accordingly.

Loading a Previous Configuration File with the J-Web Interface

To load (roll back) and commit a previous configuration file stored on the switching platform:

1. Select Config Management > History. A list of the current and previous 49 configurations is displayed as Configuration History in the main pane.

2. In the Action column, click Rollback for the version of the configuration you want to load. The main pane displays the results of the rollback operation.

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

NOTE: When you click Rollback, the switch loads and commits the selected configuration in one step. This differs from the CLI, where the rollback configuration mode command loads the selected configuration into the candidate but does not commit it; you must enter commit yourself. Because the J-Web Rollback offers no review step, compare the selected version with the current configuration before you click it.

Related Topics

- Loading a Previous Configuration File (CLI Procedure) on page 112
- Understanding Configuration Files for EX Series Switches on page 103
- Understanding J-Web Configuration Tools on page 66

Uploading a Configuration File (CLI Procedure)

You can create a configuration file on your local system, copy the file to the EX Series switch, and then load the file into the CLI. After you have loaded the configuration file, you can commit it to activate the configuration on the switch. You can also edit the configuration interactively using the CLI and commit it at a later time.

To upload a configuration file from your local system:

1. Create the configuration file using a text editor such as Notepad, making sure that the syntax of the configuration file is correct. For more information about testing the syntax of a configuration file, see the JUNOS Software System Basics and Services Command Reference at http://www.juniper.net/techpubs/software/junos/.

2. Decide which load option to use when the file is loaded. Table 23 on page 110 lists and describes some options for the load command.

Table 23: Options for the load command

merge: Combines the current active configuration and the configuration in filename or the one that you type at the terminal. A merge operation is useful when you are adding a new section to an existing configuration. If the active configuration and the incoming configuration contain conflicting statements, the statements in the incoming configuration override those in the active configuration.

override: Discards the current candidate configuration and loads the configuration in filename or the one that you type at the terminal. When you use the override option and commit the configuration, all system processes reparse the configuration. You can use the override option at any level of the hierarchy. Because override replaces the entire candidate, a partial file loaded with this option removes every statement that the file does not contain.

replace: Searches for the replace tags, deletes the existing statements of the same name, if any, and replaces them with the incoming configuration. If there is no existing statement of the same name, the replace operation adds the statements marked with the replace tag to the active configuration.

NOTE: For the replace operation to work, you must include replace tags in the text file or in the configuration you type at the terminal.


3. Press Ctrl+A to select all the text in the configuration file.

4. Press Ctrl+C to copy the contents of the configuration text file to the Clipboard.

5. Log in to the switch using your username and password.

6. Enter configuration mode:

user@switch> configure

You will see this output; the hash or pound mark in the prompt indicates configuration mode:

Entering configuration mode
[edit]
user@switch#

7. Load the configuration file:

[edit]
user@switch# load merge terminal

8. At the cursor, paste the contents of the Clipboard using the mouse and the Paste icon:

[edit]
user@switch# load merge terminal
[Type ^D at a new line to end input]
>Cursor is here. Paste the contents of the clipboard here<

9. Press Enter.

10. Press Ctrl+D to set the end-of-file marker.

To view the results of the configuration steps before committing the configuration, enter the show command at the configuration mode prompt. If the load reported syntax errors, correct the file and load it again before you commit.

To commit these changes to the active configuration, enter the commit command at the configuration mode prompt. You can also continue to edit the configuration interactively using the CLI and commit it at a later time.
Related Topics

- Uploading a Configuration File (J-Web Procedure) on page 111
- Understanding Configuration Files for EX Series Switches on page 103

Uploading a Configuration File (J-Web Procedure)

You can create a configuration file on your local system and upload it to the EX Series switch through the J-Web interface. The upload loads the file and commits it in one step, so the configuration becomes active as soon as the syntax check passes; there is no opportunity to review the candidate first. If you need that review step, use the CLI procedure instead.

To upload a configuration file from your local system:

1. Select Maintain > Config Management > Upload. The main pane displays the File to Upload box.

2. Specify the name of the file to upload using one of the following methods:

   - Type the absolute path and filename in the File to Upload box.


   - Click Browse to navigate to the file.

3. Click Upload and Commit to upload and commit the configuration. The switch checks the configuration for the correct syntax before committing it.

Related Topics

- Uploading a Configuration File (CLI Procedure) on page 110
- Understanding J-Web Configuration Tools on page 66
- Understanding Configuration Files for EX Series Switches on page 103

Loading a Previous Configuration File (CLI Procedure)

You can return to a previously committed configuration file if you need to revert to a previous configuration. The EX Series switch saves the last 50 committed configurations, including the rollback number, date, time, and name of the user who issued the commit configuration command.

Syntax

rollback <number>

Options

none: Return to the most recently saved configuration.

number: Configuration to return to. Range: 0 through 49. The most recently saved configuration is number 0, and the oldest saved configuration is number 49. Default: 0. Because rollback 0 reloads the most recently committed configuration, it also discards any uncommitted changes in the candidate.

To return to a configuration prior to the most recently committed one:

1. Specify the rollback number (here, 1 is entered and the configuration returns to the previously committed configuration):

[edit]
user@switch# rollback 1
load complete

2. Review the loaded candidate with the show command, then activate it:

[edit]
user@switch# commit

Related Topics

- Managing Configuration Files Through the Configuration History (J-Web Procedure) on page 107
- Configuration Files Terms on page 104
- For more information on rollback, see the JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos/junos94/index.html.


Configuring Autoinstallation of Configuration Files (CLI Procedure)

Autoinstallation is the automatic configuration of a device over the network from a pre-existing configuration file that you create and store on a configuration server, typically a Trivial File Transfer Protocol (TFTP) server. You can use autoinstallation to automatically configure new devices and to deploy multiple devices from a central location in the network.

No configuration is required on a new switch (a switch that has the factory default configuration file), because autoinstallation is an automated process. However, to have autoinstallation run when you power on a switch already installed in your network, you must enable it by specifying one or more interfaces, protocols, and configuration servers to be used for autoinstallation.

Before you explicitly enable and configure autoinstallation on the switch, perform these tasks as needed for your network's configuration:

- Have a service available, typically Dynamic Host Configuration Protocol (DHCP), to assign an IP address to the switch.

- Configure a DHCP server on your network to meet your network requirements. You can configure an EX Series switch to operate as a DHCP server. For more information, see Configuring DHCP Services (J-Web Procedure) on page 772.

- Create one of the following configuration files, and store it on a TFTP server (or HTTP server or FTP server) in the network:

  - A host-specific file with the name hostname.conf for each switch undergoing autoinstallation. Replace hostname with the name of a switch. The hostname.conf file typically contains all the configuration information necessary for the switch with this hostname.

  - A default configuration file named switch.conf with the minimum configuration necessary to enable you to telnet into the new switch for further configuration.

- Physically attach the switch to the network using a Gigabit Ethernet port.

- If you configure the DHCP server to provide only the TFTP server hostname, add an IP address-to-hostname mapping entry for the TFTP server to the DNS database file on the Domain Name System (DNS) server in the network.

- If the new switch is not on the same network segment as the DHCP server (or other device providing IP address resolution), configure an existing device as an intermediate device to receive TFTP and DNS requests and forward them to the TFTP server and the DNS server. You must configure the LAN or serial interface on the intermediate device with the IP addresses of the hosts providing TFTP and DNS services. Connect this interface to the new switch.

- If you are using hostname.conf files for autoinstallation, you must also complete the following tasks:

  - Configure the DHCP server to provide a hostname.conf filename to each new switch. Each switch uses its hostname.conf filename to request a configuration file from the TFTP server. Copy the necessary hostname.conf configuration files to the TFTP server.


  - Create a default configuration file named network.conf, and copy it to the TFTP server. This file contains IP-address-to-hostname mapping entries. If the DHCP server does not send a hostname.conf filename to a new switch, the switch uses network.conf to resolve its hostname based on its IP address. Alternatively, you can add the IP-address-to-hostname mapping entry for the new switch to a DNS database file. The switch uses the hostname to request a hostname.conf file from the TFTP server.

To configure autoinstallation:

1. Specify the URL of one or more servers from which to obtain configuration files:

[edit system]
user@switch# set autoinstallation configuration-servers tftp://tftpconfig.sp.com

NOTE: You can also use an FTP URL, for example, ftp://user:password@sftpconfig.sp.com. A password embedded in the URL is stored in the configuration and sent over the network in cleartext, and TFTP provides no authentication at all, so the switch accepts whatever configuration the server on that segment delivers. Run autoinstallation only on a network segment you control.

2. Configure one or more Ethernet interfaces to perform autoinstallation and one or two procurement protocols for each interface. The switch uses the protocols to send a request for an IP address for the interface:

[edit system]
user@switch# set autoinstallation interfaces ge-0/0/0 bootp

Related Topics

- Verifying Autoinstallation Status on an EX Series Switch on page 114
- Understanding Autoinstallation of Configuration Files on EX Series Switches on page 105
- DHCP Services for EX Series Switches Overview on page 763

Verifying Autoinstallation Status on an EX Series Switch

Purpose

Display the status of the autoinstallation feature on an EX Series switch.

Action

From the CLI, enter the show system autoinstallation status command.

Sample Output

user@switch> show system autoinstallation status
Autoinstallation status:
  Master state: Active
  Last committed file: None
  Configuration server of last committed file: 10.25.100.1
  Interface:
    Name: ge-0/0/0
    State: Configuration Acquisition

    Acquired:
      Address: 192.168.124.75
      Hostname: host-ge-000
      Hostname source: DNS
      Configuration filename: switch-ge-000.conf
      Configuration filename server: 10.25.100.3
    Address acquisition:
      Protocol: DHCP Client
      Acquired address: None
      Protocol: RARP Client
      Acquired address: None
  Interface:
    Name: ge-0/0/1
    State: None
    Address acquisition:
      Protocol: DHCP Client
      Acquired address: None
      Protocol: RARP Client
      Acquired address: None
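Checking this output by eye is fine for one switch; for a rollout it is worth parsing. The following Python is added here as an example and is not part of the JUNOS documentation or software. It parses the sample output shown on this page into a structure and then checks it against the configuration servers you actually configured, which matters because TFTP gives the switch no way to authenticate the server that handed it its configuration. The indentation in SAMPLE_STATUS is restored by assumption (two spaces per level); the parser keys on the section labels and does not rely on it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Sample output from this page with the CLI's indentation restored (assumption:
# two spaces per level). Constructed test input, not captured from a live switch.
SAMPLE_STATUS = """\
Autoinstallation status:
  Master state: Active
  Last committed file: None
  Configuration server of last committed file: 10.25.100.1
  Interface:
    Name: ge-0/0/0
    State: Configuration Acquisition
    Acquired:
      Address: 192.168.124.75
      Hostname: host-ge-000
      Hostname source: DNS
      Configuration filename: switch-ge-000.conf
      Configuration filename server: 10.25.100.3
    Address acquisition:
      Protocol: DHCP Client
      Acquired address: None
      Protocol: RARP Client
      Acquired address: None
  Interface:
    Name: ge-0/0/1
    State: None
    Address acquisition:
      Protocol: DHCP Client
      Acquired address: None
      Protocol: RARP Client
      Acquired address: None
"""

GLOBAL_FIELDS = {
    "Master state": "master_state",
    "Last committed file": "last_committed_file",
    "Configuration server of last committed file": "last_server",
}

@dataclass
class Interface:
    name: str = ""
    state: str = ""
    acquired: Dict[str, str] = field(default_factory=dict)   # the "Acquired:" block
    protocols: Dict[str, str] = field(default_factory=dict)  # protocol -> acquired address

@dataclass
class AutoinstallStatus:
    master_state: str = ""
    last_committed_file: str = ""
    last_server: str = ""
    interfaces: List[Interface] = field(default_factory=list)

def parse_status(text: str) -> AutoinstallStatus:
    # Keys on the section labels rather than on indentation, so output pasted from
    # a terminal with its leading whitespace lost still parses.
    status, iface, section, protocol = AutoinstallStatus(), None, None, None
    for raw in text.splitlines():
        key, _, value = (part.strip() for part in raw.strip().partition(":"))
        if not key or key == "Autoinstallation status":
            continue
        if key == "Interface":                 # a new per-interface block starts here
            iface = Interface()
            status.interfaces.append(iface)
            section = protocol = None
        elif iface is None:                    # global fields precede the first interface
            if key in GLOBAL_FIELDS:
                setattr(status, GLOBAL_FIELDS[key], value)
        elif key in ("Acquired", "Address acquisition"):
            section = key
        elif key == "Name":
            iface.name = value
        elif key == "State":
            iface.state = value
        elif section == "Acquired":
            iface.acquired[key] = value
        elif section == "Address acquisition" and key == "Protocol":
            protocol = value
            iface.protocols[protocol] = "None"
        elif section == "Address acquisition" and key == "Acquired address" and protocol:
            iface.protocols[protocol] = value
    return status

def check_status(status: AutoinstallStatus, trusted_servers: Set[str]) -> List[str]:
    # trusted_servers: the hosts configured under [edit system autoinstallation
    # configuration-servers]. TFTP cannot authenticate a server, so a configuration
    # fetched from any other host is a finding, as is an inactive master state.
    findings = []
    if status.master_state != "Active":
        findings.append(f"master state is {status.master_state!r}, not Active")
    if status.last_server not in ("", "None") and status.last_server not in trusted_servers:
        findings.append(f"last committed file came from untrusted server {status.last_server}")
    for iface in status.interfaces:
        if iface.state == "None":              # interface is not taking part
            continue
        server = iface.acquired.get("Configuration filename server")
        if server and server not in trusted_servers:
            findings.append(f"{iface.name}: configuration filename server {server} is untrusted")
    return findings
```

Feed it the captured output of the command and the set of hosts named in your configuration-servers statement; an empty list of findings means the switch fetched its configuration from where you expected. Note that in the sample the filename server (10.25.100.3) differs from the server of the last committed file (10.25.100.1), so both must be trusted for the check to pass.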

Meaning

The output shows the settings configured for autoinstallation. Verify that the values displayed are correct for the switch when it is deployed on the network. In particular, confirm that Configuration filename server and Configuration server of last committed file are servers you configured; a configuration fetched from any other host was not one you intended.

Related Topics

- Configuring Autoinstallation of Configuration Files (CLI Procedure) on page 113

EX3200 and EX4200 Default Configuration

Each EX Series switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file sets values for system parameters such as syslog and commit, configures Power over Ethernet and Ethernet switching on all interfaces, and enables the LLDP and RSTP protocols.

The following factory default configuration file is for a 24-port switch. For models that have more ports, this default configuration file has more interfaces.

NOTE: In this example, ge-0/0/0 through ge-0/0/23 are the network interface ports. Optional uplink modules provide either two 10-gigabit small form-factor pluggable (XFP) transceivers (xe-0/1/0 and xe-0/1/1) or four 1-gigabit small form-factor pluggable (SFP) transceivers (ge-0/1/0 through ge-0/1/3). Although you can install only one uplink module, the interfaces for both are shown below.

When you commit changes to the configuration, a new configuration file is created, which becomes the active configuration. You can always revert to the factory default configuration.

This topic shows the factory default configuration file of a 24-port EX3200 or EX4200 switch:
system {
syslog {
user * {


any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
commit {
factory-settings {
reset-chassis-lcd-menu;
reset-virtual-chassis-configuration;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching;


}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching;
}


}
ge-0/0/19 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}


}
protocols {
igmp-snooping {
vlan all;
}
lldp {
interface all;
}
lldp-med {
interface all;
}
rstp;
}
ethernet-switching-options {
storm-control {
interface all {
level 50;
}
}
}
poe {
interface all;
}
Related Topics

- Reverting to the Default Factory Configuration for the EX Series Switch on page 154
- Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79
- Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81
- Understanding Configuration Files for EX Series Switches on page 103
- EX Series Switches Interfaces Overview on page 339

EX8200 Switch Default Configuration

Each EX8200 switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file sets values for system parameters such as the ARP aging timer and system logging, enables IGMP snooping, LLDP, and RSTP, and applies storm control to all interfaces. Unlike the EX3200 and EX4200 default configuration, it configures no interfaces and no Power over Ethernet.

When you commit changes to the configuration, a new configuration file is created that becomes the active configuration. You can always revert to the factory default configuration.

This topic shows the factory default configuration file of an EX8200 switch:
system {
arp {
aging-timer {
5;
}
}
syslog {
user * {


any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
commit {
factory-settings {
reset-chassis-lcd-menu;
}
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
interface all;
}
rstp;
}
ethernet-switching-options {
storm-control {
interface all {
level 50;
}
}
}
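The J-Web Compare view, the merge and override options in Table 23, and the factory default listings above all operate on the same curly-brace configuration text. The following Python is added here as an example (it is not Juniper code). It flattens that text into set-style leaf statements, diffs two versions into the same three buckets the Compare view colours, and models what load merge and load override do to a candidate configuration. The abridged EX3200 factory default and the partial incoming file are constructed test inputs; treating the last token of a leaf as its value is a schema-free approximation that the code comment notes. Diffing the factory default against the result of load override with a partial file shows why override is risky: every statement the file does not contain disappears from the candidate.

```python
import shlex
from typing import Dict, List, Optional, Tuple

Leaves = Dict[Tuple[str, ...], Optional[str]]

# Abridged EX3200 factory default from this page (syslog, lldp and all but one
# interface omitted to keep the sample short); constructed test input.
EX3200_FACTORY_ABRIDGED = """\
system {
    commit {
        factory-settings {
            reset-chassis-lcd-menu;
            reset-virtual-chassis-configuration;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
protocols {
    rstp;
}
ethernet-switching-options {
    storm-control {
        interface all {
            level 50;
        }
    }
}
poe {
    interface all;
}
"""

# A partial file an operator might paste at `load ... terminal` (constructed).
INCOMING = """\
ethernet-switching-options {
    storm-control {
        interface all {
            level 80;
        }
    }
}
"""

def parse_junos(text: str) -> Leaves:
    # Flatten curly-brace text into {(container..., keyword...): value}. The last
    # token of a multi-word leaf is treated as its value (a schema-free assumption),
    # so `level 50;` and `level 80;` compare as one changed statement.
    leaves: Leaves = {}
    stack: List[Tuple[str, ...]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        elif line.endswith("{"):                 # container: push its name
            stack.append(tuple(shlex.split(line[:-1])))
        elif line.endswith(";"):                 # leaf statement
            tokens = shlex.split(line[:-1])
            prefix = tuple(t for group in stack for t in group)
            if len(tokens) == 1:
                leaves[prefix + (tokens[0],)] = None
            else:
                leaves[prefix + tuple(tokens[:-1])] = tokens[-1]
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError("unbalanced '{': missing closing brace")
    return leaves

def as_set(path: Tuple[str, ...], value: Optional[str]) -> str:
    # One leaf in the `set` form that `show configuration | display set` prints.
    return "set " + " ".join(path + ((value,) if value is not None else ()))

def diff_configs(older: Leaves, newer: Leaves) -> Dict[str, List[str]]:
    # The three buckets the J-Web Compare view colours: changed (green), only in
    # the newer file (red, left) and only in the older file (blue, right).
    common = older.keys() & newer.keys()
    return {
        "changed": sorted(f"{' '.join(p)}: {older[p]} -> {newer[p]}"
                          for p in common if older[p] != newer[p]),
        "only_in_newer": sorted(as_set(p, newer[p]) for p in newer.keys() - older.keys()),
        "only_in_older": sorted(as_set(p, older[p]) for p in older.keys() - newer.keys()),
    }

def load_merge(candidate: Leaves, incoming: Leaves) -> Leaves:
    # `load merge`: everything is kept; on a conflicting statement the incoming value wins.
    return {**candidate, **incoming}

def load_override(candidate: Leaves, incoming: Leaves) -> Leaves:
    # `load override`: the candidate is discarded; the file becomes the whole candidate.
    return dict(incoming)
```

Run diff_configs(factory, load_merge(factory, incoming)) and the only entry is the changed storm-control level; run it against load_override(factory, incoming) and every other factory statement lands in only_in_older, which is exactly what a commit after that override would remove from the switch. Empty containers are not represented in this flat model, and the replace option (which depends on replace tags) is not modelled.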
Related Topics

- Configuration Files Terms on page 104
- Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79
- Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81
- Understanding Configuration Files for EX Series Switches on page 103
- EX8208 Switch Hardware Overview on page 27
Chapter 8

Licenses

- Software Licenses for the EX Series Switch Overview on page 121
- License Key Components for the EX Series Switch on page 122
- Managing Licenses for the EX Series Switch (CLI Procedure) on page 122
- Managing Licenses for the EX Series Switch (J-Web Procedure) on page 124
- Monitoring Licenses for the EX Series Switch on page 126
- Registering the EX Series Switch with the J-Web Interface on page 127

Software Licenses for the EX Series Switch Overview


To enable some Juniper Networks JUNOS Software features, you might have to
purchase, install, and manage separate software license packs. The presence on the
switch of the appropriate software license keys (passwords) determines whether you
are eligible to configure and use certain features.
As an honor-based licensing structure, JUNOS feature licenses are universal, and the
same feature can be installed and configured on multiple switches. However, to
conform to JUNOS feature licensing requirements, you must purchase one license
per switch. For a Virtual Chassis deployment, two licenses are recommended for
redundancy. These licenses can be based on the serial number of any two member
switches. If you add additional member switches to the Virtual Chassis configuration,
you do not need additional licenses.
For features that require a license, you must install and properly configure the license
to meet the requirements for using the licensable feature. The switch enables you
to commit a configuration that specifies a licensable feature without a license for a
30-day grace period. The grace period is a short-term grant that enables you to start
using features in the pack (regardless of the license key limit) without a license key
installed. The grace period begins when the licensable feature is actually used by the
switch (not when it is first committed). In other words, you can commit licensable
features to the switch configuration but the grace period does not begin until the
switch uses the licensable feature. After the grace period expires, the system generates
system log messages saying that the feature requires a license.
Before you begin managing licenses, be sure that you have obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative. Features requiring a license are:

- Border Gateway Protocol (BGP)
- Intermediate System-to-Intermediate System (IS-IS)
- IPv6 (except multicast protocols)
- MPLS with RSVP-based label switched paths (LSPs) and MPLS-based circuit cross-connects (CCCs)

Related Topics

- Managing Licenses for the EX Series Switch (CLI Procedure) on page 122
- Managing Licenses for the EX Series Switch (J-Web Procedure) on page 124
- Monitoring Licenses for the EX Series Switch on page 126
- License Key Components for the EX Series Switch on page 122
- EX Series Switch Software Features Overview on page 3

License Key Components for the EX Series Switch

When you purchase a license for a JUNOS Software feature that requires a separate license, you receive a license key.

A license key consists of two parts:

- License ID: Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.

- License data: Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the string li29183743 is the license ID, and the trailing block of data is the license data:

li29183743 4ky27y acasck 82fsj6 jzsn4q ix8i8d adj7kr
8uq38t ix8i8d jzsn4q ix8i8d 4ky27y acasck
82fsj6 ii8i7e adj7kr 8uq38t ks2923 a9382e

The license data defines the device ID for which the license is valid and the version of the license.
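The license ID and data described above are what you paste at request system license add terminal, with a blank line between keys when there are several. The following Python is added here as an example (it is not Juniper code). It splits such a pasted blob into individual keys and pre-checks their shape before you press Ctrl+D. The two regular expressions encode assumptions drawn from the key shown on this page (an ID of li followed by digits, data tokens of six lowercase alphanumerics); the second key in LICENSE_TEXT is made up for the test and would not be accepted by a switch. Only the switch can validate the license data itself, since that data binds the device ID and version.

```python
import re
from typing import Dict, List

# Two license keys in the form pasted at `request system license add terminal`
# (keys separated by a blank line). The first is the key shown on this page; the
# second is a made-up key for the test and would not be accepted by a switch.
LICENSE_TEXT = """\
li29183743 4ky27y acasck 82fsj6 jzsn4q ix8i8d adj7kr
8uq38t ix8i8d jzsn4q ix8i8d 4ky27y acasck
82fsj6 ii8i7e adj7kr 8uq38t ks2923 a9382e

li00000001 aaaaaa bbbbbb cccccc dddddd
"""

LICENSE_ID = re.compile(r"^li[0-9]+$")      # assumption drawn from the page's example
DATA_TOKEN = re.compile(r"^[a-z0-9]{6}$")   # assumption: six lowercase alphanumerics

def parse_license_keys(text: str) -> List[Dict[str, object]]:
    # Split a pasted blob into keys (blank-line separated) and record shape problems
    # per key. This catches paste damage and duplicates before the switch reports
    # "invalid"; it cannot check the license data, which only the switch can verify.
    keys: List[Dict[str, object]] = []
    seen = set()
    for block in re.split(r"\n\s*\n", text.strip()):
        tokens = block.split()
        if not tokens:
            continue
        license_id, data = tokens[0], tokens[1:]
        problems = []
        if not LICENSE_ID.match(license_id):
            problems.append(f"license ID {license_id!r} is not of the form li<digits>")
        if not data:
            problems.append("no license data follows the ID")
        bad = [t for t in data if not DATA_TOKEN.match(t)]
        if bad:
            problems.append(f"malformed data tokens: {bad}")
        if license_id in seen:
            problems.append("duplicate license ID in this batch")
        seen.add(license_id)
        keys.append({"id": license_id, "data": data, "problems": problems})
    return keys

def delete_commands(keys: List[Dict[str, object]]) -> List[str]:
    # The CLI deletes one license per command, so emit one command per key.
    return [f"request system license delete {key['id']}" for key in keys]
```

Keys with an empty problems list are worth pasting; anything else should be re-copied from the license e-mail rather than entered as is.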
Related Topics

- Managing Licenses for the EX Series Switch (CLI Procedure) on page 122
- Managing Licenses for the EX Series Switch (J-Web Procedure) on page 124
- Software Licenses for the EX Series Switch Overview on page 121

Managing Licenses for the EX Series Switch (CLI Procedure)

To enable some JUNOS Software features on an EX Series switch, you must purchase, install, and manage separate software licenses. Each switch requires one license per licensed feature. The licenses are on an honor system, meaning that after you have configured the features, you have a 30-day grace period to install the license. You will see a warning message if the switch does not have a license for the feature after those 30 days.

Before you begin managing licenses, be sure that you have obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative.

This topic includes the following tasks:

- Adding New Licenses on page 123
- Deleting Licenses on page 124
- Saving License Keys on page 124

Adding New Licenses

To add a new license key on the switch with the CLI:

1. Enter one of the following operational mode CLI commands:

   - To add a license key from a file or URL, enter the following command, specifying the filename of the file or the URL where the key is located:

   user@switch> request system license add filename | url

   - To add a license key from the terminal, enter the following command:

   user@switch> request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank line. If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+D to exit license entry mode.


Deleting Licenses

To delete one or more license keys from the switch with the CLI, enter the following operational mode CLI command for each license, specifying the license ID. You can delete only one license at a time.

user@switch> request system license delete license-id

Saving License Keys

To save the installed license keys to a file (which can be a URL) or to the terminal, enter the following operational mode CLI command:

user@switch> request system license save filename | url

For example, the following command saves the installed license keys to a file named license.conf:

user@switch> request system license save ftp://user@switch/license.conf

FTP sends the login credentials and the file in cleartext, so run a transfer like this only over a management network you control.

Related Topics

- Managing Licenses for the EX Series Switch (J-Web Procedure) on page 124
- Monitoring Licenses for the EX Series Switch on page 126

Managing Licenses for the EX Series Switch (J-Web Procedure)

To enable some JUNOS Software features on an EX Series switch, you must purchase, install, and manage separate software licenses. Each switch requires one license per licensed feature. The licenses are on an honor system, meaning that after you have configured the features, you have a 30-day grace period to install the license. You will see a warning message if the switch does not have a license for the feature after those 30 days.

Before you begin managing licenses, be sure that you have obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative.

This topic includes the following tasks:

- Adding New Licenses on page 124
- Deleting Licenses on page 125
- Displaying License Keys on page 125
- Downloading Licenses on page 125

Adding New Licenses

To add a new license key on the switch with the J-Web license manager:


1. In the J-Web interface, select Maintain > Licenses.

2. Under Installed Licenses, click Add to add a new license key.

3. Do one of the following, using a blank line to separate multiple license keys:

   - In the License File URL box, type the full URL to the destination file containing the license key to be added.

   - In the License Key Text box, paste the license key text, in plain-text format, for the license to be added.

4. Click OK to add the license key.

A list of features that use the license key is displayed. The table also lists the ID, state, and version of the license key.

Deleting Licenses

To delete one or more license keys from a switch with the J-Web license manager:

1. In the J-Web interface, select Maintain > Licenses.

2. Select the check box of the license or licenses you want to delete.

3. Click Delete.

Displaying License Keys

To display the license keys installed on a switch with the J-Web license manager:

1. In the J-Web interface, select Maintain > Licenses.

2. Under Installed Licenses, click Display Keys to display all the license keys installed on the switch. A screen displaying the license keys in text format appears. Multiple licenses are separated by a blank line.

Downloading Licenses

To download the license keys installed on the switch to your local system with the J-Web license manager:

1. In the J-Web interface, select Maintain > Licenses.

2. Under Installed Licenses, click Download Keys to download all the license keys installed on the switch to a single file.

3. Select Save it to disk and specify the file to which the license keys are to be written.

Related Topics

- Managing Licenses for the EX Series Switch (CLI Procedure) on page 122
- Monitoring Licenses for the EX Series Switch on page 126


Monitoring Licenses for the EX Series Switch

To enable and use some JUNOS Software features on the EX Series switch, you must purchase, install, and manage separate software licenses.

To monitor your installed licenses, perform the following tasks:

- Displaying Installed Licenses and License Usage Details on page 126
- Displaying License Usage on page 126
- Displaying Installed License Keys on page 127

Displaying Installed Licenses and License Usage Details

Purpose

Verify that the expected licenses are installed and active on the switch.

Action

From the CLI, enter the show system license command.

Meaning

The output shows a list of the license usage and a list of the licenses installed on the switch. Verify the following information:

- Each license is present. Licenses are listed in ascending alphanumeric order by license ID.

- The state of each license is valid. A state of invalid indicates that the license key is not a valid license key. Either it was entered incorrectly or it is not valid for the specific device.

- The feature for each license is the expected feature. The features enabled are listed by license. An all-inclusive license has All features listed.

- All configured features have the required licenses installed. The Licenses needed column must show that no licenses are required.

Displaying License Usage

Purpose

Verify that the licenses fully cover the feature configuration on the switch.

Action

From the CLI, enter the show system license usage command.

Meaning

The output shows a list of the licenses installed on the switch and how they are used. Verify the following information:

- Each licensed feature and port is present. Features and ports are listed in ascending alphabetical order by license name. The number of licenses is shown in the fourth column. Verify that the appropriate number of licenses is installed.

- The number of used licenses matches the number of configured features and ports. If a licensed feature or port is configured, the feature or port is considered used.

- A license is installed on the switch for each configured feature and port. For every feature or port configured that does not have a license, one license is needed.

Displaying Installed License Keys

Purpose

Verify that the expected license keys are installed on the switch.

Action

From the CLI, enter the show system license keys command.

Meaning

The output shows a list of the license keys installed on the switch. Verify that each expected license key is present.

Related Topics

- Managing Licenses for the EX Series Switch (CLI Procedure) on page 122
- Managing Licenses for the EX Series Switch (J-Web Procedure) on page 124

Registering the EX Series Switch with the J-Web Interface

To register the EX Series switch:

1. In the J-Web interface, select Maintain > Customer Support > Product Registration. Note the serial number that is displayed.

2. Click Register. Enter the serial number in the page that is displayed.

Related Topics

- EX Series Switch Software Features Overview on page 3

Part 5

System Basics

Understanding Basic System Concepts on page 131

Configuring Basic System Functions on page 133

Administering and Monitoring Basic System Functions on page 139

Troubleshooting Basic System Functions on page 165

Operational Mode Commands for Basic System Functions on page 169


Chapter 9: Understanding Basic System Concepts

Understanding Alarm Types and Severity Levels on EX Series Switches on page 131

Understanding Alarm Types and Severity Levels on EX Series Switches

Before monitoring alarms on the switch, become familiar with the terms defined in
Table 24 on page 131.

Table 24: Alarm Terms

alarm
  Definition: Signal alerting you to conditions that might prevent normal operation. On a
  switch, the alarm signal is the yellow ALARM LED lit on the front of the chassis.

alarm condition
  Definition: Failure event that triggers an alarm.

alarm severity
  Definition: Seriousness of the alarm. The level of severity can be either major (red) or
  minor (yellow).

chassis alarm
  Definition: Predefined alarm triggered by a physical condition on the switch such as a
  power supply failure, excessive component temperature, or media failure.

system alarm
  Definition: Predefined alarm triggered by a missing rescue configuration or failure to
  install a license for a licensed software feature.

Alarm Types

The switch supports these alarms:

• Chassis alarms indicate a failure on the switch or one of its components. Chassis
alarms are preset and cannot be modified.

• System alarms indicate a missing rescue configuration. System alarms are preset
and cannot be modified, although you can configure them to appear automatically
in the J-Web interface display or CLI display.

Alarm Severity Levels

Alarms on Juniper Networks EX Series Ethernet Switches have two severity levels:

• Major (red): Indicates a critical situation on the switch that has resulted from
one of the following conditions. A red alarm condition requires immediate action.

  • One or more hardware components have failed.

  • One or more hardware components have exceeded temperature thresholds.

  • An alarm condition configured on an interface has triggered a critical warning.

• Minor (yellow or amber): Indicates a noncritical condition on the switch that,
if left unchecked, might cause an interruption in service or degradation in
performance. A yellow alarm condition requires monitoring or maintenance.
A missing rescue configuration generates a yellow system alarm.

Related Topics

Checking Active Alarms on the Switch with the J-Web Interface

Understanding How to Use the J-Web Interface to View System Information

Chapter 10: Configuring Basic System Functions

Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 133

Configuring Date and Time for the EX Series Switch (J-Web Procedure) on page 135

Generating SSL Certificates to Be Used for Secure Web Access on page 136

Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) on page 137

Configuring Management Access for the EX Series Switch (J-Web Procedure)

You can manage an EX Series switch remotely through the J-Web interface. To
communicate with the switch, the J-Web interface uses Hypertext Transfer Protocol
(HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted
between the Web browser and the switch by means of HTTP is vulnerable to
interception and attack. To enable secure Web access, the switch supports HTTP over
Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific
interfaces and ports as needed.

Navigate to the Secure Access Configuration page by selecting Configure>System
Properties>Management Access. On this page, you can enable HTTP and HTTPS
access on interfaces for managing the EX Series switch through the J-Web interface.
You can also install SSL certificates and enable JUNOScript over SSL with the Secure
Access page.

1. Click Edit to modify the configuration. Enter information into the Management
Access Configuration page, as described in Table 25 on page 134.

2. To verify that Web access is enabled correctly, connect to the switch using the
appropriate method:

  • For HTTP access: In your Web browser, type http://URL or http://IP address.

  • For HTTPS access: In your Web browser, type https://URL or https://IP address.

  • For SSL JUNOScript access: To use this option, you must have a JUNOScript
  client such as JUNOScope. For information about how to log into JUNOScope,
  see the JUNOScope Software User Guide.

Table 25: Secure Management Access Configuration Summary

Management Access tab

Management Port IP/Management Port IPv6
  Function: Specifies the management port IP address. The software supports both IPv4
  (displayed as IP) and IPv6 addresses.
  Your Action: To specify an IPv4 address:
    1. Select the IPv4 address check box.
    2. Type an IP address, for example: 10.10.10.10.
    3. Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0.
    4. Click OK.
  To specify an IPv6 address:
    1. Select the IPv6 address check box.
    2. Type an IP address, for example: 2001:ab8:85a3::8a2e:370:7334.
    3. Enter the subnet mask or address prefix.
    4. Click OK.

Default Gateway
  Function: Defines a default gateway through which to direct packets addressed to
  networks that are not explicitly listed in the bridge table constructed by the switch.
  Your Action: For an IPv4 address, type a 32-bit IP address in dotted decimal notation.
  For an IPv6 address, type a 128-bit IP address.

Loopback address
  Function: Specifies the IP address of the loopback interface.
  Your Action: Type an IP address.

Subnet Mask
  Function: Specifies the subnet mask for the loopback interface.
  Your Action: Enter the subnet mask or address prefix.

Services
  Function: Specifies services to be enabled: telnet and SSH.
  Your Action: Select to enable the required services.

Enable JUNOScript over Clear Text
  Function: Enables clear text access to the JUNOScript XML scripting API.
  Your Action: To enable clear text access, select the Enable JUNOScript over Clear Text
  check box.

Enable JUNOScript over SSL
  Function: Enables secure SSL access to the JUNOScript XML scripting API.
  Your Action: To enable SSL access, select the Enable JUNOScript over SSL check box.

JUNOScript Certificate
  Function: Specifies SSL certificates to be used for encryption. This field is available
  only after you create at least one SSL certificate.
  Your Action: To enable an SSL certificate, select a certificate from the JUNOScript SSL
  Certificate list, for example, new.

Services tab

Enable HTTP
  Function: Enables HTTP access on interfaces.
  Your Action: To enable HTTP access, select the Enable HTTP access check box.
  Select and clear interfaces by clicking the direction arrows: to enable HTTP access on
  an interface, add the interface to the HTTP Interfaces list. You can either select all
  interfaces or specific interfaces.

Enable HTTPS
  Function: Enables HTTPS access on interfaces.
  Your Action: To enable HTTPS access, select the Enable HTTPS access check box.
  Select and deselect interfaces by clicking the direction arrows: to enable HTTPS access
  on an interface, add the interface to the HTTPS Interfaces list. You can either select all
  interfaces or specific interfaces.
  NOTE: Specify the certificate to be used for HTTPS access.

Certificates tab

Certificates
  Function: Displays digital certificates required for SSL access to the switch. Allows you
  to add and delete SSL certificates.
  Your Action: To add a certificate:
    1. Have a general SSL certificate available. See Generating SSL Certificates for more
    information.
    2. Click Add. The Add a Local Certificate page opens.
    3. Type a name in the Certificate Name box, for example, new.
    4. Open the certificate file and copy its contents.
    5. Paste the generated certificate and RSA private key in the Certificate box.
  To edit a certificate, select it and click Edit.
  To delete a certificate, select it and click Delete.

Related Topics

Security Features for EX Series Switches Overview on page 15

Understanding J-Web User Interface Sessions on page 76

Configuring Date and Time for the EX Series Switch (J-Web Procedure)

To configure date and time:

1. Select Configure>System Properties>Date & Time.

2. To modify the information, click Edit. Enter information into the Edit Date &
Time page, as described in Table 26 on page 136.

3. Click one:

  • To apply the configuration, click OK.

  • To cancel your entries and return to the System Properties page, click Cancel.

Table 26: Date and Time Settings

Time

Time Zone
  Function: Identifies the time zone that the switching platform is located in.
  Your Action: Select the appropriate time zone from the list.

Set Time
  Function: Synchronizes the system time with that of the NTP server. You can also
  manually set the system time and date.
  Your Action: To immediately set the time, click one:
    • Synchronize with PC time: The switch synchronizes the time with that of the PC.
    • NTP Servers: The switch sends a request to the NTP server and synchronizes the
    system time.
    • Manual: A pop-up window allows you to select the current date and time from a list.

Related Topics

J-Web User Interface for EX Series Switches Overview on page 61

Generating SSL Certificates to Be Used for Secure Web Access

You can set up secure Web access for an EX Series switch. To enable secure Web
access, you must generate a digital Secure Sockets Layer (SSL) certificate and then
enable HTTPS access on the switch.

To generate an SSL certificate:

1. Enter the following openssl command in your SSH command-line interface on
a BSD or Linux system on which openssl is installed. The openssl command
generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format.
It writes the certificate and an unencrypted 1024-bit RSA private key to the
specified file.

% openssl req -x509 -nodes -newkey rsa:1024 -keyout filename.pem -out filename.pem

where filename is the name of a file in which you want the SSL certificate to be
written, for example, new.

2. When prompted, type the appropriate information in the identification form.
For example, type US for the country name.

3. Display the contents of the file that you created.

cat new.pem

NOTE: When you are ready to install the SSL certificate, copy the file containing the
certificate from the BSD or Linux system to the switch. Open the file and copy its
contents so that you can paste it into the Certificate box on the J-Web Secure Access
Configuration page.

You can use the J-Web Configuration page to install the SSL certificate and enable HTTPS.
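The procedure above runs openssl interactively; the following script, added here as an example and not part of the Juniper guide, runs the same command non-interactively and then checks the PEM file before its contents are pasted into the J-Web Certificate box: that it holds exactly one certificate and exactly one unencrypted private key, what subject and expiry the certificate carries, and what key size it uses. The file name new.pem is the guide's example; the subject string is a constructed sample value, and the key size is a parameter (the guide's command uses 1024 bits).

```shell
#!/bin/sh
# Added example (not from the Juniper guide): generate the self-signed SSL
# certificate non-interactively and verify the PEM file before installing it
# on the switch through J-Web.
# Assumptions: openssl is on PATH; "new.pem" is the guide's example file name;
# the subject string passed in is a constructed sample value.

# gen_selfsigned FILE BITS DAYS SUBJECT
# Same command as the guide's step 1, with -subj and -days added so that no
# identification form is shown. -nodes leaves the RSA key unencrypted, which
# the J-Web Certificate box requires because it cannot prompt for a passphrase.
# openssl appends the certificate to the key file when -keyout and -out match.
gen_selfsigned() {
    openssl req -x509 -nodes -newkey "rsa:$2" -days "$3" -subj "$4" \
        -keyout "$1" -out "$1" 2>/dev/null
}

# pem_has_cert_and_key FILE
# Returns 0 only if FILE contains exactly one certificate block and exactly one
# private-key block (PKCS#8 "PRIVATE KEY" or traditional "RSA PRIVATE KEY"),
# which is what is expected to be pasted into the Certificate box.
pem_has_cert_and_key() {
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -E -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$1" || true)
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ]
}

# key_is_unencrypted FILE
# An encrypted key carries "ENCRYPTED" in its PEM header (traditional
# Proc-Type line or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"); such a file
# cannot be used by the switch, so reject it.
key_is_unencrypted() {
    ! grep -q -e 'ENCRYPTED' "$1"
}

# cert_subject FILE / cert_not_after FILE
# Print the subject and expiry of the certificate in FILE so that the operator
# can confirm what is about to be installed on the switch. openssl x509 skips
# the key block and reads the first CERTIFICATE block in the file.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}
cert_not_after() {
    openssl x509 -noout -enddate -in "$1"
}

# cert_key_bits FILE
# Print the RSA key size, in bits, of the certificate's public key.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Usage, with the guide's file name (sample subject is a constructed value):
#   gen_selfsigned new.pem 2048 365 '/C=US/O=Example/CN=switch.example.net'
#   pem_has_cert_and_key new.pem && key_is_unencrypted new.pem \
#       && cert_subject new.pem && cert_not_after new.pem && cert_key_bits new.pem
```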
Related Topics

Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 133

Security Features for EX Series Switches Overview on page 15

Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure)

JUNOS Software for EX Series switches enables you to configure the Microsoft
Corporation implementation of the Challenge Handshake Authentication Protocol
version 2 (MS-CHAPv2) on the switch to provide password-change support. Configuring
MS-CHAPv2 on the switch provides users accessing a switch the option of changing
the password when the password expires, is reset, or is configured to be changed at
next login.

See RFC 2433 at , Microsoft PPP CHAP Extensions, for information about MS-CHAP.

Before you configure MS-CHAPv2 to provide password-change support, ensure that
you have:

• Configured RADIUS server authentication. Configure users on the authentication
server and set the first-tried option in the authentication order to radius. See
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on
page 883.

To configure MS-CHAPv2, specify the following:

[edit system radius-options]
user@switch# set password-protocol mschap-v2

You must have the required access permission on the switch in order to change your
password.

Related Topics

Managing Users (J-Web Procedure) on page 148

For more about configuring user access, see the JUNOS Software Access Privilege
Configuration Guide at

Chapter 11: Administering and Monitoring Basic System Functions

Monitoring Hosts Using the J-Web Ping Host Tool on page 139

Monitoring Switch Control Traffic on page 141

Monitoring Network Traffic Using Traceroute on page 143

Monitoring System Properties on page 145

Monitoring System Process Information on page 146

Rebooting or Halting the EX Series Switch (J-Web Procedure) on page 147

Managing Users (J-Web Procedure) on page 148

Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) on page 150

Setting or Deleting the Rescue Configuration (CLI Procedure) on page 152

Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 153

Reverting to the Rescue Configuration for the EX Series Switch on page 154

Reverting to the Default Factory Configuration for the EX Series Switch on page 154

Checking Active Alarms with the J-Web Interface on page 156

Monitoring Chassis Alarms for an EX8200 Switch on page 157

Monitoring System Log Messages on page 160

Monitoring Hosts Using the J-Web Ping Host Tool

Purpose: Use the J-Web ping host tool to verify that the host can be reached over the
network. The output is useful for diagnosing host and network connectivity problems.
The switch sends a series of ICMP echo (ping) requests to a specified host and receives
ICMP echo responses.

Action: To use the J-Web ping host tool:

1. Select Troubleshoot>Ping Host.

2. Next to Advanced options, click the expand icon.

3. Enter information into the Ping Host page, as described in Table 27 on page 140.
The Remote Host field is the only required field.

4. Click Start.
The results of the ping operation are displayed in the main pane. If no options
are specified, each ping response is in the following format:

bytes bytes from ip-address: icmp_seq=number ttl=number time=time

5. To stop the ping operation before it is complete, click OK.

Meaning: Table 27 on page 140 lists the fields.

Table 27: J-Web Ping Host Field Summary

Remote Host
  Function: Identifies the host to ping.
  Your Action: Type the hostname or IP address of the host to ping.

Advanced Options

Don't Resolve Addresses
  Function: Determines whether to display hostnames of the hops along the path.
  Your Action: To suppress the display of the hop hostnames, select the check box.
  To display the hop hostnames, clear the check box.

Interface
  Function: Specifies the interface on which the ping requests are sent.
  Your Action: Select the interface on which ping requests are sent from the list. If you
  select any, the ping requests are sent on all interfaces.

Count
  Function: Specifies the number of ping requests to send.
  Your Action: Select the number of ping requests to send from the list.

Don't Fragment
  Function: Specifies the Don't Fragment (DF) bit in the IP header of the ping request
  packet.
  Your Action: To set the DF bit, select the check box. To clear the DF bit, clear the
  check box.

Record Route
  Function: Sets the record route option in the IP header of the ping request packet. The
  path of the ping request packet is recorded within the packet and displayed in the
  main pane.
  Your Action: To record and display the path of the packet, select the check box.
  To suppress the recording and display of the path of the packet, clear the check box.

Type-of-Service
  Function: Specifies the type-of-service (TOS) value in the IP header of the ping request
  packet.
  Your Action: Select the decimal value of the TOS field from the list.

Routing Instance
  Function: Name of the routing instance for the ping attempt.
  Your Action: Select the routing instance name from the list.

Interval
  Function: Specifies the interval, in seconds, between transmissions of individual ping
  requests.
  Your Action: Select the interval from the list.

Packet Size
  Function: Specifies the size of the ping request packet.
  Your Action: Type the size, in bytes, of the packet. The size can be from 0 through
  65468. The switch adds 8 bytes of ICMP header to the size.

Source Address
  Function: Specifies the source address of the ping request packet.
  Your Action: Type the source IP address.

Time-to-Live
  Function: Specifies the time-to-live (TTL) hop count for the ping request packet.
  Your Action: Select the TTL value from the list.

Bypass Routing
  Function: Determines whether ping requests are routed by means of the routing table.
  If the routing table is not used, ping requests are sent only to hosts on the interface
  specified in the Interface box. If the host is not on that interface, ping responses are
  not sent.
  Your Action: To bypass the routing table and send the ping requests to hosts on the
  specified interface only, select the check box. To route the ping requests using the
  routing table, clear the check box.

Related Topics

Monitoring Interface Status and Traffic on page 395

Monitoring Switch Control Traffic

Purpose: Use the packet capture feature when you need to quickly capture and analyze
switch control traffic on a switch. The packet capture feature allows you to capture
traffic destined for or originating from the Routing Engine.

Action: To use the packet capture feature in the J-Web interface, select
Troubleshoot>Packet Capture.
To use the packet capture feature in the CLI, enter the following CLI command:

monitor traffic

Meaning: You can use the packet capture feature to compose expressions with various
matching criteria to specify the packets that you want to capture. You can decode and
view the captured packets in the J-Web interface as they are captured. The packet
capture feature does not capture transient traffic.

Table 28: Packet Capture Field Summary

Interface
  Function: Specifies the interface on which the packets are captured. If you select
  default, packets on the Ethernet management port 0 are captured.
  Your Action: From the list, select an interface, for example, ge-0/0/0.

Detail level
  Function: Specifies the level of detail to be displayed for the packet headers:
    • Brief: Displays the minimum packet header information. This is the default.
    • Detail: Displays packet header information in moderate detail.
    • Extensive: Displays the maximum packet header information.
  Your Action: From the list, select Detail.

Packets
  Function: Specifies the number of packets to be captured. Values range from 1 to 1000.
  Default is 10. Packet capture stops capturing packets after this number is reached.
  Your Action: From the list, select the number of packets to be captured, for example, 10.

Addresses
  Function: Specifies the addresses to be matched for capturing the packets using a
  combination of the following parameters:
    • Direction: Matches the packet headers for IP address, hostname, or network
    address of the source, destination, or both.
    • Type: Specifies if packet headers are matched for host address or network address.
  You can add multiple entries to refine the match criteria for addresses.
  Your Action: Select address-matching criteria. For example:
    1. From the Direction list, select source.
    2. From the Type list, select host.
    3. In the Address box, type 10.1.40.48.
    4. Click Add.

Protocols
  Function: Matches the protocol for which packets are captured. You can choose to
  capture TCP, UDP, or ICMP packets or a combination of TCP, UDP, and ICMP packets.
  Your Action: From the list, select a protocol, for example, tcp.

Ports
  Function: Matches packet headers containing the specified source or destination TCP or
  UDP port number or port name.
  Your Action: Select a direction and a port. For example:
    • From the Type list, select src.
    • In the Port box, type 23.

Advanced Options

Absolute TCP Sequence
  Function: Specifies that absolute TCP sequence numbers are to be displayed for the
  packet headers.
  Your Action: To display absolute TCP sequence numbers in the packet headers, select
  this check box.

Layer 2 Headers
  Function: Specifies that link-layer packet headers are to be displayed.
  Your Action: To include link-layer packet headers while capturing packets, select this
  check box.

Non-Promiscuous
  Function: Specifies not to place the interface in promiscuous mode, so that the
  interface reads only packets addressed to it. In promiscuous mode, the interface reads
  every packet that reaches it.
  Your Action: To read all packets that reach the interface, select this check box.

Display Hex
  Function: Specifies that packet headers, except link-layer headers, are to be displayed
  in hexadecimal format.
  Your Action: To display the packet headers in hexadecimal format, select this check box.

Display ASCII and Hex
  Function: Specifies that packet headers are to be displayed in hexadecimal and ASCII
  format.
  Your Action: To display the packet headers in ASCII and hexadecimal formats, select
  this check box.

Header Expression
  Function: Specifies the match condition for the packets to be captured. The match
  conditions you specify for Addresses, Protocols, and Ports are displayed in expression
  format in this field.
  Your Action: You can enter match conditions directly in this field in expression format
  or modify the expression composed from the match conditions you specified for
  Addresses, Protocols, and Ports. If you change the match conditions specified for
  Addresses, Protocols, and Ports again, packet capture overwrites your changes with the
  new match conditions.

Packet Size
  Function: Specifies the number of bytes to be displayed for each packet. If a packet
  header exceeds this size, the display is truncated for the packet header. The default
  value is 96 bytes.
  Your Action: Type the number of bytes you want to capture for each packet header, for
  example, 256.

Don't Resolve Addresses
  Function: Specifies that IP addresses are not to be resolved into hostnames in the
  packet headers displayed.
  Your Action: To prevent packet capture from resolving IP addresses to hostnames,
  select this check box.

No Timestamp
  Function: Suppresses the display of packet header timestamps.
  Your Action: To stop displaying timestamps in the captured packet headers, select this
  check box.

Write Packet Capture File
  Function: Writes the captured packets to a file in PCAP format in /var/tmp. The files
  are named with the prefix jweb-pcap and the extension .pcap. If you select this option,
  the decoded packet headers are not displayed on the packet capture page.
  Your Action: To decode and display the packet headers on the J-Web page, clear this
  check box.

Related Topics

Using the CLI Terminal on page 66

Monitoring Network Traffic Using Traceroute

Purpose: Use the Traceroute page in the J-Web interface to trace a route between the
switch and a remote host. You can use a traceroute task to display a list of waypoints
between the switch and a specified destination host. The output is useful for
diagnosing a point of failure in the path from the switch platform to the destination
host and addressing network traffic latency and throughput problems.

Action: To use the traceroute tool:

1. Select Troubleshoot>Traceroute.

2. Next to Advanced options, click the expand icon.

3. Enter information into the Traceroute page.
The Remote Host field is the only required field.

4. Click Start.

5. To stop the traceroute operation before it is complete, click OK while the results
of the traceroute operation are being displayed.

Meaning: The switch generates the list of waypoints by sending a series of ICMP
traceroute packets in which the time-to-live (TTL) value in the messages sent to each
successive waypoint is incremented by 1. (The TTL value of the first traceroute packet
is set to 1.) In this manner, each waypoint along the path to the destination host
replies with a Time Exceeded packet from which the source IP address can be obtained.

The results of the traceroute operation are displayed in the main pane. If no options
are specified, each line of the traceroute display is in the following format:

hop-number host (ip-address) [as-number] time1 time2 time3

The switch sends a total of three traceroute packets to each waypoint along the path
and displays the round-trip time for each traceroute operation. If the switch times
out before receiving a Time Exceeded message, an asterisk (*) is displayed for that
round-trip time.

Table 29: Traceroute Field Summary

Remote Host
  Function: Identifies the destination host of the traceroute.
  Your Action: Type the hostname or IP address of the destination host.

Advanced Options

Don't Resolve Addresses
  Function: Determines whether hostnames of the hops along the path are displayed, in
  addition to IP addresses.
  Your Action: To suppress the display of the hop hostnames, select the check box.

Gateway
  Function: Specifies the IP address of the gateway to route through.
  Your Action: Type the gateway IP address.

Source Address
  Function: Specifies the source address of the outgoing traceroute packets.
  Your Action: Type the source IP address.

Bypass Routing
  Function: Determines whether traceroute packets are routed by means of the routing
  table. If the routing table is not used, traceroute packets are sent only to hosts on the
  interface specified in the Interface box. If the host is not on that interface, traceroute
  responses are not sent.
  Your Action: To bypass the routing table and send the traceroute packets to hosts on
  the specified interface only, select the check box.

Interface
  Function: Specifies the interface on which the traceroute packets are sent.
  Your Action: From the list, select the interface on which traceroute packets are sent. If
  you select any, the traceroute requests are sent on all interfaces.

Time-to-live
  Function: Specifies the maximum time-to-live (TTL) hop count for the traceroute
  request packet.
  Your Action: From the list, select the TTL.

Type-of-Service
  Function: Specifies the type-of-service (TOS) value to include in the IP header of the
  traceroute request packet.
  Your Action: From the list, select the decimal value of the TOS field.

Resolve AS Numbers
  Function: Determines whether the autonomous system (AS) number of each
  intermediate hop between the router and the destination host is displayed.
  Your Action: To display the AS numbers, select the check box.

Related Topics

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Monitoring Interface Status and Traffic on page 395

Monitoring System Properties

Purpose: Use the monitoring functionality to view system properties such as the name
and IP address of the switch and resource usage.

Action: To monitor system properties in the J-Web interface, select Monitor > System
View > System Information.
To monitor system properties in the CLI, enter the following commands:

show system uptime

show system users

show system storage

Meaning: Table 30 on page 145 summarizes key output fields in the system properties
display.

Table 30: Summary of Key System Properties Output Fields

General Information

Serial Number
  Values: Serial number for the switch.

JUNOS Software Version
  Values: Version of JUNOS Software active on the switch, including whether the software
  is for domestic or export use.
  Additional Information: Export software is for use outside of the U.S. and Canada.

Hostname
  Values: The name of the switch.

IP Address
  Values: The IP address of the switch.

Loopback Address
  Values: The loopback address.

Domain Name Server
  Values: The address of the domain name server.

Time Zone
  Values: The time zone on the switch.

Time

Current Time
  Values: Current system time, in Coordinated Universal Time (UTC).

System Booted Time
  Values: Date and time when the switch was last booted and how long it has been
  running.

Protocol Started Time
  Values: Date and time when the switching protocols were last started and how long
  they have been running.

Last Configured Time
  Values: Date and time when a configuration was last committed. This field also shows
  the name of the user who issued the last commit command, through either the J-Web
  interface or the CLI.

Load Average
  Values: The CPU load average for 1, 5, and 15 minutes.

Storage Media

Internal Flash Memory
  Values: Memory usage details of internal flash.

External Flash Memory
  Values: Usage details of external flash memory.

Logged in Users Details

User
  Values: Username of any user logged in to the switching platform.

Terminal
  Values: Terminal through which the user is logged in.

From
  Values: System from which the user has logged in. A hyphen indicates that the user is
  logged in through the console.

Login Time
  Values: Time when the user logged in.
  Additional Information: This is the LOGIN@ field in show system users command output.

Idle Time
  Values: How long the user has been idle.

Related Topics

Monitoring System Process Information on page 146

Understanding J-Web User Interface Sessions on page 76

Monitoring System Process Information

Purpose: Use the monitoring functionality to view the processes running on the switch.

Action: To view the software processes running on the switch in the J-Web interface,
select Monitor>System View>Process Details.
To view the software processes running on the switch in the CLI, enter the following
command:

show system processes

Meaning: Table 31 on page 147 summarizes the output fields in the system process
information display. The display includes the total CPU load and total memory
utilization.

Table 31: Summary of System Process Information Output Fields

PID
  Values: Identifier of the process.

Name
  Values: Owner of the process.

State
  Values: Current state of the process.

CPU Load
  Values: Percentage of the CPU that is being used by the process.

Memory Utilization
  Values: Amount of memory that is being used by the process.

Start Time
  Values: Time of day when the process started.

Related Topics

Monitoring System Properties on page 145

For more information about the show system properties command, see show system
uptime.

Rebooting or Halting the EX Series Switch (J-Web Procedure)

You can use the J-Web interface to schedule a reboot or to halt the switching platform.

To reboot or halt the switching platform by using the J-Web interface:

1. In the J-Web interface, select Maintain>Reboot.

2. Select one:

  • Reboot Immediately: Reboots the switching platform immediately.

  • Reboot in number of minutes: Reboots the switch in the number of minutes
  from now that you specify.

  • Reboot when the system time is hour:minute: Reboots the switch at the
  absolute time that you specify, on the current day. You must select a 2-digit
  hour in 24-hour format and a 2-digit minute.

  • Halt Immediately: Stops the switching platform software immediately.
  After the switching platform software has stopped, you can access the
  switching platform through the console port only.

3. (Optional) In the Message box, type a message to be displayed to any users on
the switching platform before the reboot occurs.

4. Click Schedule. The J-Web interface requests confirmation to perform the reboot
or halt.

5. Click OK to confirm the operation.

  • If the reboot is scheduled to occur immediately, the switch reboots. You
  cannot access the J-Web interface until the switch has restarted and the boot
  sequence is complete. After the reboot is complete, refresh the browser
  window to display the J-Web interface login page.

  • If the reboot is scheduled to occur in the future, the Reboot page displays
  the time until reboot. You have the option to cancel the request by clicking
  Cancel Reboot on the J-Web interface Reboot page.

  • If the switch is halted, all software processes stop and you can access the
  switching platform through the console port only. Reboot the switch by
  pressing any key on the keyboard.

Related Topics

Starting the J-Web Interface on page 68

Managing Users (J-Web Procedure)

You can use the Users Configuration page for user information to add new users to a switching platform. For each account, you define a login name and password for the user and specify a login class for access privileges.

To configure users:

1. In the J-Web interface, select Configure>System Properties>User Management.

   The User Management page displays details of users, the authentication order, the RADIUS servers and TACACS servers present.

2. Click Edit.

3. Click any of the following options on the Users tab:

   - Add: Select this option to add a user. Enter details as described in Table 32 on page 149.

   - Edit: Select this option to edit an existing user's details. Enter details as described in Table 32 on page 149.

   - Delete: Select this option to delete a user.

4. Click any desired option on the Authentication Methods and Order tab:

   - Authentication Order: Drag and drop the authentication type from the Available Methods section to the Selected Methods. Click the up or down buttons to modify the authentication order.

   - RADIUS server: Click one:

     - Add: Select this option to add an authentication server. Enter details as described in Table 33 on page 150.

     - Edit: Select this option to modify the authentication server details. Enter details as described in Table 33 on page 150.

     - Delete: Select this option to delete an authentication server from the list.

   - TACACS server: Click one:

     - Add: Select this option to add an authentication server. Enter details as described in Table 33 on page 150.

     - Edit: Select this option to modify the authentication server details. Enter details as described in Table 33 on page 150.

     - Delete: Select this option to delete an authentication server from the list.
Table 32: User Management > Add a User Configuration Page Summary

User Information

Username (required)
  Function: Specifies the name that identifies the user.
  Your Action: Type the username. It must be unique within the switching platform. Do not include spaces, colons, or commas in the username.

User Id
  Function: Specifies the user identification.
  Your Action: Type the user's ID.

Full Name
  Function: Specifies the user's full name.
  Your Action: Type the user's full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

Login Class (required)
  Function: Defines the user's access privilege.
  Your Action: Select the user's login class from the list:
    - operator
    - read-only
    - super-user/superuser
    - unauthorized
  This list also includes any user-defined login classes.

Password
  Function: Specifies the login password for this user.
  Your Action: Type the login password for this user. The login password must meet these criteria:
    - The password must be at least 6 characters long.
    - It can include alphabetic, numeric, and special characters, but not control characters.
    - It must contain at least one change of case or character class.

Confirm Password
  Function: Verifies the login password for this user.
  Your Action: Retype the login password for this user.
Table 33: Add an Authentication Server

IP Address
  Function: Specifies the IP address of the server.
  Your Action: Type the server's 32-bit IP address, in dotted decimal notation.

Password
  Function: Specifies the password of the server.
  Your Action: Type the password of the server.

Confirm Password
  Function: Verifies that the password of the server is entered correctly.
  Your Action: Retype the password of the server.

Server Port
  Function: Specifies the port with which the server is associated.
  Your Action: Type the port number.

Source Address
  Function: Specifies the source address of the server.
  Your Action: Type the server's 32-bit IP address, in dotted decimal notation.

Retry Attempts
  Function: Specifies the number of login retries allowed after a login failure.
  Your Action: Type the number.
  NOTE: Only 1 retry is permitted for a TACACS server.

Time out
  Function: Specifies the time interval to wait before the connection to the server is closed.
  Your Action: Type the interval in seconds.

Related Topics

Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 133
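The rules in Tables 32 and 33 are also the checks an automation script should run before it pushes a user account or an authentication-server entry to a switch. The following Python validator is an added example, not J-Web's own validation code: it implements the constraints stated in the two tables (username and full-name characters, the listed login classes plus any user-defined ones, the three password criteria, dotted-decimal IPv4 addresses, and the single retry allowed for a TACACS server). The function names and the port and timeout range checks are this example's own assumptions.

```python
"""Validate J-Web User Management entries against the rules in Tables 32 and 33.

Added example, not J-Web code. Function names and the port/timeout range
checks are assumptions; the other rules are the ones stated in the tables.
"""
import ipaddress
import re

# Login classes listed in Table 32; user-defined classes are passed in separately.
LOGIN_CLASSES = {"operator", "read-only", "super-user", "superuser", "unauthorized"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def char_class(ch):
    """Bucket a character into one of the classes a password may change between."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "special"


def password_problems(password):
    """Return the Table 32 password criteria that the password violates."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if CONTROL_CHARS.search(password):
        problems.append("contains control characters")
    # "At least one change of case or character class" means the password
    # must draw on at least two of the classes above.
    if len({char_class(c) for c in password}) < 2:
        problems.append("no change of case or character class")
    return problems


def user_problems(username, login_class, full_name="", password="",
                  confirm=None, extra_classes=()):
    """Check an Add a User form; returns a list of problems, empty when valid."""
    problems = []
    if not username:
        problems.append("username is required")
    elif re.search(r"[ :,]", username):
        problems.append("username must not contain spaces, colons, or commas")
    if re.search(r"[:,]", full_name):
        problems.append("full name must not contain colons or commas")
    if login_class not in LOGIN_CLASSES | set(extra_classes):
        problems.append(f"unknown login class {login_class!r}")
    problems += [f"password {p}" for p in password_problems(password)]
    if confirm is not None and confirm != password:
        problems.append("password and confirmation differ")
    return problems


def auth_server_problems(kind, address, secret, confirm, port,
                         source_address, retries, timeout):
    """Check an Add an Authentication Server form; kind is "radius" or "tacacs"."""
    problems = []
    for label, value in (("IP address", address), ("source address", source_address)):
        try:
            ipaddress.IPv4Address(value)   # 32-bit address in dotted-decimal notation
        except ValueError:
            problems.append(f"{label} {value!r} is not a dotted-decimal IPv4 address")
    if not secret:
        problems.append("password is required")
    elif secret != confirm:
        problems.append("password and confirmation differ")
    if not 1 <= port <= 65535:          # assumed range check, not from the table
        problems.append(f"port {port} is out of range")
    if retries < 0:
        problems.append("retry attempts must not be negative")
    if kind == "tacacs" and retries > 1:
        problems.append("only 1 retry is permitted for a TACACS server")
    if timeout <= 0:                    # assumed range check, not from the table
        problems.append("timeout must be a positive number of seconds")
    return problems


if __name__ == "__main__":
    print(user_problems("ops admin", "operator", password="abc", confirm="abc"))
    print(auth_server_problems("tacacs", "192.0.2.11", "s3cret", "s3cret",
                               49, "192.0.2.1", retries=3, timeout=5))
```

Each function returns the list of violated rules rather than raising on the first one, so a provisioning script can report every problem with a form at once, the way the J-Web page does.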

Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure)

You can use the J-Web interface to rotate log files and delete unnecessary log, temporary, and crash files on the switching platform.

1. Cleaning Up Files on page 150
2. Downloading Files on page 151
3. Deleting Files on page 151

Cleaning Up Files

If you are running low on storage space, use the file cleanup procedure to quickly identify files to delete.

The file cleanup procedure performs the following tasks:

- Rotates log files: Archives the current log files, and creates fresh log files.

- Deletes log files in /var/log: Deletes files that are not currently being written to.

- Deletes temporary files in /var/tmp: Deletes files that have not been accessed within two days.

- Deletes all crash files in /var/crash: Deletes core files that the switch has written during an error.

To rotate log files and delete unnecessary files with the J-Web interface:

1. Select Maintain>Files.

2. In the Clean Up Files section, click Clean Up Files. The switching platform rotates log files and identifies files that can be safely deleted.

   The J-Web interface displays the files that you can delete and the amount of space that will be freed on the file system.

3. Click one:

   - To delete the files and return to the Files page, click OK.

   - To cancel your entries and return to the list of files in the directory, click Cancel.

Downloading Files

You can use the J-Web interface to download a copy of an individual log, temporary, or crash file from the switching platform. When you download a file, it is not deleted from the file system.

To download files with the J-Web interface:

1. In the J-Web interface, select Maintain>Files.

2. In the Download and Delete Files section, click one:

   - Log Files: Lists the log files in the /var/log directory on the switch.

   - Temporary Files: Lists the temporary files in the /var/tmp directory on the switching platform.

   - Jailed Temporary Files (Install, Session, etc): Lists the files in the /var/jail/tmp directory on the switching platform.

   - Crash (Core) Files: Lists the core files in the /var/crash directory on the switching platform.

   The J-Web interface displays the files located in the directory.

3. Select the files that you want to download and click Download.

4. Choose a location for the saved file.

   The file is saved as a text file, with a .txt file extension.

Deleting Files

You can use the J-Web interface to delete an individual log, temporary, or crash file from the switching platform. When you delete the file, it is permanently removed from the file system.

CAUTION: If you are unsure whether to delete a file from the switching platform, we recommend using the Clean Up Files tool described in Cleaning Up Files. This tool determines which files can be safely deleted from the file system.

To delete files with the J-Web interface:

1. Select Maintain>Files.

2. In the Download and Delete Files section, click one:

   - Log Files: Lists the log files in the /var/log directory on the switching platform.

   - Temporary Files: Lists the temporary files in the /var/tmp directory on the switching platform.

   - Jailed Temporary Files (Install, Session, etc): Lists the files in the /var/jail/tmp directory on the switching platform.

   - Crash (Core) Files: Lists the core files in the /var/crash directory on the switching platform.

   The J-Web interface displays the files in the directory.

3. Select the box next to each file you plan to delete.

4. Click Delete.

   The J-Web interface displays the files you can delete and the amount of space that will be freed on the file system.

5. Click one of the following buttons on the confirmation page:

   - To delete the files and return to the Files page, click OK.

   - To cancel your entries and return to the list of files in the directory, click Cancel.
Setting or Deleting the Rescue Configuration (CLI Procedure)

A rescue configuration is a well-known configuration that recovers a switch from a configuration that denies management access. You set a current committed configuration to be the rescue configuration through the J-Web interface or CLI.

If someone inadvertently commits a configuration that denies management access to an EX Series switch and the console port is not accessible, you can overwrite the invalid configuration and replace it with the rescue configuration by using the LCD panel on the switch. The rescue configuration is a previously committed, valid configuration. We recommend that the rescue configuration include the IP address (accessible from the network) for the management port.

To set the current active configuration as the rescue configuration:

user@switch> request system configuration rescue save

To delete an existing rescue configuration:

user@switch> request system configuration rescue delete

Related Topics

Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 153

Reverting to the Rescue Configuration for the EX Series Switch on page 154

Loading a Previous Configuration File (CLI Procedure) on page 112

Configuration Files Terms on page 104

For information on show system configuration rescue, see the JUNOS Software System Basics and Services Command Reference at http://www.juniper.net/techpubs/software/junos/junos94/index.html.

Setting or Deleting the Rescue Configuration (J-Web Procedure)

A rescue configuration is a well-known configuration that recovers a switch from a configuration that denies management access. You set a current committed configuration to be the rescue configuration through the J-Web interface or CLI.

If someone inadvertently commits a configuration that denies management access to an EX Series switch and the console port is not accessible, you can overwrite the invalid configuration and replace it with the rescue configuration by using the LCD panel on the switch. The rescue configuration is a previously committed, valid configuration. We recommend that the rescue configuration include the IP address (accessible from the network) for the management port.

To view, set, or delete the rescue configuration using the J-Web interface, select Maintain > Config Management > Rescue. On the Rescue page, you can perform the following tasks:

- View the current rescue configuration: Click View rescue configuration.

- Set the current running configuration as the rescue configuration: Click Set rescue configuration.

- Delete the current rescue configuration: Click Delete rescue configuration.

Related Topics

Setting or Deleting the Rescue Configuration (CLI Procedure) on page 152

Reverting to the Rescue Configuration for the EX Series Switch on page 154

Configuration Files Terms on page 104

Reverting to the Rescue Configuration for the EX Series Switch

If someone inadvertently commits a configuration that denies management access to an EX Series switch and the console port is not accessible, you can overwrite the invalid configuration and replace it with the rescue configuration by using the LCD panel on the switch. The rescue configuration is a previously committed, valid configuration.

You can also revert to the default factory configuration, as described in Reverting to the Default Factory Configuration for the EX Series Switch on page 154.

Before you begin to revert to the rescue configuration:

- Ensure that you have physical access to the switch.

- A rescue configuration for the switch must have been previously set.

To revert the switch to the rescue configuration:

1. At the LCD panel on the switch, press Menu until you see MAINTENANCE MENU.

2. Press Enter.

3. Press Menu until you see Load Rescue.

4. Press Enter.

5. When Commit Rescue is displayed, press Enter.

   The LCD panel displays the message Commit Rescue in Progress. When the reversion is complete, it displays the idle menu.

NOTE: If there is no rescue configuration saved on the switch, the message Commit rescue failed is displayed.

Related Topics

Setting or Deleting the Rescue Configuration (CLI Procedure) on page 152

Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 153

LCD Panel in EX3200 and EX4200 Switches

LCD Panel in an EX8200 Switch

Configuration Files Terms on page 104

Reverting to the Default Factory Configuration for the EX Series Switch

If for any reason the current active configuration fails, you can revert to the default factory configuration. You can also roll back to a previous configuration, as described in Loading a Previous Configuration File (CLI Procedure) on page 112, or revert to the rescue configuration, as described in Reverting to the Rescue Configuration for the EX Series Switch on page 154.

The default factory configuration contains the basic configuration settings. This is the first configuration of the switch and it is loaded when the switch is first installed and powered on.

You can revert to the default factory configuration by using the Menu button to the right of the LCD on the front panel of the switch or by using the load factory default configuration command.

- Reverting to the Default Factory Configuration by Using the LCD Panel on page 155

- Reverting to the Default Factory Configuration by Using the Load Factory Default Command on page 156

Reverting to the Default Factory Configuration by Using the LCD Panel

To set the switch to the default factory configuration, use the LCD panel and buttons on the front panel of the switch as shown in Figure 7 on page 155.

Use the LCD panel to revert to the default factory configuration if you want to run EZSetup. When you use the CLI to revert to the default factory configuration, the configuration for the root password is retained and you cannot run EZSetup.

Figure 7: EX Series Switch LCD Panel

NOTE: If you want to convert an EX4200 switch from a member of a multimember Virtual Chassis configuration to a standalone switch, first disconnect the cables connected to the Virtual Chassis ports (VCPs). See Disconnecting a Virtual Chassis Cable from an EX4200 Switch. The Menu button procedure deletes all modified configuration parameters, including Virtual Chassis parameters such as member ID, mastership priority, and setting of VCP uplinks.

1. Press the Menu button until you see MAINTENANCE MENU on the panel.

2. Press the Enter button.

3. Press Menu until you see FACTORY DEFAULT.

4. Press Enter. The display says RESTORE DEFAULT?

5. Press Enter. The screen flashes FACTORY DEFAULT IN PROGRESS and returns to the idle menu.

Reverting to the Default Factory Configuration by Using the Load Factory Default Command

The load factory default command is a standard JUNOS configuration command. This configuration command replaces the current active configuration with the default factory configuration.

Use the LCD panel to revert to the default factory configuration if you want to run EZSetup. When you use the CLI to revert to the default factory configuration, the configuration for the root password is retained and you cannot run EZSetup.

NOTE: The load factory default command by itself is not supported on EX4200 switches configured in a Virtual Chassis with multiple members. In a multimember Virtual Chassis configuration, you can revert to the default factory configuration while retaining the Virtual Chassis parameters (member ID, mastership priority, or settings of VCP uplinks) using the following procedure:

1. [edit]
   user@switch# load factory default

2. [edit]
   user@switch# delete system commit factory-settings

3. [edit]
   user@switch# commit

4. Check the member ID and mastership priority with the show virtual-chassis status command and check to see whether there are remaining settings for uplink VCPs by using the show virtual-chassis vc-port command.

Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 265

EX3200 and EX4200 Default Configuration on page 115

EX8200 Switch Default Configuration on page 119

Understanding Configuration Files for EX Series Switches on page 103

For more information about the load factory default command, see the JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos/junos94/index.html.

Checking Active Alarms with the J-Web Interface

Purpose

Use the monitoring functionality to view alarm information for the EX Series switches including alarm type, alarm severity, and a brief description for each active alarm on the switching platform.

Action

To view the active alarms:

1. Select Monitor > Events and Alarms > View Alarms in the J-Web interface.

2. Select an alarm filter based on alarm type, severity, description, and date range.

3. Click Go.

   All the alarms matching the filter are displayed.

NOTE: When the switch is reset, the active alarms are displayed.

Meaning

Table 34 on page 157 lists the alarm output fields.

Table 34: Summary of Key Alarm Output Fields

Type
  Category of the alarm:
    - Chassis: Indicates an alarm condition on the chassis (typically an environmental alarm such as one related to temperature).
    - System: Indicates an alarm condition in the system.

Severity
  Alarm severity, either major (red) or minor (yellow).

Description
  Brief synopsis of the alarm.

Time
  Date and time when the failure was detected.

Related Topics

Monitoring System Log Messages on page 160

Dashboard for EX Series Switches on page 68

Understanding Alarm Types and Severity Levels on EX Series Switches on page 131

Monitoring Chassis Alarms for an EX8200 Switch

Purpose

This document provides information on chassis alarm conditions, and how you should respond when a certain chassis alarm is seen on your switch.

Various conditions related to the chassis components trigger yellow and red alarms. You cannot configure these conditions. See Understanding Alarm Types and Severity Levels on EX Series Switches on page 131.

Action

You can monitor chassis alarms by watching the ALM chassis status LED and using the LCD panel to gather information about the alarm. See Chassis Status LEDs in an EX8200 Switch and LCD Panel in an EX8200 Switch.

To display switch chassis alarms in the CLI, use the following command:

user@host> show chassis alarms

The command output displays the number of alarms currently active, the time when the alarm began, the severity level, and an alarm description. Note the date and time of an alarm so that you can correlate it with error messages in the messages system log file.

You can also monitor chassis alarms using the J-Web interface. See Checking Active Alarms with the J-Web Interface on page 156.

Table 35 on page 158 lists some of the chassis alarms that an EX8200 switch can generate.

Table 35: Chassis Alarms for EX8200 Switches

Each entry gives the component, the alarm condition, the remedy, the severity, and additional information.

Fan tray
  Alarm Condition: The fan tray has been removed from the chassis.
  Remedy: Install the fan tray.
  Severity: Yellow/Red
  Additional Information: The switch will eventually get too hot to operate if a fan tray is removed. Temperature alarms will follow. This alarm is expected during fan tray removal and installation.

Fan tray
  Alarm Condition: One or more fans in a fan tray is spinning below the required speed.
  Remedy: Replace the fan tray.
  Severity: Red
  Additional Information: Individual fans cannot be replaced; you must replace the fan tray.

Fan tray
  Alarm Condition: The fan tray's internal connection to the switch is not functioning properly.
  Remedy: Remove and reinsert the fan tray. If removing and reinserting the fan tray does not resolve the problem, reboot the switch.
  Severity: Red
  Additional Information: The switch will eventually get too hot to operate if a fan tray is not operating. Temperature alarms will follow.

Power supply
  Alarm Condition: A power supply slot that contained a power supply at bootup is now empty.
  Remedy: Install a power supply in the empty power supply slot.
  Severity: Yellow
  Additional Information: You can ignore this alarm in cases in which a power supply slot can remain empty. You will not see this alarm if the switch is booted with an empty power supply slot. This alarm is expected during power supply removal and installation. This alarm can be triggered by a line card insertion. The alarm condition corrects itself when seen for this reason.

Power supply
  Alarm Condition: A power supply has failed due to an input or output failure, or due to temperature issues.
  Remedy: Replace the failed power supply.
  Severity: Red

Power supply
  Alarm Condition: A power supply's internal connection to the switch is not operating properly.
  Remedy: Remove and reinsert the power supply. If removing and reinserting the power supply does not resolve the problem, reboot the switch.
  Severity: Red

Temperature
  Alarm Condition: The chassis warm temperature threshold has been exceeded and fan speeds have increased.
  Remedy: Adjust room temperature downward, if possible. Ensure airflow through the switch is unobstructed.
  Severity: Yellow
  Additional Information: The chassis is warm and should be cooled down. The switch is still functioning normally.
    To monitor temperature: user@switch> show chassis environment
    To monitor temperature thresholds: user@switch> show chassis temperature-thresholds

Temperature
  Alarm Condition: The chassis high temperature threshold has been exceeded and the fans are operating at full speed.
  Remedy: Adjust room temperature downward, if possible. Ensure airflow through the switch is unobstructed.
  Severity: Red
  Additional Information: The chassis is hot and should be cooled down. The switch might still function normally but is close to shutting down if it hasn't already.
    To monitor temperature: user@switch> show chassis environment
    To monitor temperature thresholds: user@switch> show chassis temperature-thresholds

Temperature
  Alarm Condition: The chassis warm temperature threshold has been exceeded, and one or more fans are not operating properly. The operating fans are running at full speed.
  Remedy: Replace the fan tray that has the faulty fan or fans. Adjust room temperature downward, if possible. Ensure airflow through the switch is unobstructed.
  Severity: Yellow
  Additional Information: The chassis is warm and should be cooled down. The switch is still functioning normally.
    To monitor temperature: user@switch> show chassis environment
    To monitor temperature thresholds: user@switch> show chassis temperature-thresholds

Temperature
  Alarm Condition: The chassis high temperature threshold has been exceeded, and one or more fans are not operating properly. The operating fans are running at full speed.
  Remedy: Replace the fan tray that has the faulty fan or fans. Adjust room temperature downward, if possible. Ensure airflow through the switch is unobstructed.
  Severity: Red
  Additional Information: The chassis is hot and should be cooled down. The switch might still function normally but is close to shutting down if it hasn't already.
    To monitor temperature: user@switch> show chassis environment
    To monitor temperature thresholds: user@switch> show chassis temperature-thresholds

Temperature
  Alarm Condition: The temperature sensor on a hardware component has failed.
  Remedy: Replace the hardware component.
  Severity: Yellow

Routing Engine (RE), Switch Fabric and Routing Engine (SRE), or Switch Fabric (SF) module
  Alarm Condition: The RE, SRE, or SF module has failed.
  Remedy: The RE, SRE, or SF module must be replaced.
  Severity: Red

Link Status
  Alarm Condition: The link to the network is down.
  Remedy: Check network connectivity.
  Severity: Red or Yellow
  Additional Information: The network link is disabled by default, so you might see this alarm before you connect the switch to the network.

Related Topics

Checking Active Alarms with the J-Web Interface on page 156

Chassis Status LEDs in an EX8200 Switch

Monitoring System Log Messages


Purpose

Action

Use the monitoring functionality to filter and view system log messages for EX Series
switches.
To view events in the J-Web interface, select Monitor > Events and Alarms > View
Events.
Apply a filter or a combination of filters to view messages. You can use filters to
display relevant events. Table 36 on page 161 describes the different filters, their
functions, and the associated actions.
To view events in the CLI, enter the following command:
show log

160

Monitoring System Log Messages

Chapter 11: Administering and Monitoring Basic System Functions

Table 36: Filtering System Log Messages


Field

Function

Your Action

System Log
File

Specifies the name of a system log file for which you want
to display the recorded events.

To specify events recorded in a particular file,


select the system log filename from the listfor
example, messages.

Lists the names of all the system log files that you configure.
By default, a log file, messages, is included in the /var/log/
directory.
Process

Select Include archived files to include archived


files in the search.

Specifies the name of the process generating the events you


want to display.

To specify events generated by a process, type


the name of the process.

To view all the processes running on your system, enter the


CLI command show system processes.

For example, type mgd to list all messages


generated by the management process.

For more information about processes, see the JUNOS


Software Installation and Upgrade Guide at
www.juniper.net/techpubs
Date From

Specifies the time period in which the events you want


displayed are generated.

To
Displays a calendar that allows you to select the year, month,
day, and time. It also allows you to select the local time.
By default, the messages generated in the last hour are
displayed. End Time shows the current time and Start Time
shows the time one hour before End Time.
Event ID

Specifies the event ID for which you want to display the


messages.

To specify the time period:

Click the Calendar icon and select the year,


month, and datefor example, 02/10/2007.

Click the Calendar icon and select the year,


month, and datefor example, 02/10/2007.

Click to select the time in hours, minutes,


and seconds.

To specify events with a specific ID, type the


partial or complete IDfor example,
TFTPD_AF_ERR.

Allows you to type part of the ID and completes the


remainder automatically.
An event ID, also known as a system log message code,
uniquely identifies a system log message. It begins with a
prefix that indicates the generating software process or
library.
Description

Specifies text from the description of events that you want


to display.
Allows you to use regular expressions to match text from the
event description.

Search

To specify events with a specific description,


type a text string from the description with
regular expression.

NOTE: Regular expression matching is case-sensitive.

For example, type ^Initial* to display all


messages with lines beginning with the term
Initial.

Applies the specified filter and displays the matching


messages.

To apply the filter and display messages, click


Search.

Meaning

Table 37 on page 162 describes the Event Summary fields.

Monitoring System Log Messages

161

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

NOTE: By default, the View Events page in the J-Web interface displays the most
recent 25 events, with severity levels highlighted in different colors. After you specify
the filters, Event Summary displays the events matching the specified filters. Click
the First, Next, Prev, and Last links to navigate through messages.

Table 37: Viewing System Log Messages

Field: Process
Function: Displays the name and ID of the process that generated the system log message.
Additional Information: The information displayed in this field is different for messages generated on the local Routing Engine than for messages generated on another Routing Engine (on a system with two Routing Engines installed and operational). Messages from the other Routing Engine also include the identifiers re0 and re1 to identify the Routing Engine.

Field: Severity
Function: Severity level of a message is indicated by different colors.
Additional Information: A severity level indicates how seriously the triggering event affects switch functions. When you configure a location for logging a facility, you also specify a severity level for the facility. Only messages from the facility that are rated at that level or higher are logged to the specified file.
  Unknown (gray): Indicates no severity level is specified.
  Debug/Info/Notice (green): Indicates conditions that are not errors but are of interest or might warrant special handling.
  Warning (yellow): Indicates conditions that warrant monitoring.
  Error (blue): Indicates standard error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.
  Critical (pink): Indicates critical conditions, such as hard-drive errors.
  Alert (orange): Indicates conditions that require immediate correction, such as a corrupted system database.
  Emergency (red): Indicates system panic or other conditions that cause the switch to stop functioning.

Field: Event ID
Function: Displays a code that uniquely identifies the message. The prefix on each code identifies the message source, and the rest of the code indicates the specific event or error.
Additional Information: The event ID begins with a prefix that indicates the generating software process. Some processes on a switch do not use codes. This field might be blank in a message generated from such a process. An event can belong to one of the following type categories:
  Error: Indicates an error or failure condition that might require corrective action.
  Event: Indicates a condition or occurrence that does not generally require corrective action.

Field: Event Description
Function: Displays a more detailed explanation of the message.

Field: Time
Function: Displays the time at which the message was logged.
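As an added example (not code from the Juniper guide), the following Python decodes syslog lines into the fields that Table 37 describes (process and ID, event ID with its process prefix, description, severity and its J-Web color) and applies the rule that a facility logs only messages at the configured severity or higher. The lines, host, process names and event IDs are constructed for illustration; the leading <PRI> value is the standard RFC 3164 encoding of facility and severity, and "any" is treated as a rule that applies to every facility.

```python
import re
from typing import Optional

# Severity levels from least to most serious.  The syslog numeric code is
# 7 for debug down to 0 for emergency.  Colors are those of Table 37.
SEVERITIES = ["debug", "info", "notice", "warning",
              "error", "critical", "alert", "emergency"]
COLORS = {"debug": "green", "info": "green", "notice": "green",
          "warning": "yellow", "error": "blue", "critical": "pink",
          "alert": "orange", "emergency": "red"}
# Subset of the standard syslog facility codes, named as JUNOS names them.
FACILITIES = {0: "kernel", 1: "user", 3: "daemon", 4: "authorization"}

# <PRI>timestamp host process[pid]: EVENT_ID: text   (pid and event ID optional)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:(?P<event>[A-Z][A-Z0-9]*_[A-Z0-9_]+): )?(?P<text>.*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into the fields listed in Table 37."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not in the expected form; the caller decides what to do
    pri = int(m.group("pri"))
    severity = SEVERITIES[7 - (pri & 7)]  # code 0 is emergency, 7 is debug
    event = m.group("event")
    return {
        "facility": FACILITIES.get(pri >> 3, "unknown"),
        "severity": severity,
        "color": COLORS[severity],
        "time": m.group("ts"),
        "process": m.group("proc"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        # Some processes use no code, so the event ID may be absent.
        "event_id": event,
        # The prefix before the first underscore names the generating process.
        "event_prefix": event.split("_", 1)[0] if event else None,
        "description": m.group("text"),
    }


def is_logged(rec: dict, rules: dict) -> bool:
    """Apply the 'at that level or higher' rule for the configured facilities.

    rules maps a facility name (or "any", which matches every facility) to
    the minimum severity configured for it.
    """
    level = SEVERITIES.index(rec["severity"])
    for fac in (rec["facility"], "any"):
        if fac in rules and level >= SEVERITIES.index(rules[fac]):
            return True
    return False


def select_logged(lines, rules):
    """Return the parsed records that the configured rules would log."""
    records = [parse_line(line) for line in lines]
    return [r for r in records if r is not None and is_logged(r, rules)]


# Constructed sample lines (not real switch output).  PRI = facility*8 + severity.
SAMPLE_LINES = [
    "<30>Aug  5 10:15:02 switch chassisd[1083]: CHASSISD_DEMO_EVENT: daemon.info sample",
    "<27>Aug  5 10:15:03 switch chassisd[1083]: CHASSISD_DEMO_FAILURE: daemon.error sample",
    "<37>Aug  5 10:15:04 switch sshd[2201]: authorization.notice sample without an event code",
    "<1>Aug  5 10:15:05 switch kernel: KERNEL_DEMO_ALERT: kernel.alert sample",
]
# Emulates logging daemon messages at error or higher, authorization messages
# at info or higher, and every other facility only at emergency.
SAMPLE_RULES = {"daemon": "error", "authorization": "info", "any": "emergency"}

if __name__ == "__main__":
    for r in select_logged(SAMPLE_LINES, SAMPLE_RULES):
        print(r["time"], r["severity"], r["color"], r["process"],
              r["event_id"], r["description"])
```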

Related Topics

Checking Active Alarms with the J-Web Interface on page 156

Understanding Alarm Types and Severity Levels on EX Series Switches on page 131


Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6


Chapter 12

Troubleshooting Basic System Functions

Troubleshooting Loss of the Root Password on page 165

Troubleshooting Loss of the Root Password

Problem

If you forget the root password for the switch, you can use the password recovery procedure to reset the root password.

NOTE: You need physical access to the switch to recover the root password.

Solution

To recover the root password:

1. Power off your switch by unplugging the power cord or turning off the power at the wall switch.

2. Insert one end of the Ethernet cable into the serial port on the management device and connect the other end to the console port on the back of the switch. See Figure 8 on page 165.

Figure 8: Connecting to the Console Port on the EX Series Switch

3. On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).

4. Configure the port settings as follows:

   Bits per second: 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None

5. Power on your switch by plugging in the power cord or turning on the power at the wall switch.

6. When the following prompt appears, press the Spacebar to access the switch's bootstrap loader command prompt:

   Hit [Enter] to boot immediately, or space bar for command prompt.
   Booting [kernel] in 1 second...

7. At the following prompt, type boot -s to start up the system in single-user mode:

   loader> boot -s

8. At the following prompt, type recovery to start the root password recovery procedure:

   Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

   A series of messages describe consistency checks, mounting of filesystems, and initialization and checkout of management services. Then the CLI prompt appears.

9. Enter configuration mode in the CLI:

   user@switch> configure

10. Set the root password. For example:

   user@switch# set system root-authentication plain-text-password

11. At the following prompt, enter the new root password. For example:

   New password: juniper1
   Retype new password:

12. At the second prompt, reenter the new root password.

13. If you are finished configuring the network, commit the configuration.

   root@switch# commit
   commit complete

14. Exit configuration mode in the CLI.

   root@switch# exit

15. Exit operational mode in the CLI.

   root@switch> exit

16. At the prompt, enter y to reboot the switch.

   Reboot the system? [y/n] y


Related Topics

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

For information about configuring an encrypted root password, configuring SSH keys to authenticate root logins, and configuring special requirements for plain-text passwords, see the JUNOS System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/.


Chapter 13

Operational Mode Commands for Basic System Functions


clear snmp rmon history

Syntax

   clear snmp rmon history <interface-name | all>

Release Information

   Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

   Delete the samples of Ethernet statistics collected, but do not delete the RMON history configuration. The clear snmp rmon history command deletes all the samples collected for the interface configured for the history group, but not the configuration of that group. If you want to delete the RMON history group configuration, you must use the delete snmp rmon history configuration-mode command.

Options

   interface-name: Delete the samples of Ethernet statistics collected for this interface.

   all: Delete the samples of Ethernet statistics collected for all interfaces that have been configured for RMON monitoring.

Required Privilege Level

   clear

Related Topics

   show snmp rmon history

show snmp rmon history

Syntax

   show snmp rmon history <history-index> <sample-index>

Release Information

   Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

   Display the contents of the RMON history group.

Options

   none: Display all the entries in the RMON history group.

   history-index: (Optional) Display the contents of the specified entry in the RMON history group.

   sample-index: (Optional) Display the statistics collected for the specified sample within the specified entry in the RMON history group.

Required Privilege Level

   view

Related Topics

   clear snmp rmon history

List of Sample Output

   show snmp rmon history 1 on page 172
   show snmp rmon history 1 sample 15 on page 173

Output Fields

   Table 38 on page 171 lists the output fields for the show snmp rmon history command. Output fields are listed in the approximate order in which they appear.

Table 38: show snmp rmon history Output Fields

History Index: Identifies this RMON history entry within the RMON history group.

Owner: The entity that configured this entry. Range is 0 to 32 alphanumeric characters.

Status: The status of the RMON history entry.

Interface or Data Source: The ifIndex object that identifies the interface that is being monitored.

Interval: The interval (in seconds) configured for this RMON history entry.

Buckets Requested: The requested number of buckets (intervals) configured for this RMON history entry.

Buckets Granted: The number of buckets granted for this RMON history entry.

Sample Index: The sample statistics taken at the specified interval.
  Drop Events: Number of packets dropped by the input queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
  Octets: Total number of octets and packets. For Gigabit Ethernet IQ PICs, the received octets count varies by interface type.
  Packets: Total number of packets.
  Broadcast Packets: Number of broadcast packets.
  Multicast Packets: Number of multicast packets.
  CRC errors: Total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS error) or a bad FCS with a nonintegral number of octets (alignment error).
  Undersize Pkts: Number of packets received during this sampling interval that were less than 64 octets long (excluding framing bits but including FCS octets) and were otherwise well formed.
  Oversize Pkts: Number of packets received during the sampling interval that were longer than 1518 octets (excluding framing bits, but including FCS octets) but were otherwise well formed.
  Fragments: Total number of packets that were less than 64 octets in length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
  Jabbers: Number of frames that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
  Collisions: Number of Ethernet collisions. The Gigabit Ethernet PIC supports only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug.
  Utilization(%): The best estimate of the mean physical layer network utilization on this interface during this sampling interval, in hundredths of a percent.

show snmp rmon history 1

user@host> show snmp rmon history 1
History Index 1:
Interface          Requested Buckets   Interval
171                50                  10

Sample Index 1: Interval Start: Tue Feb 12 04:12:32 2008
Drop Events        0
Octets             486
Packets            2
Broadcast Packet   0
Multicast Packets  2
CRC errors         0
Undersize Pkts     0
Oversize Pkts      0
Fragments          0
Jabbers            0
Collisions         0
Utilization(%)     0

Sample Index 2: Interval Start: Tue Feb 12 04:12:42 2008
Drop Events        0
Octets             486
Packets            2
Broadcast Packet   0
Multicast Packets  2
CRC errors         0
Undersize Pkts     0
Oversize Pkts      0
Fragments          0
Jabbers            0
Collisions         0
Utilization(%)     0

Sample Index 3: Interval Start: Tue Feb 12 04:12:52 2008
Drop Events        0
Octets             486
Packets            2
Broadcast Packet   0
Multicast Packets  2
CRC errors         0
Undersize Pkts     0
Oversize Pkts      0
Fragments          0
Jabbers            0
Collisions         0
Utilization(%)     0

show snmp rmon history 1 sample 15

user@host> show snmp rmon history 1 sample 15
Index 1
Owner = monitor
Status = valid
Data Source = ifIndex.17
Interval = 1800
Buckets Requested = 50
Buckets Granted = 50

Sample Index 44: Interval Start: Thu Jan  1 00:08:35 1970
Drop Events = 0
Octetes = 0
Packets = 0
Broadcast Pkts = 0
Multicast Pkts = 0
CRC Errors = 0
Undersize Pkts = 0
Oversize Pkts = 0
Fragments = 0
Jabbers = 0
Collisions = 0
Utilization (%) = 0
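As an added example (not from the Juniper guide), this Python parses the "Field = value" form of show snmp rmon history output shown above and flags the counters that Table 38 describes as drops, FCS or alignment errors, size violations, or collisions (which a full-duplex port should never count). The output text is constructed to mimic the sample above, with a second sample bucket that carries nonzero counters so the audit has something to report.

```python
import re

# Counters that Table 38 describes as drops, FCS/alignment errors, or
# size violations.  Collisions are handled separately: on a full-duplex
# Gigabit Ethernet port they should always remain 0.
SUSPECT_COUNTERS = ("Drop Events", "CRC Errors", "Undersize Pkts",
                    "Oversize Pkts", "Fragments", "Jabbers")

SAMPLE_RE = re.compile(r"^Sample Index (\d+): Interval Start: (.+)$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()%]*?)\s*=\s*(.+)$")


def parse_rmon_history(text: str) -> dict:
    """Parse one RMON history entry with its sample buckets."""
    entry = {"samples": []}
    current = None  # the sample bucket whose counters we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Index "):
            entry["index"] = int(line.split()[1])
            continue
        m = SAMPLE_RE.match(line)
        if m:
            current = {"index": int(m.group(1)),
                       "start": m.group(2).strip(), "counters": {}}
            entry["samples"].append(current)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # not a "Field = value" line; ignore it
        key, value = m.group(1).strip(), m.group(2).strip()
        parsed = int(value) if value.isdigit() else value
        if current is None:
            entry[key] = parsed       # entry header: Owner, Interval, ...
        else:
            current["counters"][key] = parsed


    return entry


def audit(entry: dict) -> list:
    """Return (sample index, counter, value, note) for each suspicious counter."""
    findings = []
    for s in entry["samples"]:
        c = s["counters"]
        for name in SUSPECT_COUNTERS:
            if c.get(name, 0) > 0:
                findings.append((s["index"], name, c[name],
                                 "drop, error or size-violation counter incremented"))
        if c.get("Collisions", 0) > 0:
            findings.append((s["index"], "Collisions", c["Collisions"],
                             "nonzero on a full-duplex port"))
    return findings


# Constructed output in the form of the sample above (not real switch output).
SAMPLE_OUTPUT = """\
Index 1
Owner = monitor
Status = valid
Data Source = ifIndex.17
Interval = 1800
Buckets Requested = 50
Buckets Granted = 50

Sample Index 44: Interval Start: Thu Jan  1 00:08:35 1970
Drop Events = 0
Octets = 12480
Packets = 96
Broadcast Pkts = 4
Multicast Pkts = 8
CRC Errors = 0
Undersize Pkts = 0
Oversize Pkts = 0
Fragments = 0
Jabbers = 0
Collisions = 0
Utilization (%) = 0

Sample Index 45: Interval Start: Thu Jan  1 00:38:35 1970
Drop Events = 3
Octets = 9000
Packets = 70
Broadcast Pkts = 1
Multicast Pkts = 2
CRC Errors = 5
Undersize Pkts = 0
Oversize Pkts = 0
Fragments = 2
Jabbers = 0
Collisions = 1
Utilization (%) = 0
"""

if __name__ == "__main__":
    for index, name, value, note in audit(parse_rmon_history(SAMPLE_OUTPUT)):
        print(f"sample {index}: {name} = {value} ({note})")
```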


Part 6

Virtual Chassis

Understanding Virtual Chassis on page 177

Examples of Configuring Virtual Chassis on page 203

Configuring Virtual Chassis on page 265

Verifying Virtual Chassis on page 285

Troubleshooting Virtual Chassis on page 295

Configuration Statements for Virtual Chassis on page 297

Operational Mode Commands for Virtual Chassis on page 311


Chapter 14

Understanding Virtual Chassis

Virtual Chassis Overview on page 177

Understanding Virtual Chassis Components on page 180

Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 184

Understanding Software Upgrade in a Virtual Chassis Configuration on page 184

Understanding Global Management of a Virtual Chassis Configuration on page 185

Understanding Nonvolatile Storage in a Virtual Chassis Configuration on page 188

Understanding the High-Speed Interconnection of the Virtual Chassis Members on page 188

Understanding Virtual Chassis Configurations and Link Aggregation on page 188

Understanding Virtual Chassis Configuration on page 190

Understanding Virtual Chassis EX4200 Switch Version Compatibility on page 191

Understanding Fast Failover in a Virtual Chassis Configuration on page 191

Understanding Split and Merge in a Virtual Chassis Configuration on page 198

Virtual Chassis Overview


The Juniper Networks EX4200 Ethernet Switch is the basis for the Virtual Chassis
flexible, scaling switch solution. You can connect individual EX4200 switches together
to form one unit and manage the unit as a single chassis, called a Virtual Chassis.
Up to ten EX4200 switches can be interconnected, providing up to a total of 480
access ports. The available bandwidth increases as you include more members within
the Virtual Chassis configuration. See Understanding the High-Speed Interconnection
of the Virtual Chassis Members on page 188.
This topic describes:

Basic Configuration of a Virtual Chassis with Master and Backup Switches on page 178

Expanding Configurations: Within a Single Wiring Closet and Across Wiring Closets on page 178

Global Management of Member Switches in a Virtual Chassis on page 178

High Availability Through Redundant Routing Engines on page 179

Adaptability as an Access Switch or Distribution Switch on page 179


Basic Configuration of a Virtual Chassis with Master and Backup Switches


To take advantage of the Virtual Chassis configuration's higher bandwidth capacity
and software redundancy features, you need to interconnect at least two EX4200
switches in a Virtual Chassis configuration. You can start with a default configuration,
composed of two EX4200 member switches interconnected through the dedicated
64-Gbps Virtual Chassis ports (VCPs) on their rear panels. These ports do not have to
be configured. They are operational as soon as the member switches are powered
on. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203 for additional information.

Expanding Configurations: Within a Single Wiring Closet and Across Wiring Closets


As your needs grow, you can easily expand the Virtual Chassis configuration to include
more member switches. Within a single wiring closet, simply add member switches
by cabling together the dedicated VCPs. For more information about expanding
Virtual Chassis configurations within a single wiring closet, see Example: Expanding
a Virtual Chassis Configuration in a Single Wiring Closet on page 208 and Example:
Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration
on page 214.
You can also expand a Virtual Chassis configuration beyond a single wiring closet.
Interconnect switches located in multiple wiring closets or in multiple data center
racks by installing the optional SFP, SFP+, or XFP uplink modules and connecting
the uplink module ports or by connecting the 1-gigabit network interfaces in an
EX4200-24F switch. The small form-factor pluggable (SFP) uplink module provides
four ports for 1-gigabit transceivers. The SFP+ uplink module provides two ports
for 10-gigabit SFP+ transceivers or four ports for 1-gigabit SFP transceivers. The
XFP uplink module provides two ports for 10-gigabit XFP transceivers. To use SFP,
SFP+, and XFP uplink module ports or EX4200-24F network interfaces for
interconnecting member switches, you must first explicitly configure them as Virtual
Chassis ports (VCPs). This procedure includes configuring these ports of a standalone
EX4200 switch as VCPs prior to interconnecting the new member switch with the
existing Virtual Chassis configuration. See Example: Configuring a Virtual Chassis
Interconnected Across Multiple Wiring Closets on page 219 for detailed information.
When you are creating a Virtual Chassis configuration with multiple members, you
might want to deterministically control the role and member ID assigned to each
member switch. You can do this by creating a preprovisioned configuration. See
Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File
on page 239 for more information.
You can add switches to a preprovisioned configuration by using the autoprovisioning
feature to automatically configure the uplink module ports as VCPs on the switches
being added. See Adding a New Switch to an Existing Virtual Chassis Configuration
(CLI Procedure) on page 270 for detailed information.

Global Management of Member Switches in a Virtual Chassis


The interconnected member switches in a Virtual Chassis configuration operate as
a single network entity. You run EZSetup only once to specify the identification
parameters for the master, and these parameters implicitly apply to all members of
the Virtual Chassis configuration. You can view the Virtual Chassis configuration as
a single device in the J-Web user interface and apply various device management
functions to all members of the Virtual Chassis configuration.
The serial console port and dedicated out-of-band management port that are on the
rear panel of the individual switches have global virtual counterparts when the
switches are interconnected in a Virtual Chassis configuration. A virtual console
allows you to connect to the master by connecting a terminal directly to the console
port of any member switch. A virtual management Ethernet (VME) interface allows
you to remotely manage the Virtual Chassis configuration by connecting to the
out-of-band management port of any member switch through a single IP address.
See Understanding Global Management of a Virtual Chassis Configuration on page 185.

High Availability Through Redundant Routing Engines


A Virtual Chassis configuration has a master and a backup, each of which has a
Routing Engine. These redundant Routing Engines handle all routing protocol
processes and control the Virtual Chassis configuration. See High Availability Features
for EX Series Switches Overview on page 17 for further information on redundant
Routing Engines and additional high availability features.

Adaptability as an Access Switch or Distribution Switch


A Virtual Chassis configuration supports a variety of user environments, because it
can be composed of different models of EX4200 switches, with either 24 or 48 access
ports, and with these having either full (24 or 48 ports) or partial (8 ports) Power
over Ethernet (PoE) port capabilities. You can select different switch models to support
various functions. For example, you might set up one Virtual Chassis access switch
configuration composed of the full PoE models to support users sitting in cubicles
equipped with PCs and VoIP phones. You could set up another Virtual Chassis
configuration with partial PoE models to support the company's internal servers and
configure one more Virtual Chassis configuration with partial PoE models to support
the company's external servers. Alternatively, the Virtual Chassis configuration can
be used as a distribution switch. For this type of deployment, you might select the
EX4200-24F model to connect the distribution switch to multiple access switches
located in different buildings on the campus.
Related Topics

Understanding Virtual Chassis Components on page 180

Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 184

Understanding Virtual Chassis EX4200 Switch Version Compatibility on page 191

Understanding Virtual Chassis Configurations and Link Aggregation on page 188

Understanding Virtual Chassis Configuration on page 190

EX4200 Switch Models on page 27


Understanding Virtual Chassis Components


A Virtual Chassis configuration allows you to interconnect two to ten Juniper Networks
EX4200 Ethernet Switches and run them as a single network entity. While it is true
that you need at least two interconnected switches to take advantage of Virtual
Chassis features, it is also true that any individual EX4200 switch has some Virtual
Chassis components.
This topic covers:

Virtual Chassis Ports (VCPs) on page 180

Master Role on page 180

Backup Role on page 181

Linecard Role on page 181

Member Switch and Member ID on page 182

Mastership Priority on page 182

Virtual Chassis Identifier (VCID) on page 183

Virtual Chassis Ports (VCPs)


There are two dedicated Virtual Chassis ports (VCPs) on the rear panel of the EX4200
switch that are used exclusively to interconnect EX4200 switches in a Virtual Chassis
configuration. The interfaces for these dedicated ports are operational by default
when the ports are properly cabled. For an example of two EX4200 switches
interconnected with their dedicated VCPs, see Example: Configuring a Virtual Chassis
with a Master and Backup in a Single Wiring Closet on page 203. In addition, you
can interconnect the switch with another EX4200 switch across a wider distance by
installing an optional SFP, SFP+, or XFP uplink module in an EX4200 switch or by
using the network interfaces in an EX4200-24F switch. To do this using uplink module
ports, you need to install one uplink module in at least one EX4200 switch at each
end of the link. You must set the uplink module ports or the EX4200-24F network
interfaces to function as VCPs in order for the interconnected switches to be
recognized as members of the same Virtual Chassis configuration. This procedure
includes setting the uplink module ports or EX4200-24F network ports of a standalone
EX4200 switch as VCPs prior to interconnecting the new member switch with the
existing Virtual Chassis configuration. For an example of EX4200 switches
interconnected with the uplink ports functioning as VCPs, see Example: Configuring
a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219.
You can display the status of both the dedicated VCP interfaces and the uplink ports
configured as VCP interfaces with the show virtual-chassis vc-port command.

Master Role

The member that functions in the master role:
Manages the member switches.

Runs Juniper Networks JUNOS Software for Juniper Networks EX Series Ethernet
Switches in a master role.

Runs the chassis management processes and control protocols.

Represents all the member switches interconnected within the Virtual Chassis
configuration. (The hostname and other properties that you assign to this switch
during setup apply to all members of the Virtual Chassis configuration.)

When an EX4200 switch is powered on as a standalone switch, it is considered the master member. In a multimember Virtual Chassis configuration, one member functions as the master and a second member functions as the backup:

In a preprovisioned configuration, one of the two members assigned as routing-engine functions as the master member. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 184.

In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.

Backup Role
The member that functions in the backup role:

Maintains a state of readiness to take over the master role if the master fails.

Runs JUNOS Software for EX Series switches in a backup role.

Synchronizes with the master in terms of protocol states, forwarding tables, and
so forth, so that it is prepared to preserve routing information and maintain
network connectivity without disruption in case the master is unavailable.

You must have at least two member switches in a Virtual Chassis configuration in
order to have a backup member.

In a preprovisioned configuration, one of the two members assigned as routing-engine functions in the backup role. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 184.

In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.

Linecard Role
A member that functions in the linecard role:

Runs only a subset of JUNOS Software for EX Series switches.


Does not run the chassis control protocols.

Can detect certain error conditions (such as an unplugged cable) on any interfaces
that have been configured on it through the master.

A Virtual Chassis configuration must have at least three members in order to include
a linecard member.

In a preprovisioned configuration, you can explicitly configure a member with the role of linecard, which makes it ineligible for functioning as a master or backup.

In a configuration that is not preprovisioned, the members that are not selected
as master or backup function as linecard members of the Virtual Chassis
configuration. The selection of the master and backup is determined by the
mastership priority value and secondary factors in the master election algorithm.

Member Switch and Member ID


Each physically discrete EX4200 switch is a potential member of a Virtual Chassis
configuration. When an EX4200 switch is powered on, it receives a member ID that
is displayed on the front-panel LCD. If the switch is powered on as a standalone
switch, its member ID is always 0. When the switch is interconnected with other
EX4200 switches in a Virtual Chassis configuration, its member ID (0 through 9) is
assigned by the master based on various factors, such as the order in which the
switch was added to the Virtual Chassis configuration. As each switch is added and
powered on, it receives the next available (unused) member ID.
If the Virtual Chassis configuration previously included a member switch and that
member was physically disconnected or removed from the Virtual Chassis
configuration, its member ID is not available for assignment as part of the standard
sequential assignment by the master. For example, you might have a Virtual Chassis
configuration composed of member 0, member 2, and member 3, because member
1 was removed. When you add another member switch and power it on, the master
assigns it as member 4. However, you can use the request virtual-chassis renumber
command to explicitly change the member ID of the new member switch to use
member ID 1.
The member ID distinguishes the member switches from one another. You use the
member ID:

To assign a mastership priority value to a member switch

To configure interfaces for a member switch (the function is similar to a slot number on Juniper Networks routers)

To apply some operational commands to a member switch

To display status or characteristics of a member switch

Mastership Priority
In a configuration that is not preprovisioned, you can designate the role (master, backup, or linecard) that a member switch performs within the Virtual Chassis configuration by configuring its mastership priority (from 1 to 255). The mastership priority value is the factor with the highest precedence for selecting the master of the Virtual Chassis configuration.
The default value for mastership priority is 128. When an EX4200 switch is powered
on, it receives the default mastership priority value. Because it is the only member
of the Virtual Chassis configuration, it is also the master. When you interconnect a
standalone switch to an existing Virtual Chassis configuration (which implicitly
includes its own master), we recommend that you explicitly configure the mastership
priority of the members that you want to function as the master and backup.
We recommend that you specify the same mastership priority value for both the
master and backup members.

NOTE: Configuring the same mastership priority value for both the master and backup
helps to ensure a smooth transition from master to backup in case the master
becomes unavailable. It prevents the old master from preempting control from the
backup in situations where the backup has taken control of the Virtual Chassis
configuration due to the original master being unavailable.
We also recommend that you configure the highest possible mastership priority value
(255) for those two members, because that guarantees that these two members
continue to function as the master and backup when other members are added to
the Virtual Chassis configuration. Any other members of the Virtual Chassis
configuration (members with lower mastership priority) are considered linecard
members.
In a preprovisioned configuration, the mastership priority value is assigned by the
software, based on the specified role.

Virtual Chassis Identifier (VCID)


All members of a Virtual Chassis configuration share one Virtual Chassis identifier
(VCID). This identifier is derived from internal parameters. When you are monitoring
a Virtual Chassis configuration, the VCID is displayed in the user interface.
Related Topics

Virtual Chassis Overview on page 177

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 203

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276

Command Forwarding Usage with a Virtual Chassis Configuration on page 285


Understanding How the Master in a Virtual Chassis Configuration Is Elected


All switches that are interconnected in a Virtual Chassis configuration are member
switches of that Virtual Chassis. Each Virtual Chassis configuration has one member
that functions as the master and controls the Virtual Chassis configuration.
When a Virtual Chassis configuration boots, the Juniper Networks JUNOS Software
for Juniper Networks EX Series Ethernet Switches automatically runs a master election
algorithm to determine which member switch takes the role of master.
The algorithm that the software uses to determine the master is as follows:

1. Choose the member with the highest user-configured mastership priority (255 is the highest possible value).

2. Choose the member that was master the last time the Virtual Chassis configuration booted.

3. Choose the member that has been included in the Virtual Chassis configuration for the longest period of time. (For this to be a deciding factor, there has to be a minimum time lapse of one minute between the power-ons of the individual interconnected member switches.)

4. Choose the member with the lowest MAC address.
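As an added example (not code from the Juniper guide or from JUNOS), this Python models the four election steps above over constructed member records and shows why a tied priority does not by itself decide the master. Two readings are assumptions: the one-minute rule in step 3 is treated as "the longest-standing member wins only if it joined at least a minute before every other remaining candidate", and the backup is derived by running the same election over the members that remain once the master is chosen. The MAC addresses and member values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Member:
    member_id: int
    mac: str                  # constructed base MAC address
    priority: int = 128       # configured mastership priority (1..255; default 128)
    was_master: bool = False  # master the last time the Virtual Chassis booted
    joined_s: int = 0         # seconds since this member joined the Virtual Chassis


def mac_value(mac: str) -> int:
    """Numeric value of a MAC address so that 'lowest MAC' can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_master(members: List[Member]) -> Member:
    """Run the four election steps in order and return the winner."""
    if not members:
        raise ValueError("no members to elect from")
    # Step 1: highest user-configured mastership priority.
    top = max(m.priority for m in members)
    cands = [m for m in members if m.priority == top]
    if len(cands) == 1:
        return cands[0]
    # Step 2: the member that was master at the previous boot.
    previous = [m for m in cands if m.was_master]
    if previous:
        cands = previous
        if len(cands) == 1:
            return cands[0]
    # Step 3: longest membership, decisive only with at least a one-minute
    # lead over every other remaining candidate (assumed reading of the rule).
    cands.sort(key=lambda m: m.joined_s, reverse=True)
    if cands[0].joined_s - cands[1].joined_s >= 60:
        return cands[0]
    # Step 4: lowest MAC address.
    return min(cands, key=lambda m: mac_value(m.mac))


def assign_roles(members: List[Member]) -> Dict[int, str]:
    """Master first, then backup (assumed: same election over the rest), then linecard."""
    roles: Dict[int, str] = {}
    remaining = list(members)
    for role in ("master", "backup"):
        if not remaining:
            break
        winner = elect_master(remaining)
        roles[winner.member_id] = role
        remaining = [m for m in remaining if m is not winner]
    for m in remaining:
        roles[m.member_id] = "linecard"
    return roles


# Constructed members: two candidates share priority 255, and the one that
# was master last time keeps the role even though it has the higher MAC.
SAMPLE_MEMBERS = [
    Member(0, "02:00:00:00:00:0b", priority=255, was_master=False, joined_s=400),
    Member(1, "02:00:00:00:00:0c", priority=255, was_master=True, joined_s=100),
    Member(2, "02:00:00:00:00:0a", priority=128, was_master=False, joined_s=900),
]

if __name__ == "__main__":
    for member_id, role in sorted(assign_roles(SAMPLE_MEMBERS).items()):
        print(f"member {member_id}: {role}")
```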

The variations among switch models, such as whether the switch has 48 or 24 ports,
do not impact the master election algorithm. To ensure that a specific member is
elected as the master:

1. Power on only the switch that you want to configure as master of the Virtual
Chassis configuration.

2. Configure the mastership priority of that member to have the highest possible
value (255).

3. Continue to configure other members through the master member, as desired.

4. Power on the other members.

Related Topics

Virtual Chassis Overview on page 177

Understanding Virtual Chassis Components on page 180

Understanding Virtual Chassis Configuration on page 190
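To make the election order concrete, here is an added Python simulation of the four steps above (not Juniper code); the member records, MAC addresses and the handling of the one-minute gap in step 3 are assumptions constructed for this example.

```python
# Added example (not Juniper code): a simulation of the four-step master
# election order described above, run over constructed member records.
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str
    priority: int      # user-configured mastership priority, 0 through 255
    was_master: bool   # was master the last time the Virtual Chassis booted
    uptime_s: int      # seconds this member has been in the Virtual Chassis
    mac: str           # base MAC address, constructed for this example


# Step 3 only decides when the power-ons are at least one minute apart.
MIN_GAP_S = 60


def mac_to_int(mac: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' into an integer so MACs compare numerically."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_master(members: list) -> Member:
    """Return the member that the election order picks as master."""
    if not members:
        raise ValueError("a Virtual Chassis needs at least one member")
    for m in members:
        if not 0 <= m.priority <= 255:
            raise ValueError(f"{m.name}: mastership priority must be 0-255")

    # Step 1: highest user-configured mastership priority.
    best = max(m.priority for m in members)
    cands = [m for m in members if m.priority == best]
    if len(cands) == 1:
        return cands[0]

    # Step 2: the member that was master at the previous boot.
    prev = [m for m in cands if m.was_master]
    if len(prev) == 1:
        return prev[0]
    if prev:
        cands = prev  # several claim it (e.g. after a merge); keep going

    # Step 3: longest membership. The text needs a one-minute gap between
    # power-ons for this to decide, so every candidate whose uptime is within
    # MIN_GAP_S of the longest stays in the race (an interpretation assumed here).
    longest = max(m.uptime_s for m in cands)
    cands = [m for m in cands if longest - m.uptime_s < MIN_GAP_S]
    if len(cands) == 1:
        return cands[0]

    # Step 4: the lowest MAC address breaks the remaining tie.
    return min(cands, key=lambda m: mac_to_int(m.mac))


def ensure_master_priority(member_id: int) -> str:
    """CLI statement from the procedure above: give the intended master the
    highest possible priority (255) before powering on the other members."""
    return f"set virtual-chassis member {member_id} mastership-priority 255"


# Constructed sample: three members with the same (unchanged) priority.
SAMPLE = [
    Member("sw0", 128, False, 3600, "00:19:e2:50:00:00"),
    Member("sw1", 128, False, 3590, "00:19:e2:50:aa:00"),
    Member("sw2", 128, False, 100, "00:19:e2:00:00:00"),
]

if __name__ == "__main__":
    # sw0 and sw1 were powered on 10 s apart, so step 3 cannot separate them
    # and the lower MAC (sw0) wins; sw2 is excluded by its much shorter uptime.
    print("elected:", elect_master(SAMPLE).name)
    print(ensure_master_priority(0))
```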

Understanding Software Upgrade in a Virtual Chassis Configuration


A Virtual Chassis configuration can be composed of multiple Juniper Networks EX4200
Ethernet Switches, and each member switch runs Juniper Networks JUNOS Software
packages. For ease of management, the Virtual Chassis configuration provides flexible
methods for upgrading software releases.
A new software release can be installed on the entire Virtual Chassis configuration
or on a particular member in the Virtual Chassis configuration through a CLI or J-Web
command. A user can add software packages to either a single member of the Virtual
Chassis configuration or to all members of the Virtual Chassis configuration at the
same time.
Related Topics

Virtual Chassis Overview on page 177

Understanding Virtual Chassis Components on page 180

Installing Software on an EX Series Switch with a Single Routing Engine (CLI
Procedure) on page 89

Understanding Global Management of a Virtual Chassis Configuration


A Virtual Chassis configuration is composed of multiple Juniper Networks EX4200
Ethernet Switches, so it has multiple console ports and multiple out-of-band
management Ethernet ports located on the rear panels of the switches.
You can connect a PC or laptop directly to a console port of any member switch to
set up and configure the Virtual Chassis. When you connect to the console port of
any member switch, the console session is redirected to the master switch, as shown
in Figure 9 on page 186.


Figure 9: Console Session Redirection

If the master becomes unavailable, the console session is disconnected from the old
master and a new session is established with the newly elected master.
An out-of-band management Ethernet port is often referred to simply as a
management Ethernet port. It uses a dedicated management channel for device
maintenance and allows a system administrator to monitor and manage the switch
by remote control.
The Virtual Chassis configuration can be managed remotely through SSH or Telnet
using a global management interface called the virtual management Ethernet (VME)
interface. VME is a logical interface representing any and all of the out-of-band
management ports on the member switches. When you connect to the Virtual Chassis
configuration using the VME IP address, the connection is redirected to the master
member as shown in Figure 10 on page 187.


Figure 10: Management Ethernet Port Redirection to VME

If the master management Ethernet link is unavailable, the session is redirected
through the backup management Ethernet link. If there is no active management
Ethernet link on the backup, the VME interface chooses a management Ethernet link
on one of the linecard members, selecting the linecard member with the lowest
member ID as its first choice.
You can configure an IP address for the VME global management interface at any
time.
You can perform remote configuration and administration of all members of the
Virtual Chassis configuration through the VME interface.
Related Topics

Understanding Virtual Chassis Components on page 180

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Configuring the Virtual Management Ethernet Interface for Global Management
of a Virtual Chassis (CLI Procedure) on page 279

Understanding Nonvolatile Storage in a Virtual Chassis Configuration


The Juniper Networks EX4200 Ethernet Switch stores JUNOS system files in internal
flash memory. In a Virtual Chassis configuration, both the master and the backup
switch store the configuration information for all the member switches.

Nonvolatile Memory Features on page 188

Nonvolatile Memory Features

The Juniper Networks JUNOS Software for Juniper Networks EX Series Ethernet
Switches optimizes the way the Virtual Chassis stores its configuration if a member
switch or the Virtual Chassis configuration is shut down improperly:

If the master is not available, the backup switch takes on the role of the master
and its internal flash memory takes over as the alternate location for maintaining
nonvolatile configuration memory.

If a member switch is taken offline for repair, the master stores the configuration
of the member switch.

Related Topics

Command Forwarding Usage with a Virtual Chassis Configuration on page 285

Monitoring System Properties on page 145

Understanding the High-Speed Interconnection of the Virtual Chassis Members


Two high-speed Virtual Chassis ports (VCPs) on the rear panel of the Virtual Chassis
member switches enable the members to be interconnected and operate as a single,
powerful switch. Each VCP interface is 32 Gbps bidirectional. When VCP interfaces
are used to form a ring topology, each segment provides 64 Gbps bidirectional
bandwidth. Because the VCP links act as point-to-point links, multiple segments of
the ring can be used simultaneously. This allows the Virtual Chassis configuration
bandwidth to scale as you interconnect more members within the ring topology.
Related Topics

Understanding Virtual Chassis Components on page 180

Virtual Chassis Cabling Configuration Examples for EX4200 Switches

Understanding Virtual Chassis Configurations and Link Aggregation


You can combine physical Ethernet ports belonging to different member switches
of a Virtual Chassis configuration to form a logical point-to-point link, known as a
link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single
Ethernet link can provide. Additionally, link aggregation provides network redundancy
by load-balancing traffic across all available links. If one of the links fails, the system
automatically load-balances traffic across all remaining links.


You can select up to four uplink module ports or SFP network ports on an EX4200-24F
switch that have been configured as Virtual Chassis ports (VCPs) to form a LAG. When
you set uplink module ports or SFP network ports on Virtual Chassis member switches
as uplink VCPs, connect at least two of those uplink VCPs on one member to at least
two uplink VCPs on another member, and configure those uplink VCPs to operate
at the same link speed, the uplink VCPs automatically form a LAG and each LAG is
assigned a positive-integer identifier called a trunk ID.
A LAG over uplink VCPs provides higher overall bandwidth for forwarding traffic
between the member switches connected by the uplink VCPs, faster management
communications, and greater redundancy of operations among the members than
would be available without the LAG. All Juniper Networks EX4200 Ethernet Switches
have two dedicated VCPs. A LAG over uplink VCPs provides an additional Virtual
Chassis link throughput of 20 Gbps for the EX4200-24P, EX4200-24T, EX4200-48P,
and EX4200-48T models and additional throughput of 28 Gbps for the EX4200-24F
model. Up to eight Virtual Chassis LAGs can be created per member.
See Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page
276 for information about configuring uplink module ports and SFP network ports on
EX4200-24F switches as uplink VCPs.
To verify that the LAG has been created, view the output of the command show
virtual-chassis vc-port.

NOTE: The interfaces that are included within a bundle or LAG are sometimes referred
to as member interfaces. Do not confuse this term with member switches, which refers
to EX4200 switches that are interconnected as a Virtual Chassis. It is possible to
create a LAG that is composed of member interfaces that are located in different
member switches of a Virtual Chassis.
Related Topics

Virtual Chassis Overview on page 177

Understanding Aggregated Ethernet Interfaces and LACP on page 343

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 219

Example: Configuring Link Aggregation Groups Using Uplink Virtual Chassis Ports
on page 256


Understanding Virtual Chassis Configuration


You configure and manage almost all aspects of a Virtual Chassis configuration
through the master of the Virtual Chassis. However, you can also configure Virtual
Chassis parameters when a Juniper Networks EX4200 Ethernet Switch is a standalone
switch not interconnected with other members.
An EX4200 switch has some innate characteristics of a Virtual Chassis by default. A
standalone EX4200 switch is assigned member ID 0 and is the master of itself.
Therefore, you can edit its Virtual Chassis configuration. When the standalone switch
is interconnected with an existing Virtual Chassis configuration, the Virtual Chassis
configuration statements and any uplink Virtual Chassis port (VCP) settings that you
previously specified on the standalone switch remain part of its configuration.
A switch is not recognized as a member of a Virtual Chassis until it is interconnected
with the master or interconnected with an existing member of the Virtual Chassis.
When a switch is located too far away to be interconnected through dedicated VCPs,
you can specify an uplink module port or an EX4200-24F network interface as a VCP
by using the request virtual-chassis vc-port command. You must issue the request
virtual-chassis vc-port command on the switch you are adding to the Virtual Chassis
as well as on the existing member switch that you will connect to the new member.
Because the to-be-added switch is not yet a member, the master switch will not
recognize that added switch unless the latter has an uplink VCP. A link aggregation
group (LAG) will be formed automatically when the new switch is added to the
configuration if more than one such link with the same speed is detected between
uplink VCPs on the new member and an existing member. See Understanding
Virtual Chassis Configurations and Link Aggregation on page 188.
When an uplink module port or an EX4200-24F network interface is set as a VCP, it
cannot be used for any additional purpose. If you want to use the uplink module port
or EX4200-24F network interface for another purpose, you can delete the VCP setting
by using the request virtual-chassis vc-port command. You can execute this command
directly on the member whose uplink VCP setting you want to delete or through the
master of the Virtual Chassis configuration.

CAUTION: Deleting a VCP in a Virtual Chassis chain configuration can cause the
Virtual Chassis configuration to split. For more information, see Understanding Split
and Merge in a Virtual Chassis Configuration on page 198.
You can create a preprovisioned configuration. This type of configuration allows you
to deterministically control the member ID and role assigned to a member switch
by associating the switch with its serial number. For an example of a preprovisioned
configuration, see Example: Configuring a Virtual Chassis Using a Preprovisioned
Configuration File on page 239.


NOTE: If an EX4200 switch is interconnected with other switches in a Virtual Chassis
configuration, each individual switch that is included as a member of the configuration
is identified with a member ID. The member ID functions as an FPC slot number.
When you are configuring interfaces for a Virtual Chassis configuration, you specify
the appropriate member ID (0 through 9) as the slot element of the interface name.
The default factory settings for a Virtual Chassis configuration include FPC 0 as a
member of the default VLAN because FPC 0 is configured as part of the
ethernet-switching family. In order to include FPC 1 through FPC 9 in the default
VLAN, add the ethernet-switching family to the configurations for those interfaces.

Related Topics

Understanding Virtual Chassis Components on page 180

Understanding How the Master in a Virtual Chassis Configuration Is Elected on
page 184

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 219

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

request virtual-chassis vc-port

Understanding Virtual Chassis EX4200 Switch Version Compatibility


For Juniper Networks EX4200 Ethernet Switches to be interconnected as a Virtual
Chassis configuration, the switches must be running the same software versions.
The master checks the hardware version, the Juniper Networks JUNOS Software
version, and other component versions running in a switch that is physically
interconnected to its Virtual Chassis port (VCP). Different hardware models can be
members of the same Virtual Chassis configuration. However, the master will not
assign a member ID to a switch that is running a different software version. A switch
that is running a different version of software will not be allowed to join the Virtual
Chassis configuration.
Related Topics

Understanding Virtual Chassis Components on page 180

Understanding Software Upgrade in a Virtual Chassis Configuration on page 184

Understanding Software Installation on EX Series Switches on page 85

Installing Software on an EX Series Switch with a Single Routing Engine (CLI
Procedure) on page 89

Installing Software on EX Series Switches (J-Web Procedure) on page 94

Understanding Fast Failover in a Virtual Chassis Configuration


The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism
that automatically reroutes traffic and reduces traffic loss in the event of a link failure
or switch failure. If a link between two members fails, traffic flow between those
members must be rerouted quickly so that there is minimal traffic loss.
Fast failover is effective only for Virtual Chassis members configured in ring topologies
using identical port types.
This topic describes the following:

Supported Topologies for Fast Failover on page 192

How Fast Failover Works on page 192

Effects of Topology Changes on a Fast Failover Configuration on page 197

Supported Topologies for Fast Failover


For fast failover to be effective, the Virtual Chassis members must be configured in
a ring topology. The ring topology can be formed by using either dedicated Virtual
Chassis ports (VCPs) or user-configured uplink module VCPs. Fast failover is supported
only in a ring topology that uses identical port types, for example, either a topology
that uses all dedicated VCPs or one that uses all uplink module VCPs. Fast failover
is not supported in a ring topology that includes both dedicated VCPs and uplink
module VCPs. Fast failover is supported, however, in a Virtual Chassis configuration
that consists of multiple rings.

How Fast Failover Works


When fast failover is activated, each VCP is automatically configured with a backup
port of the same type (dedicated VCP, SFP uplink VCP, or XFP uplink VCP). If a VCP
fails, its backup port is used to send traffic. These backup ports act as standby ports
and are not meant for load-balancing purposes.

Fast Failover in a Ring Topology Using Dedicated VCPs


When fast failover is activated in a ring topology that uses dedicated VCPs, each VCP
is automatically configured with a backup port of the same type. If a VCP fails, its
backup port is used to send traffic. Figure 11 on page 193 shows normal traffic flow
in a ring topology using dedicated VCPs.


Figure 11: Normal Traffic Flow in a Ring Topology Using Dedicated VCPs

Figure 12 on page 194 shows traffic redirected by fast failover.


Figure 12: Traffic Redirected by Fast Failover After Dedicated VCP Link Failure

When the failed link is restored, the Virtual Chassis reconfigures the topology to the
topology's original state.

Fast Failover in a Ring Topology Using Uplink Module VCPs


In a ring topology that uses uplink module VCPs, each uplink module VCP is
automatically configured with a backup uplink module VCP. If an uplink module VCP
fails, its backup port is used to send traffic. Figure 13 on page 195 shows normal
traffic flow in a ring topology using SFP uplink module VCPs. Normal traffic flow in
a ring topology using XFP uplink module VCPs is the same.


NOTE: In order to use SFP or XFP uplink module ports as VCPs, you must configure
them to be VCPs using the request virtual-chassis vc-port command. Once configured,
they will be converted into VCPs. For example, xe-0/1/0 will become vcp-255/1/0
after you configure it to be a VCP.

Figure 13: Normal Traffic Flow in a Ring Topology Using SFP Uplink Module VCPs

Figure 14 on page 196 shows traffic redirected by fast failover.


Figure 14: Traffic Redirected by Fast Failover After SFP Uplink Module VCP Link Failure

In a ring topology that uses SFP uplink module VCPs, there are four ports per module.
Consecutive pairs of ports are automatically configured as backup ports for each other.
For example, if a Virtual Chassis member has an SFP uplink module installed, uplink
module VCPs ge-0/1/0 and ge-0/1/1 are automatically configured as the backup
port for the other port in the pair. Similarly, ports ge-0/1/2 and ge-0/1/3 are
automatically configured as the backup port for the other port in the pair.
Similarly, in a ring topology that uses XFP uplink module VCPs, there are only two
ports per uplink module. Each port is automatically configured to back up the other
port in the uplink module (for example, xe-0/1/0 is the backup for xe-0/1/1).

Fast Failover in a Virtual Chassis Configuration Using Multiple Ring Topologies

Fast failover is supported in a Virtual Chassis configuration with a multiple-ring
topology, as shown in Figure 15 on page 197.


Figure 15: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings

In this scenario, the Virtual Chassis configuration has three rings: two rings that use
dedicated VCPs and one ring that uses SFP uplink module VCPs. Fast failover works
independently on each ring. Each dedicated VCP in a ring is backed up by another
dedicated VCP. Similarly, each SFP uplink module VCP is backed up by another SFP
uplink module VCP. Fast failover does not support a ring topology consisting of a
mix of dedicated VCPs and uplink module VCPs.

Effects of Topology Changes on a Fast Failover Configuration


Once the fast failover feature has been activated, topology changes to the Virtual
Chassis configuration do not affect the fast failover configuration. In the event of a
link or switch failure, fast failover functions normally.


Related Topics

Understanding Virtual Chassis Configuration on page 190

Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic
When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 250

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page
276

Understanding Split and Merge in a Virtual Chassis Configuration


In a Virtual Chassis configuration, two or more Juniper Networks EX4200 Ethernet
Switches are connected together to form a unit that is managed as a single chassis.
If there is a disruption to the Virtual Chassis configuration due to member switches
failing or being removed from the configuration, the Virtual Chassis configuration
splits into two separate Virtual Chassis. This situation could cause disruptions in the
network if the two separate configurations share common resources, such as global
IP addresses. The split and merge feature provides a method to prevent the separate
Virtual Chassis configurations from adversely affecting the network and also allows
the two parts to merge back into a single Virtual Chassis configuration.

NOTE: If a Virtual Chassis configuration splits into separate parts, we recommend
that you resolve the problem that caused the Virtual Chassis configuration to split as
soon as possible.

You can also use this feature to merge two active but separate Virtual Chassis that
have not previously been part of the same configuration into one Virtual Chassis
configuration.

NOTE: The split and merge feature is enabled by default on EX4200 switches. You
can disable the split and merge feature by using the set virtual-chassis no-split-detection
command.
This topic describes:

What Happens When a Virtual Chassis Configuration Splits on page 198

Merging Virtual Chassis Configurations on page 199

What Happens When a Virtual Chassis Configuration Splits


When a Virtual Chassis configuration splits into two separate Virtual Chassis
configurations, the individual member switches detect this topology change and run
the master election algorithm to select a new master for each of the two Virtual
Chassis configurations. The new masters then determine whether their Virtual Chassis
configuration remains active. One of the configurations remains active based on the
following:

It contains both the stable master and the stable backup (that is, the master and
backup from the original Virtual Chassis configuration before the split).

It contains the stable master and the configuration is greater than half the Virtual
Chassis size.

It contains the stable backup and is at least half the Virtual Chassis size.

Due to the rules given in the second and third list items, if the Virtual Chassis
configuration splits into two equal parts and the stable master and stable backup are
in different parts, then the part that contains the stable backup will become active.

NOTE: The number of members in the Virtual Chassis configuration includes all
member switches connected to date minus the number whose Virtual Chassis member
IDs have been recycled. Therefore, the size of the Virtual Chassis configuration
increases when a new member switch is detected and decreases when a member
switch's ID is recycled (that is, made available for reassignment).
These rules ensure that only one of the two separate Virtual Chassis configurations
created by the split remains active. The member switches in the inactive Virtual
Chassis configuration remain in a linecard role. For the inactive members to become
active again, one of the following things must happen:

The problem that caused the original Virtual Chassis configuration to split is
resolved, allowing the two Virtual Chassis configurations to merge.

You load the factory default configuration on the inactive members, which causes
the inactive members to function as standalone switches or become part of a
different Virtual Chassis configuration.

NOTE: When you remove a member switch from a Virtual Chassis configuration,
you should recycle the member ID using the request virtual-chassis recycle command.

Merging Virtual Chassis Configurations


There are two scenarios in which separate Virtual Chassis merge:

A Virtual Chassis configuration that had split into two is now merging back into
a single configuration because the problem that had caused it to split has been
resolved.

You want to merge two Virtual Chassis that had not previously been configured
together.

Every Virtual Chassis configuration has a unique ID that is automatically assigned
when the Virtual Chassis configuration is formed. You can also explicitly assign a
Virtual Chassis ID using the set virtual-chassis id command. A Virtual Chassis ID that
you assign takes precedence over automatically assigned Virtual Chassis IDs.
When you reconnect the separate Virtual Chassis configurations or connect them for
the first time, the members determine whether or not the separate Virtual Chassis
configurations can merge. The members use the following rules to determine whether
a merge is possible:


If the Virtual Chassis configurations have the same Virtual Chassis ID, then the
configurations can merge. If the two Virtual Chassis were formed as the result
of a split, they will have the same Virtual Chassis ID.

If the Virtual Chassis IDs are different, then the two configurations can merge
only if both are active (inactive configurations cannot merge, ensuring that
members removed from one Virtual Chassis configuration do not become
members of another Virtual Chassis configuration). If the configurations to merge
are both active and one of them has a user-configured Virtual Chassis ID, this ID
becomes the ID of the merged Virtual Chassis. If neither Virtual Chassis has a
user-configured Virtual Chassis ID, then the Virtual Chassis ID of the configuration
with the highest mastership priority becomes the ID of the merged Virtual Chassis.
The resulting merged Virtual Chassis configuration will be active.
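The activity rule for each part of a split (What Happens When a Virtual Chassis Configuration Splits) and the merge rules above, as an added Python example that is not Juniper code; the member names, Virtual Chassis IDs and priorities are constructed, and the handling of two user-configured IDs, which the text does not cover, is an assumption.

```python
# Added example (not Juniper code): the activity rule applied to each part of
# a split Virtual Chassis and the merge rules, with constructed sample data.
from dataclasses import dataclass


def part_is_active(part: set, vc_size: int, stable_master: str,
                   stable_backup: str) -> bool:
    """Return True if this part of a split Virtual Chassis stays active.

    vc_size is the Virtual Chassis size as the text defines it: all members
    detected to date minus those whose member IDs have been recycled.
    """
    has_master = stable_master in part
    has_backup = stable_backup in part
    n = len(part)
    if has_master and has_backup:
        return True                      # rule 1: both stable master and backup
    if has_master and n > vc_size / 2:
        return True                      # rule 2: stable master, more than half
    if has_backup and n >= vc_size / 2:
        return True                      # rule 3: stable backup, at least half
    return False


def evaluate_split(members, part_a, vc_size, stable_master, stable_backup):
    """Split members into part_a and the rest; report which part stays active.

    Members of the inactive part fall back to the linecard role.
    """
    part_a = set(part_a)
    part_b = set(members) - part_a
    return {
        "a": part_is_active(part_a, vc_size, stable_master, stable_backup),
        "b": part_is_active(part_b, vc_size, stable_master, stable_backup),
    }


@dataclass(frozen=True)
class VirtualChassis:
    vc_id: str             # constructed IDs; real ones are assigned automatically
    user_configured: bool  # ID was set with 'set virtual-chassis id'
    active: bool
    top_priority: int      # highest mastership priority in this configuration


def merge_result(a: VirtualChassis, b: VirtualChassis):
    """Return (can_merge, merged_vc_id) for two configurations being connected."""
    if a.vc_id == b.vc_id:
        return True, a.vc_id             # same ID, e.g. the two halves of a split
    if not (a.active and b.active):
        return False, None               # an inactive configuration never merges
    if a.user_configured != b.user_configured:
        return True, (a.vc_id if a.user_configured else b.vc_id)
    # Neither ID is user-configured: the higher mastership priority decides.
    # Both user-configured is not covered by the text; treating it the same
    # way, and letting 'a' win a priority tie, are assumptions of this example.
    return True, (a.vc_id if a.top_priority >= b.top_priority else b.vc_id)


if __name__ == "__main__":
    members = ["m0", "m1", "m2", "m3"]
    # Equal halves with master and backup on different sides: backup side wins.
    print(evaluate_split(members, {"m0", "m2"}, 4, "m0", "m1"))
    auto = VirtualChassis("vc-auto", False, True, 128)
    user = VirtualChassis("vc-user", True, True, 128)
    print(merge_result(auto, user))
```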

When you connect two Virtual Chassis configurations, the following events occur:
1. Connecting the two split Virtual Chassis configurations triggers the
shortest-path-first (SPF) algorithm. The SPF algorithm computes the network
topology and then triggers the master election algorithm. The master election
algorithm waits for the members to synchronize the topology information before
running.

2. The master election algorithm merges the Virtual Chassis IDs of all the members.

3. Each member runs the master election algorithm to select a master and a backup
from among all members with the same Virtual Chassis IDs. For more
information, see Understanding How the Master in a Virtual Chassis
Configuration Is Elected on page 184.

4. The master determines whether the Virtual Chassis configuration is active or
inactive. (See What Happens When a Virtual Chassis Configuration Splits on
page 198.)

5. If the Virtual Chassis configuration is active, the master assigns roles to all
members. If the Virtual Chassis configuration is inactive, the master assigns all
members the role of linecard.

6. When the other members receive their role from the master, they change their
role to backup or linecard. They also use the active or inactive state information
sent by the master to set their own state to active or inactive and to construct
the Virtual Chassis member list from the information sent by the master.

7. If the Virtual Chassis state is active, the master waits for messages from the
members indicating that they have changed their roles to the assigned roles,
and then the master changes its own role to master.

NOTE: When you merge two Virtual Chassis that had not previously been part of the
same Virtual Chassis configuration, any configuration settings (such as the settings
for Telnet/FTP services, GRES, fast failover, VLANs, and so on) that exist on the new
master will become the configuration settings for all members of the new Virtual
Chassis, overwriting any other configuration settings.


Related Topics

Understanding Virtual Chassis Configuration on page 190

Example: Assigning the Virtual Chassis ID to Determine Precedence During a
Virtual Chassis Merge on page 254

Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis
Merge (CLI Procedure) on page 283

Disabling Split and Merge in a Virtual Chassis Configuration (CLI Procedure) on
page 283


Chapter 15

Examples of Configuring Virtual Chassis

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Example: Expanding a Virtual Chassis Configuration in a Single Wiring
Closet on page 208

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 214

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 219

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 234

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration
File on page 239

Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic
When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 250

Example: Assigning the Virtual Chassis ID to Determine Precedence During a
Virtual Chassis Merge on page 254

Example: Configuring Link Aggregation Groups Using Uplink Virtual Chassis
Ports on page 256

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet

A Virtual Chassis configuration is a scalable switch. You can provide secure, redundant
network accessibility with a basic two-member Virtual Chassis configuration and
later expand the Virtual Chassis configuration to provide additional access ports as
your office grows.
This example describes how to configure a Virtual Chassis with a master and backup
in a single wiring closet:

Requirements on page 204

Overview and Topology on page 204

Configuration on page 206


Verification on page 206

Troubleshooting the Virtual Chassis on page 207

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

One EX4200-48P switch

One EX4200-24T switch

One XFP uplink module

Before you begin, be sure you have:

1. Rack-mounted the switches. See Mounting an EX3200 or EX4200 Switch on Two
Posts in a Rack or Cabinet or Mounting an EX3200 or EX4200 Switch on Four
Posts in a Rack or Cabinet or Mounting an EX3200 or EX4200 Switch on a Desk
or Other Level Surface.

2. Installed the uplink module. See Installing an Uplink Module in an EX3200 or
EX4200 Switch.

3. Cabled the switches. See Connecting a Virtual Chassis Cable to an EX4200 Switch.

Overview and Topology


A Virtual Chassis configuration allows you to accommodate the networking needs
of a growing office. The default configuration of a two-member Virtual Chassis includes
a master and a backup switch. In addition to providing more access ports than a
single EX4200 switch can provide, a Virtual Chassis configuration provides high
availability through redundancy.
This example shows a Virtual Chassis configuration composed of two EX4200
switches. One of the switches has an uplink module with ports that can be configured
to connect to a distribution switch or customer edge (CE) router or that can be
configured as Virtual Chassis ports (VCPs) to interconnect with a member switch that
is located too far for the dedicated VCP cabling. (The network interfaces on
EX4200-24F switches can also be configured as VCPs.) For information on configuring
the uplink ports as trunk ports to a distribution switch, see Configuring Gigabit
Ethernet Interfaces (CLI Procedure) on page 383. For an example of configuring
uplink ports as VCPs, see Example: Configuring a Virtual Chassis Interconnected
Across Multiple Wiring Closets on page 219.
By default, after you interconnect the switches with the dedicated VCPs and power
on the switches, the VCPs are operational. The mastership priorities and member
IDs are assigned by the software. The software elects a master based on several
criteria, including how long a member switch has belonged to the Virtual Chassis
configuration. For additional details, see Understanding How the Master in a Virtual
Chassis Configuration Is Elected on page 184. Therefore, we recommend that you
start by powering on only one member switch, the one that you want to function as
the master.

Chapter 15: Examples of Configuring Virtual Chassis

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis.
The Virtual Chassis configuration provides networking access for 50 onsite workers,
who are sitting within range of a single wiring closet. The workers all use personal
computers and VoIP phones. As the office grows, you can add more EX4200 switches
to meet increased needs for access ports.
The topology for this example consists of two switches, one of which contains an
uplink module:

- One EX4200-24T switch (SWA-0) with 24 access ports, including eight ports that
support PoE
- One EX4200-48P switch (SWA-1) with 48 access ports, all of which support PoE
- One XFP uplink module, with two 10-Gigabit Ethernet ports, is installed in the
EX4200-48P switch

Table 39 on page 205 shows the default configuration settings for the two-member
Virtual Chassis.
Table 39: Components of the Basic Virtual Chassis Access Switch Topology

Member Switch   Hardware            Member ID   Role and Priority
SWA-0           EX4200-48P switch   0           Master: mastership priority 128
SWA-1           EX4200-24T switch   1           Backup: mastership priority 128

Figure 16 on page 205 shows that SWA-0 and SWA-1 are interconnected with their
dedicated VCPs on the rear panel. The LCD on the front displays the Member ID and
Role. SWA-0 also includes an uplink module. Its uplink ports can be used to connect
to a distribution switch.
Figure 16: Basic Virtual Chassis with Master and Backup

Configuration
Configure a Virtual Chassis with a default master and backup in a single wiring closet:
Step-by-Step Procedure

To configure a Virtual Chassis with master and backup:

1. Make sure the VCPs on the rear panel of the member switches are properly
cabled. See Virtual Chassis Cabling Configuration Examples for EX4200 Switches.

2. Power on SWA-0 (the member switch that you want to function as the master).

3. Check the front-panel LCD to confirm that the switch has powered on correctly.

4. Run the EZ Setup program on SWA-0, specifying the identification parameters.
See Connecting and Configuring an EX Series Switch (CLI Procedure) on page
79 or Connecting and Configuring an EX Series Switch (J-Web Procedure) on
page 81 for details.

5. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

6. Power on SWA-1.

Verification
To confirm that the Virtual Chassis configuration is operational, perform these tasks:

- Verifying That the Mastership Priority Is Assigned Appropriately on page 206
- Verifying That the VCPs Are Operational on page 207

Verifying That the Mastership Priority Is Assigned Appropriately

Purpose
Verify that the master, which has been selected by default, is the member switch
that you want to function in that role.

Action
1. Check the front-panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.

2. List the member switches of the Virtual Chassis configuration.

user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 0019.e250.47a0
                                               Mastership           Neighbor List
Member ID  Status  Serial No     Model         priority  Role       ID  Interface
0 (FPC 0)  Prsnt   AK0207360276  ex4200-48p    128       Master*    1   vcp-0
                                                                    1   vcp-1
1 (FPC 1)  Prsnt   AK0207360281  ex4200-24t    128       Backup     0   vcp-0
                                                                    0   vcp-1

Member ID for next new member: 2 (FPC 2)

Meaning

The show virtual-chassis status command lists the member switches interconnected
in a Virtual Chassis configuration with the member IDs that have been assigned by
the master, the mastership priority values, and the roles. It also displays the neighbor
members with which each member is interconnected. The output shows that SWA-0,
member 0, has been assigned default mastership priority 128. Because SWA-0 is the
first member to be powered on, it has the most seniority and is therefore assigned
the role of master. SWA-1 is powered on after member 0, so it is assigned the role
of backup. The member IDs are displayed on the front panel of the switches. Check
and confirm whether the default assignment is satisfactory.

Verifying That the VCPs Are Operational

Purpose
Verify that the dedicated Virtual Chassis ports interconnecting the switches are
operational.

Action
Display the Virtual Chassis ports of all the members:
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type       Status   Speed    Neighbor
or                              (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated  Up       32000    1   vcp-1
vcp-1       Dedicated  Up       32000    1   vcp-0
fpc1:
--------------------------------------------------------------------------
Interface   Type       Status   Speed    Neighbor
or                              (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated  Up       32000    1   vcp-0
vcp-1       Dedicated  Up       32000    1   vcp-1

Meaning

The show virtual-chassis vc-port command lists the interfaces that are enabled for
the member switches of the Virtual Chassis configuration and shows the status of
the interfaces. The output in this example shows that two of the VCPs are operational
and two VCPs are not. A single cable has been used to interconnect vcp-0 of member
ID 0 and vcp-0 of member ID 1. That interconnection is sufficient for the switch to
be operational. However, we recommend that you connect the second set of VCPs
for redundancy.
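As an added example (not code from the Juniper guide), the following Python script parses the two show commands used in the verification steps above and reports where the Virtual Chassis deviates from the intended state: the intended master and backup, and both dedicated VCPs Up on every member. The sample outputs are constructed in the guide's format, and the check logic and function names are this example's own.

```python
"""Added example, not from the Juniper guide: check a Virtual Chassis against
its intended master/backup roles and VCP redundancy by parsing the output of
'show virtual-chassis status' and 'show virtual-chassis vc-port all-members'."""
import re

# Constructed sample: member 0 is master, member 1 is backup, and only one
# Virtual Chassis cable is connected, so vcp-1 is Down on both members.
STATUS_OUTPUT = """\
Virtual Chassis ID: 0019.e250.47a0
                                               Mastership           Neighbor List
Member ID  Status  Serial No     Model         priority  Role       ID  Interface
0 (FPC 0)  Prsnt   AK0207360276  ex4200-48p    128       Master*    1   vcp-0
1 (FPC 1)  Prsnt   AK0207360281  ex4200-24t    128       Backup     0   vcp-0
Member ID for next new member: 2 (FPC 2)
"""
VCPORT_OUTPUT = """\
fpc0:
Interface   Type       Status   Speed    Neighbor
or                              (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated  Up       32000    1   vcp-0
vcp-1       Dedicated  Down
fpc1:
Interface   Type       Status   Speed    Neighbor
or                              (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated  Up       32000    0   vcp-0
vcp-1       Dedicated  Down
"""

MEMBER_RE = re.compile(
    r"^(?P<id>\d+) \(FPC \d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<priority>\d+)\s+(?P<role>[A-Za-z]+)\*?"
)
FPC_RE = re.compile(r"^fpc(?P<id>\d+):")
VCP_RE = re.compile(r"^(?P<port>vcp-\d+)\s+(?P<type>\S+)\s+(?P<status>\S+)")


def parse_status(text):
    """Map member ID -> status, model, mastership priority and role
    (the trailing '*' marking the current master is dropped)."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members[int(m["id"])] = {
                "status": m["status"], "model": m["model"],
                "priority": int(m["priority"]), "role": m["role"],
            }
    return members


def parse_vc_ports(text):
    """Map member ID -> {port: status}; the fpc number is the member ID."""
    ports, current = {}, None
    for line in text.splitlines():
        f = FPC_RE.match(line)
        if f:
            current = int(f["id"])
            ports.setdefault(current, {})
            continue
        p = VCP_RE.match(line)
        if p and current is not None:
            ports[current][p["port"]] = p["status"]
    return ports


def check_virtual_chassis(members, ports, expected_master, expected_backup):
    """Return a list of findings; an empty list means the chassis matches intent."""
    findings = []
    by_role = {info["role"]: mid for mid, info in members.items()}
    if by_role.get("Master") != expected_master:
        findings.append(f"member {by_role.get('Master')} is Master, expected {expected_master}")
    if by_role.get("Backup") != expected_backup:
        findings.append(f"member {by_role.get('Backup')} is Backup, expected {expected_backup}")
    # A master or backup outranked by another member's mastership priority
    # holds its role only by seniority and would lose it in a re-election.
    top = max(info["priority"] for info in members.values())
    for mid in (expected_master, expected_backup):
        if mid in members and members[mid]["priority"] < top:
            findings.append(f"member {mid} priority {members[mid]['priority']} is below {top}")
    for mid in members:
        member_ports = ports.get(mid)
        if member_ports is None:
            findings.append(f"member {mid} missing from vc-port output")
            continue
        for port in ("vcp-0", "vcp-1"):   # both dedicated VCPs should be cabled
            state = member_ports.get(port, "absent")
            if state != "Up":
                findings.append(f"member {mid} {port} is {state}: no redundant dedicated VCP")
    return findings


if __name__ == "__main__":
    for finding in check_virtual_chassis(parse_status(STATUS_OUTPUT),
                                         parse_vc_ports(VCPORT_OUTPUT), 0, 1):
        print(finding)
```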

Troubleshooting the Virtual Chassis


To troubleshoot the configuration of a Virtual Chassis, perform these tasks:

Troubleshooting the Assignment of Roles


Problem

The master and backup roles are not assigned to the member switches that you want
to function in these roles.

Solution

Modify the mastership priority values.


To quickly modify the mastership priority of SWA-1 (member ID 1), copy the following
command and paste it into the switch terminal window:
[edit virtual-chassis]
user@SWA-1# set member 1 mastership-priority 255

Troubleshooting the VCPs

Problem
The VCPs are down.

Solution
1. Check to make sure that you have cabled the appropriate ports.

2. Check to make sure that the cables are seated properly.

You should generally cable and interconnect both of the VCPs on the member
switches, for redundancy and high availability.
Related Topics

- Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 208
- Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 214
- Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239
- Configuring a Virtual Chassis (CLI Procedure) on page 265
- Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet


A Virtual Chassis configuration is a scalable switch composed of multiple
interconnected EX4200 switches. Up to ten EX4200 switches can be interconnected
as a Virtual Chassis configuration.
This example describes how to configure an expanding Virtual Chassis within a single
wiring closet:

- Requirements on page 209
- Overview and Topology on page 209
- Configuration on page 211
- Verification on page 212
- Troubleshooting on page 213

Requirements
This example uses the following hardware and software components:

- JUNOS Release 9.0 or later for EX Series switches
- One EX4200-48P switch
- One EX4200-24T switch
- One EX4200-24P switch
- One XFP uplink module

Before you begin, be sure you have:

- Confirmed that the existing Virtual Chassis configuration is operating correctly.
See Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203.

Overview and Topology


A Virtual Chassis configuration can be expanded without disrupting the site's network
connectivity. This example describes adding a member switch to an existing Virtual
Chassis configuration to provide additional access ports for connecting more PCs
and VoIP phones at this location. You can continue to expand the Virtual Chassis
configuration with additional members in the same wiring closet, using the same
procedure. If you want to expand the Virtual Chassis configuration to include member
switches in another wiring closet, see Example: Configuring a Virtual Chassis
Interconnected Across Multiple Wiring Closets on page 219.
If you want to retain the roles of the existing master and backup switches, explicitly
configure the mastership priority of these switches, specifying the highest possible
value (255) for both the master and the backup.
During expansion, the existing Virtual Chassis configuration can remain powered on
and connected to the network. Before powering up the new switch, interconnect it
to the other switches using the dedicated VCPs on the rear panel. Do not run the
EZ Setup program on the added member switch.
This example shows an existing Virtual Chassis configuration composed of two
EX4200 switches. The Virtual Chassis configuration is being expanded to include an
EX4200-24P switch as a linecard member.
The topology for this example consists of:

- One EX4200-48P switch (SWA-0) with 48 access ports, all of which support
Power over Ethernet (PoE)
- One EX4200-24T switch (SWA-1) with 24 access ports, including eight ports that
support PoE
- One EX4200-24P switch (SWA-2) with 24 access ports, all of which support PoE
- One uplink module with two 10-gigabit ports is installed in the EX4200-48P
switch. These ports can be configured as trunk ports to connect to a distribution
switch or customer edge (CE) router or as Virtual Chassis ports (VCPs) to
interconnect with a member switch that is located too far for dedicated VCP
cabling. (The uplink module ports on the SFP and SFP+ uplink modules and the
SFP network interfaces on the EX4200-24F switches can also be used for these
purposes.) For information on configuring the uplink ports as trunk ports to a
distribution switch, see Configuring Gigabit Ethernet Interfaces (CLI Procedure)
on page 383 or Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on
page 377. For information on configuring uplink ports as Virtual Chassis ports,
see Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on
page 276.

Table 40 on page 210 shows the configuration settings for the expanded Virtual
Chassis.
Table 40: Components of the Expanded Virtual Chassis Access Switch

Member Switch   Hardware            Member ID   Role in Virtual Chassis
SWA-0           EX4200-48P switch   0           master; mastership priority 255
SWA-1           EX4200-24T switch   1           backup; mastership priority 255
SWA-2           EX4200-24P switch   2           linecard; mastership priority 128

Figure 17 on page 210 shows that the three member switches (SWA-0, SWA-1, and
SWA-2) are interconnected with their dedicated VCPs on the rear panel. The LCD on
the front displays the member ID and role. SWA-0 also includes an uplink module.
Its uplink ports can be used to connect to a distribution switch.
Figure 17: Expanded Virtual Chassis in Single Wiring Closet


Configuration
To expand a Virtual Chassis configuration to include additional member switches
within a single wiring closet, perform these tasks:

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis configuration.

CLI Quick Configuration

To maintain the master and backup roles of the existing members and ensure that
the new member switch functions in a linecard role, copy the following commands
and paste them into the terminal window:
[edit]
user@SWA-0# set virtual-chassis member 0 mastership-priority 255
user@SWA-1# set virtual-chassis member 1 mastership-priority 255

Step-by-Step Procedure

To ensure that the existing member switches retain their current roles and to add
another member switch in a linecard role:

1. Configure the mastership priority of SWA-0 (member 0) to be the highest possible
value, thereby ensuring that it functions as the master of the expanded Virtual
Chassis configuration.
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

2. Configure the mastership priority of SWA-1 (member 1) to be the highest possible
value. This setting is recommended for high availability and smooth transition
of mastership in case the original master becomes unavailable.
[edit virtual-chassis]
user@SWA-1# set member 1 mastership-priority 255

3. Interconnect the unpowered SWA-2 with SWA-0 and SWA-1 using the dedicated
VCPs on the rear panel. See Virtual Chassis Cabling Configuration Examples for
EX4200 Switches for additional information.

4. Power on SWA-2.
You do not need to configure or run EZ Setup on SWA-2. The identification
parameters that were set up for the master apply implicitly to all members of
the Virtual Chassis configuration. SWA-2 functions in a linecard role, since SWA-0
and SWA-1 have been configured to the highest mastership priority values.


Verification
To verify that the new switch has been added as a linecard and that its VCPs are
operational, perform these tasks:

- Verifying That the New Switch Has Been Added as a Linecard on page 212
- Verifying That the VCPs Are Operational on page 212

Verifying That the New Switch Has Been Added as a Linecard

Purpose
Verify that SWA-2 has been added in a linecard role to the Virtual Chassis
configuration.

Action
Use the show virtual-chassis status command to list the member switches with their
member IDs, mastership priority values, and assigned roles.
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority  Role       ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  255       Master*    1   vcp-0
                                                               2   vcp-1
1 (FPC 1)  Prsnt   def456     ex4200-24t  255       Backup     2   vcp-0
                                                               0   vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p  128       Linecard   0   vcp-0
                                                               1   vcp-1

Meaning
The show virtual-chassis status command lists the member switches of the Virtual
Chassis configuration with the member IDs and mastership priority values. It also
displays the neighbor members with which each member is interconnected. This
output shows that SWA-2 has been assigned member ID 2 and has the default
mastership priority value 128. Because the mastership priority is lower than the
mastership priority of the other members, SWA-2 functions in the linecard role. You
can continue to add more member switches, following the same procedure. It is
possible to have multiple members in linecard roles with the same mastership priority
value.

Verifying That the VCPs Are Operational

Purpose
Verify that the dedicated VCPs interconnecting the member switches are operational.

Action
List the VCP interfaces on the Virtual Chassis configuration.
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc1:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc2:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up

Meaning
The show virtual-chassis vc-port all-members command lists all the interfaces for the
Virtual Chassis configuration. In this case, no VCP uplinks have been configured.
However, the VCP interfaces are automatically configured and enabled when you
interconnect member switches using the dedicated Virtual Chassis ports. There are
two dedicated VCPs on the rear panel of each EX4200 switch. It is recommended
that you interconnect the member switches using both VCPs for redundancy. The
VCP interfaces are identified simply as vcp-0 and vcp-1. The fpc number is the same
as the member ID.

Troubleshooting
To troubleshoot the configuration of an expanded Virtual Chassis, perform these
tasks:

Troubleshooting Mastership Priority

Problem
You want to designate a different member as the master.

Solution
Change the mastership priority value or values of the switches, designating the highest
mastership priority value for the switch that you want to be master.

1. Lower the mastership priority of the existing master (member 0).
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 1

2. Set the mastership priority of the member that you want to be the master to the
highest possible value (255):
[edit virtual-chassis]
user@SWA-2# set member 2 mastership-priority 255

Troubleshooting Nonoperational VCPs


Problem

The VCP interface shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the VCPs.

Related Topics

- Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 214
- Configuring a Virtual Chassis (CLI Procedure) on page 265
- Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration

You can configure a multimember Virtual Chassis access switch in a single wiring
closet without setting any parameters, by simply cabling the switches together
using the dedicated Virtual Chassis ports (VCPs). You do not need to modify the
default configuration to enable these ports. They are operational by default. The
Virtual Chassis configuration automatically assigns the master, backup, and linecard
roles, based on the sequence in which the switches are powered on and other factors
in the master election algorithm. See Understanding How the Master in a Virtual
Chassis Configuration Is Elected on page 184.

TIP: We recommend that you explicitly configure the mastership priority of the
switches to ensure that the switches continue to perform the desired roles when
additional switches are added or other changes occur. However, it is possible to use
the default configuration described in this example.
This example describes how to configure a multimember Virtual Chassis in a single
wiring closet, using the default role assignments:

- Requirements on page 214
- Overview and Topology on page 215
- Configuration on page 216
- Verification on page 216
- Troubleshooting on page 218

Requirements
This example uses the following hardware and software components:

- JUNOS Release 9.0 or later for EX Series switches
- Two EX4200-48P switches
- Four EX4200-24P switches

Overview and Topology


A Virtual Chassis configuration is easily expandable. This example shows a Virtual
Chassis configuration composed of six EX4200 switches. It provides networking
access for 180 onsite workers, who are sitting within range of a single wiring closet.
The six combined switches are identified by a single host name and managed through
a global management IP address.
To set up a multimember Virtual Chassis configuration within a single wiring closet,
you need to run the EZ Setup program only once. Connect to the master and run EZ
Setup to specify its identification, time zone, and network properties. When additional
switches are connected through the Virtual Chassis ports (VCPs), they automatically
receive the same properties that were specified for the master.
The topology for this example (see Figure 1) consists of six switches:

- Two EX4200-48P switches (SWA-0 and SWA-1) with 48 access ports, all of which
support Power over Ethernet (PoE)
- Four EX4200-24P switches (SWA-2, SWA-3, SWA-4, and SWA-5) with 24 access
ports, all of which support PoE

Figure 18 on page 215 shows that all the member switches are interconnected with
the dedicated VCPs on the rear panel. The LCD on the front displays the member ID
and role.
Figure 18: Default Configuration of Multimember Virtual Chassis in a Single Wiring
Closet

Configuration
Configure a multimember Virtual Chassis access switch in a single wiring closet using
the factory defaults:
CLI Quick Configuration

By default, after you interconnect the switches with the dedicated VCPs and power
on the switches, the VCPs are operational. The mastership priorities and member
IDs are assigned by the software. To determine which switch has been selected as
the master, check the LCD on the front panel. It should be the first switch that you
power on. The backup should be the second switch that you power on. The other
switches are all linecards. Wait at least one minute after powering on the master
before continuing to power on the other switches.

Step-by-Step Procedure

To configure a multimember Virtual Chassis with default role assignments:

1. Make sure the dedicated VCPs on the rear panel are properly cabled. See Virtual
Chassis Cabling Configuration Examples for EX4200 Switches for additional
information.

2. Power on the switch that you want to function as the master (SWA-0). This
example uses one of the larger switches (EX4200-48P) as the master.

3. Check the front panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.

4. Run the EZ Setup program on SWA-0, the master, specifying the identification
parameters. See Connecting and Configuring an EX Series Switch (CLI
Procedure) on page 79 or Connecting and Configuring an EX Series Switch
(J-Web Procedure) on page 81 for details.

5. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

6. After a lapse of at least one minute, power on SWA-1. This example uses the
second EX4200-48P switch as the backup.

7. Check the front panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.

8. Power on SWA-2, and check the front panels to make sure that the switch is
operating correctly.

9. Continue to power on the member switches one by one, checking the front
panels as you proceed.

Verification
To confirm that the configuration is working properly, perform these tasks:

- Verifying the Member IDs and Roles of the Member Switches on page 217
- Verifying That the VCPs Are Operational on page 217

Verifying the Member IDs and Roles of the Member Switches

Purpose
Verify that all the interconnected member switches are included within the Virtual
Chassis configuration and that their roles are assigned appropriately.

Action
Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority  Role       ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  128       Master*    1   vcp-0
                                                               5   vcp-1
1 (FPC 1)  Prsnt   def123     ex4200-48p  128       Backup     2   vcp-0
                                                               0   vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p  128       Linecard   3   vcp-0
                                                               1   vcp-1
3 (FPC 3)  Prsnt   cab123     ex4200-24p  128       Linecard   4   vcp-0
                                                               2   vcp-1
4 (FPC 4)  Prsnt   fed456     ex4200-24p  128       Linecard   5   vcp-0
                                                               3   vcp-1
5 (FPC 5)  Prsnt   jkl231     ex4200-24p  128       Linecard   0   vcp-0
                                                               4   vcp-1

Meaning
The show virtual-chassis status command lists the member switches of the Virtual
Chassis configuration with the member IDs and mastership priority values. It also
displays the neighbor members with which each member is interconnected. The fpc
number is the same as the member ID.

Verifying That the VCPs Are Operational

Purpose
Verify that the dedicated VCPs interconnecting the member switches are operational.

Action
Display the Virtual Chassis interfaces.
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc1:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc2:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc3:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc4:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc5:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up

Meaning
The show virtual-chassis vc-port all-members command lists the Virtual Chassis
interfaces that are enabled for the member switches of the Virtual Chassis
configuration and shows the status of the interfaces. In this case, no VCP uplinks
have been configured. However, the VCP interfaces are automatically configured
and enabled when you interconnect member switches using the dedicated VCPs.
There are two dedicated VCPs on the rear panel of each EX4200 switch. The dedicated
VCP interfaces are identified simply as vcp-0 and vcp-1. They do not use the standard
interface address (in which the member ID is represented by the first digit). The
output in this example shows that all interfaces are operational. The fpc number is
the same as the member ID.

Troubleshooting
To troubleshoot the configuration of a multimember Virtual Chassis in a single wiring
closet, perform these tasks:

Troubleshooting Mastership Priority

Problem
You want to explicitly designate one member as the master and another as backup.

Solution
Change the mastership priority value of the member that you want to function as
master, designating the highest mastership priority value for that member.

NOTE: These configuration changes are made through the current master, SWA-0.

1. Configure the mastership priority of member 0 to be the highest possible value.
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

2. Set the mastership priority of another member that you want to function as the
backup member to the same value:
[edit virtual-chassis]
user@SWA-0# set member 2 mastership-priority 255

Troubleshooting Nonoperational VCPs


Problem

The VCP interface shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the VCPs.

Related Topics

- Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 203
- Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219
- Configuring a Virtual Chassis (CLI Procedure) on page 265
- Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets
A Virtual Chassis configuration is a very adaptable access switch solution. You can
install member switches in different wiring closets, interconnecting the member
switches by cabling and configuring uplink module ports and SFP network ports on
EX4200-24F switches as Virtual Chassis ports (VCPs).
This example shows how to use uplink VCPs to connect Virtual Chassis members
that are located too far apart to be connected using the dedicated VCPs. Uplink VCPs
can also be used to connect Virtual Chassis members to form link aggregation groups
(LAGs). For the latter usage, see Example: Configuring Link Aggregation Groups
Using Uplink Virtual Chassis Ports on page 256.

NOTE: You can also configure the SFP network ports on EX4200-24F switches as
VCPs to connect Virtual Chassis member switches across wiring closets and to form
LAGs.

This example describes how to configure a Virtual Chassis access switch
interconnected across wiring closets:

- Requirements on page 220
- Overview and Topology on page 220
- Configuration on page 223
- Verification on page 225
- Troubleshooting on page 227

Requirements
This example uses the following hardware and software components:

- JUNOS Release 9.0 or later for EX Series switches
- Four EX4200 switches
- Four XFP uplink modules

Before you interconnect the members of the Virtual Chassis configuration across
wiring closets, be sure you have:

1. Installed an uplink module in each member switch. See Installing an Uplink
Module in an EX3200 or EX4200 Switch.

2. Powered on, connected, and run the EZ Setup program on SWA-0 (see Table 41
on page 222 for switch names used in this example). See Connecting and
Configuring an EX Series Switch (CLI Procedure) on page 79 or Connecting
and Configuring an EX Series Switch (J-Web Procedure) on page 81 for details.

3. Configured SWA-0 with the virtual management Ethernet (VME) interface for
remote, out-of-band management of the Virtual Chassis configuration, if desired.
See Configuring the Virtual Management Ethernet Interface for Global
Management of a Virtual Chassis (CLI Procedure) on page 279.

4. Interconnected SWA-0 and SWA-1 using the dedicated VCPs on the rear panel.
SWA-1 must not be powered on at this time.

5. Interconnected SWA-2 and SWA-3 using the dedicated VCPs on the rear panel.
SWA-2 and SWA-3 must not be powered on at this time.

Overview and Topology


In this example, four EX4200 switches will be interconnected in a Virtual Chassis
configuration. Two of these (SWA-0 and SWA-1) are located in wiring closet A and
the other two (SWA-2 and SWA-3) are located in wiring closet B.
For ease of monitoring and manageability, we want to interconnect all four switches
as members of a Virtual Chassis configuration. Prior to configuring the Virtual Chassis,
we installed uplink modules in each of the member switches. In this example, uplink
modules are installed in all four members so that there are redundant VCP connections
across the wiring closets. If you want to expand this configuration to include more
members within these wiring closets, you do not need to add any more uplink
modules. Simply use the dedicated VCPs on the rear panel. The redundancy of uplink
VCPs provided in this example is sufficient.
We have interconnected the switches in wiring closet A and also interconnected the
ones in wiring closet B using the dedicated VCPs. The interfaces for the dedicated
VCPs are operational by default. They do not need to be configured.
However, the Virtual Chassis cables that interconnect the dedicated VCPs of member
switches within a single wiring closet are not long enough to connect member switches
across wiring closets. Instead, we will use the fiber-optic cable connections in the
uplink modules to interconnect the member switches in wiring closet A to the member
switches in wiring closet B. You only need to interconnect one member switch in
wiring closet A to one in wiring closet B to form the Virtual Chassis configuration.
However, for redundancy, this example connects uplink module ports from the two
member switches in wiring closet A to the two member switches in wiring closet B.
We will specify the highest mastership priority value (255) for SWA-0 to make it the
master before we power on SWA-1. Because SWA-0 and SWA-1 are interconnected
with the dedicated VCPs, the master detects that SWA-1 is a member of its Virtual
Chassis configuration and assigns it a member ID.
We configure SWA-2 in wiring closet B without running EZSetup by directly connecting
to the console port. If you wish, you can run EZSetup and specify identification
parameters. Later, when you interconnect SWA-2 with SWA-0, the master of the
Virtual Chassis configuration, the master overwrites any conflicting parameters.
We will use SWA-2 as the backup of the Virtual Chassis configuration. If a problem
occurs in wiring closet A, SWA-2 would take control of the Virtual Chassis configuration
and maintain the network connections. We will configure the same mastership
priority value for SWA-2 (255) that we configured for the master. Because we power
on SWA-0 before we power on SWA-2, SWA-0 has additional prioritization properties
that allow it to retain mastership of the Virtual Chassis configuration. See
Understanding How the Master in a Virtual Chassis Configuration Is Elected on
page 184. We recommend setting identical mastership priority values for the master
and backup members for high availability and smooth transition of mastership in
case the original master becomes unavailable. (Setting identical mastership priority
values for the master and backup members prevents the previous master from
pre-empting the master role from the new master when the previous master comes
back online.)
After we have configured SWA-2 and set one of its uplink module ports as an uplink
VCP, we will interconnect its uplink VCP with an uplink VCP on SWA-0.
Finally, we will power on SWA-3. Because SWA-3 is interconnected with SWA-2 using
the dedicated VCPs on the rear panel, the master will detect that SWA-3 is part of
the expanded Virtual Chassis configuration and assign it member ID 3. For
redundancy, we will configure an uplink VCP on SWA-3 through the master and
interconnect that uplink VCP with an uplink VCP on SWA-1.
Table 41 on page 222 shows the Virtual Chassis configuration settings for a Virtual
Chassis composed of member switches in different wiring closets.


Table 41: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets

Switch   Member ID   Role and Priority                    Location
SWA-0    0           master; mastership priority 255      Wiring closet A
SWA-1    1           linecard; mastership priority 128    Wiring closet A
SWA-2    2           backup; mastership priority 255      Wiring closet B
SWA-3    3           linecard; mastership priority 128    Wiring closet B

Figure 19 on page 222 shows the different types of interconnections used for this
Virtual Chassis configuration. The rear view shows the member switches within each
wiring closet interconnected to each other using the dedicated VCPs. The front view
shows the uplink VCPs interconnected across the wiring closets.
Figure 19: Virtual Chassis Interconnected Across Wiring Closets


Configuration
To configure the Virtual Chassis across multiple wiring closets, perform these tasks:
Step-by-Step Procedure

To configure a Virtual Chassis across multiple wiring closets:

1. Configure the mastership priority of SWA-0 (member 0) to be the highest possible
value (255), thereby ensuring that it functions as the master of the expanded
Virtual Chassis configuration:

[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

2. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member 1:

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1

NOTE: For redundancy, this example configures an uplink VCP in both SWA-0 and
SWA-1. This example omits the specification of the member member-id option in
configuring an uplink VCP for SWA-0 (and, later, for SWA-2). The command
applies by default to the switch where it is executed.

3. Prepare SWA-2 in wiring closet B for interconnecting with the Virtual Chassis
configuration by configuring its mastership priority to be the highest possible
value (255). Its member ID is currently 0, because it is not yet interconnected
with the other members of the Virtual Chassis configuration. It is operating as
a standalone switch. Its member ID will change when it is interconnected.

[edit virtual-chassis]
user@SWA-2# set member 0 mastership-priority 255

NOTE: SWA-2 is configured with the same mastership priority value that we
configured for SWA-0. However, the longer uptime of SWA-0 ensures that, once the
interconnection is made, SWA-0 functions as the master and SWA-2 functions as the
backup.


4. Specify one uplink module port in SWA-2 as an uplink VCP. Its member ID is
0, because it is not yet interconnected with the other members of the Virtual
Chassis configuration.

user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0

NOTE: The setting of the uplink VCP remains intact when SWA-2 reboots and joins
the Virtual Chassis configuration as member 2.

5. Physically interconnect SWA-0 and SWA-2 across wiring closets using their
uplink VCPs. Although SWA-0 and SWA-2 have the same mastership priority
value (255), SWA-0 was powered on first and thus has longer uptime. This results
in SWA-0 retaining mastership while SWA-2 reboots and joins the now expanded
Virtual Chassis configuration as the backup, with member ID 2.

6. Power on SWA-3. It joins the expanded Virtual Chassis configuration as member 3.

NOTE: Member ID 3 is assigned to SWA-3 because SWA-3 was powered on after
members 0, 1, and 2.

7. Because SWA-3 is now interconnected as a member of the Virtual Chassis
configuration, you can specify a redundant uplink VCP on SWA-3 through the
master of the Virtual Chassis configuration:

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 3

8. Physically interconnect SWA-3 and SWA-1 across wiring closets using their
uplink VCPs. Both SWA-1 and SWA-3 have the default mastership priority value
(128) and function in a linecard role.

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis.

Results

Display the results of the configuration on SWA-0:

[edit]
user@SWA-0# show virtual-chassis
member 0 {
    mastership-priority 255;
}
member 1 {
    mastership-priority 128;
}
member 2 {
    mastership-priority 255;
}
member 3 {
    mastership-priority 128;
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Member IDs and Roles of the Member Switches on page 225

Verifying that the Dedicated VCPs and Uplink VCPs Are Operational on page 226

Verifying the Member IDs and Roles of the Member Switches

Purpose
Verify that all the interconnected member switches are included within the Virtual
Chassis configuration and that their roles are assigned appropriately.

Action
Display the members of the Virtual Chassis configuration:

user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                           Mastership            Neighbor List
Member ID  Status  Serial No  Model       Priority    Role       ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p   255        Master*     1  vcp-0
                                                                  2  vcp-1
                                                                  2  vcp-255/1/0
1 (FPC 1)  Prsnt   def456     ex4200-24t   128        Linecard    0  vcp-0
                                                                  0  vcp-1
                                                                  3  vcp255/1/0
2 (FPC 2)  Prsnt   ghi789     ex4200-48p   255        Backup      3  vcp-0
                                                                  3  vcp-1
                                                                  0  vcp-255/1/0
3 (FPC 3)  Prsnt   jkl012     ex4200-24t   128        Linecard    2  vcp-0
                                                                  2  vcp-1
                                                                  3  vcp255/1/0

Meaning
The show virtual-chassis status command lists the member switches interconnected
as a Virtual Chassis configuration with the member IDs that have been assigned by
the master, the mastership priority values, and the roles. It also displays the neighbor
members with which each member is interconnected.
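A check for the roster a practitioner expects to see in this output, added here as an example and not code from the guide: it parses show virtual-chassis status output, compares serial numbers, member IDs, roles and priorities with the roster from Table 41, and verifies that every neighbor listing is reciprocated by the other member. The sample output and the extra zzz999 member are constructed (serial numbers taken from the example, neighbor lists made consistent), and the function names are this example's own.

```python
"""Audit `show virtual-chassis status` output against an expected member roster.

Added example, not code from the JUNOS guide. SAMPLE_STATUS is constructed in
the layout the guide shows, using the example's serial numbers, with the
neighbor lists made consistent between members.
"""
import re

SAMPLE_STATUS = """\
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority   Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p   255       Master*    1  vcp-0
                                                                1  vcp-1
                                                                2  vcp-255/1/0
1 (FPC 1)  Prsnt   def456     ex4200-24t   128       Linecard   0  vcp-0
                                                                0  vcp-1
                                                                3  vcp-255/1/0
2 (FPC 2)  Prsnt   ghi789     ex4200-48p   255       Backup     3  vcp-0
                                                                3  vcp-1
                                                                0  vcp-255/1/0
3 (FPC 3)  Prsnt   jkl012     ex4200-24t   128       Linecard   2  vcp-0
                                                                2  vcp-1
                                                                1  vcp-255/1/0
"""

# A constructed fifth member (hypothetical serial zzz999) that is not in the roster.
ROGUE_LINE = "4 (FPC 4)  Prsnt   zzz999     ex4200-24t   128       Linecard   3  vcp-1\n"

# Expected roster, mirroring Table 41: serial -> (member ID, role, mastership priority).
EXPECTED = {
    "abc123": (0, "Master", 255),
    "def456": (1, "Linecard", 128),
    "ghi789": (2, "Backup", 255),
    "jkl012": (3, "Linecard", 128),
}

MEMBER_RE = re.compile(
    r"^(?P<id>\d+) \(FPC \d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>[A-Za-z]+)\*?")
NEIGHBOR_RE = re.compile(r"(?P<nid>\d+)\s+(?P<intf>vcp-\S+)\s*$")


def parse_status(text):
    """Return {member_id: {status, serial, model, priority, role, neighbors}}."""
    members, current = {}, None
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            current = int(m["id"])
            members[current] = {
                "status": m["status"], "serial": m["serial"], "model": m["model"],
                "priority": int(m["prio"]), "role": m["role"], "neighbors": []}
        # A neighbor entry ends the member line and each continuation line.
        n = NEIGHBOR_RE.search(line)
        if n and current is not None:
            members[current]["neighbors"].append((int(n["nid"]), n["intf"]))
    return members


def audit_members(members, expected):
    """Compare parsed members with the roster; an empty list means no finding."""
    findings = []
    seen = {m["serial"]: mid for mid, m in members.items()}
    for serial, (mid, role, prio) in expected.items():
        if serial not in seen:
            findings.append(f"expected member {serial} (ID {mid}) is missing")
            continue
        m = members[seen[serial]]
        if seen[serial] != mid:
            findings.append(f"{serial}: member ID {seen[serial]}, expected {mid}")
        if m["role"] != role:
            findings.append(f"{serial}: role {m['role']}, expected {role}")
        if m["priority"] != prio:
            findings.append(f"{serial}: mastership priority {m['priority']}, expected {prio}")
        if m["status"] != "Prsnt":
            findings.append(f"{serial}: status {m['status']}")
    for serial, mid in seen.items():
        if serial not in expected:
            findings.append(f"unexpected member {serial} joined as ID {mid}")
    roles = [m["role"] for m in members.values()]
    if roles.count("Master") != 1 or roles.count("Backup") != 1:
        findings.append("expected exactly one Master and one Backup")
    return findings


def check_neighbor_symmetry(members):
    """Every member listed as a neighbor must list that member back (cabling check)."""
    problems = []
    for mid, m in members.items():
        for nid, intf in m["neighbors"]:
            if nid not in members:
                problems.append(f"member {mid} {intf}: neighbor {nid} is not in the chassis")
            elif not any(back == mid for back, _ in members[nid]["neighbors"]):
                problems.append(f"member {mid} {intf}: member {nid} does not list {mid} back")
    return problems


if __name__ == "__main__":
    for label, text in (("expected", SAMPLE_STATUS), ("with rogue", SAMPLE_STATUS + ROGUE_LINE)):
        parsed = parse_status(text)
        print(label, audit_members(parsed, EXPECTED), check_neighbor_symmetry(parsed))
```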


Verifying that the Dedicated VCPs and Uplink VCPs Are Operational

Purpose
Verify that the dedicated VCPs interconnecting member switches in wiring closet A
and the uplink VCPs interconnecting the member switches between wiring closets
are operational.

Action
Display the Virtual Chassis interfaces:

user@SWA-0> show virtual-chassis vc-port all-members

fpc0:
--------------------------------------------------------------------------
Interface   Type             Trunk  Status  Speed   Neighbor
or                           ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated        1      Up      32000
vcp-1       Dedicated        2      Up      32000   1   vcp-0
1/0         Auto-Configured  1      Up      1000    2   vcp-255/1/0

fpc1:
--------------------------------------------------------------------------
Interface   Type             Trunk  Status  Speed   Neighbor
or                           ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated        1      Up      32000   0   vcp-0
vcp-1       Dedicated        2      Up      32000   0   vcp-1
1/0         Auto-Configured  1      Up      1000    3   vcp-255/1/0

fpc2:
--------------------------------------------------------------------------
Interface   Type             Trunk  Status  Speed   Neighbor
or                           ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated        1      Up      32000   3   vcp-0
vcp-1       Dedicated        2      Up      32000
1/0         Auto-Configured  1      Up      1000    0   vcp-255/1/0

fpc3:
--------------------------------------------------------------------------
Interface   Type             Trunk  Status  Speed   Neighbor
or                           ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated        1      Up      32000   2   vcp-0
vcp-1       Dedicated        2      Up      32000   2   vcp-1
1/0         Auto-Configured  1      Up      1000    1   vcp-255/1/0

Meaning
The dedicated VCPs are displayed as vcp-0 and vcp-1. The interface on the switch
that has been set as an uplink VCP is displayed as 1/0. The member interface names
of uplink VCPs are of the form vcp-255/pic/port, for example, vcp-255/1/0. In that
name, vcp-255 indicates that the interface is an uplink VCP, 1 is the uplink PIC
number, and 0 is the uplink port number. The fpc number is the same as the member
ID. The Trunk ID is a positive number ID assigned to the LAG formed by the Virtual
Chassis. If no LAG is formed, the value is 1.


Troubleshooting
To troubleshoot a Virtual Chassis configuration that is interconnected across wiring
closets, perform these tasks:

Troubleshooting Nonoperational VCPs


Problem

An uplink VCP shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the
ports.

If the VCP is an uplink module port, make sure that it has been explicitly set as
an uplink VCP.

If the VCP is an uplink module port, make sure that you have specified the options
(pic-slot, port, and member) correctly.

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet
on page 208

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 214

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page
276

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch
EX Series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle.
This example describes how to configure uplink LAGs to connect a Virtual Chassis
access switch to a Virtual Chassis distribution switch:

Requirements on page 227

Overview and Topology on page 228

Configuration on page 230

Verification on page 232

Troubleshooting on page 233

Requirements
This example uses the following software and hardware components:


JUNOS Release 9.0 or later for EX Series switches

Two EX4200-48P switches

Two EX4200-24F switches

Four XFP uplink modules

Before you configure the LAGs, be sure you have:

Configured the Virtual Chassis switches. See Example: Configuring a Virtual
Chassis with a Master and Backup in a Single Wiring Closet on page 203.

Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 383.

Overview and Topology


For maximum speed and resiliency, you can combine uplinks between an access
switch and a distribution switch into LAGs. Using LAGs can be particularly effective
when connecting a multi-member, virtual-chassis access switch to a multi-member
virtual-chassis distribution switch.
The Virtual Chassis access switch in this example is composed of two member
switches. Each member switch has an uplink module with two 10-Gigabit Ethernet
ports. These ports are configured as trunk ports, connecting the access switch with
the distribution switch.
Configuring the uplinks as LAGs has the following advantages:

Link Aggregation Control Protocol (LACP) can optionally be configured for link
negotiation.

It doubles the speed of each uplink from 10 Gbps to 20 Gbps.

If one physical port is lost for any reason (a cable is unplugged or a switch port
fails, or one member switch is unavailable), the logical port transparently
continues to function over the remaining physical port.

The topology used in this example consists of one Virtual Chassis access switch and
one Virtual Chassis distribution switch. The access switch is composed of two
EX4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
Virtual Chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.
Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one VLAN.
If the remote end is a security device, LACP may not be supported, because security
devices demand a deterministic configuration. In this case, do not configure LACP.
All links in the LAG will be permanently up unless a link failure within the Ethernet
physical or the data link layers has been detected. The remaining uplink ports from
SWA-0 and from SWA-1 are combined as a second LAG connection (ae1) to SWD-1.
LAG ae1 is used for another VLAN.
Figure 20: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual
Chassis Distribution Switch

Table 42 details the topology used in this configuration example.


Table 42: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis
Distribution Switch

Switch  Hostname and VCID                   Base Hardware      Uplink Module          Member ID  Trunk Port
SWA-0   Host-A Access switch, VCID 1        EX4200-48P switch  One XFP uplink module  0          xe-0/1/0 to SWD-0
                                                                                                 xe-0/1/1 to SWD-1
SWA-1   Host-A Access switch, VCID 1        EX4200-48P switch  One XFP uplink module  1          xe-1/1/0 to SWD-0
                                                                                                 xe-1/1/1 to SWD-1
SWD-0   Host-D Distribution switch, VCID 4  EX4200-24F switch  One XFP uplink module  0          xe-0/1/0 to SWA-0
                                                                                                 xe-0/1/1 to SWA-1
SWD-1   Host-D Distribution switch, VCID 4  EX4200-24F switch  One XFP uplink module  1          xe-1/1/0 to SWA-0
                                                                                                 xe-1/1/1 to SWA-1

Configuration
To configure two uplink LAGs from the Virtual Chassis access switch to the Virtual
Chassis distribution switch:
CLI Quick Configuration

To quickly configure aggregated Ethernet high-speed uplinks between a Virtual Chassis
access switch and a Virtual Chassis distribution switch, copy the following commands
and paste them into the switch terminal window:

[edit]
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options link-speed 10g
set interfaces ae0 unit 0 family inet address 192.0.2.0/25
set interfaces ae1 unit 1 family inet address 192.0.2.128/25
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1

Step-by-Step Procedure

To configure aggregated Ethernet high-speed uplinks between a Virtual Chassis access
switch and a Virtual Chassis distribution switch:

1. Specify the number of LAGs to be created on the chassis:

[edit chassis]
user@Host-A# set aggregated-devices ethernet device-count 2

2. Specify the number of links that need to be present for the ae0 LAG interface
to be up:

[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options minimum-links 2

3. Specify the number of links that need to be present for the ae1 LAG interface
to be up:

[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options minimum-links 2

4. Specify the media speed of the ae0 link:

[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options link-speed 10g

5. Specify the media speed of the ae1 link:

[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options link-speed 10g

6. Specify the interface ID of the uplinks to be included in LAG ae0:

[edit interfaces]
user@Host-A# set xe-0/1/0 ether-options 802.3ad ae0
user@Host-A# set xe-1/1/0 ether-options 802.3ad ae0

7. Specify the interface ID of the uplinks to be included in LAG ae1:

[edit interfaces]
user@Host-A# set xe-0/1/1 ether-options 802.3ad ae1
user@Host-A# set xe-1/1/1 ether-options 802.3ad ae1

8. Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:

[edit interfaces]
user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25

9. Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:

[edit interfaces]
user@Host-A# set ae1 unit 1 family inet address 192.0.2.128/25

Results

Display the results of the configuration:

[edit]
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    ae0 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.0/25;
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.128/25;
            }
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
}

Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:

Verifying That LAG ae0 Has Been Created on page 232

Verifying That LAG ae1 Has Been Created on page 233

Verifying That LAG ae0 Has Been Created

Purpose
Verify that LAG ae0 has been created on the switch.

Action
show interfaces ae0 terse

Interface   Admin  Link  Proto  Local           Remote
ae0         up     up
ae0.0       up     up    inet   10.10.10.2/24

Meaning
The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.

Verifying That LAG ae1 Has Been Created

Purpose
Verify that LAG ae1 has been created on the switch.

Action
show interfaces ae1 terse

Interface   Admin  Link  Proto  Local  Remote
ae1         up     down
ae1.0       up     down  inet

Meaning
The output shows that the ae1 link is down.

Troubleshooting
Troubleshooting a LAG That Is Down

Problem
The show interfaces terse command shows that the LAG is down.

Solution
Check the following:

Verify that there is no configuration mismatch.

Verify that all member ports are up.

Verify that a LAG is part of family ethernet switching (Layer 2 LAG) or family inet
(Layer 3 LAG).

Verify that the LAG member is connected to the correct LAG at the other end.

Verify that the LAG members belong to the same switch (or the same Virtual
Chassis).

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Example: Connecting an Access Switch to a Distribution Switch on page 498

Virtual Chassis Cabling Configuration Examples for EX4200 Switches

Installing an Uplink Module in an EX3200 or EX4200 Switch


Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
EX Series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle. EX Series switches
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).
This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page
227:

Requirements on page 234

Overview and Topology on page 234

Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 235

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch on page 236

Verification on page 237

Troubleshooting on page 238

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX Series switches

Two EX4200-48P switches

Two EX4200-24F switches

Four EX Series XFP uplink modules

Before you configure LACP, be sure you have:

Set up the Virtual Chassis switches. See Example: Configuring a Virtual Chassis
with a Master and Backup in a Single Wiring Closet on page 203.

Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 383.

Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed
Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 227.

Overview and Topology


This example assumes that you are already familiar with the Example: Configuring
Aggregated Ethernet High-Speed Uplinks between Virtual Chassis Access Switch and
Virtual Chassis Distribution Switch. The topology in this example is exactly the same
as the topology in that other example. This example shows how to use LACP to
enhance the LAG functionality.
LACP exchanges are made between actors (the transmitting link) and partners (the
receiving link). The LACP mode can be either active or passive.

NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.
By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level.
The interval can be fast (every second) or slow (every 30 seconds).

Configuring LACP for the LAGs on the Virtual Chassis Access Switch
To configure LACP for the access switch LAGs, perform these tasks:
CLI Quick Configuration

To quickly configure LACP for the access switch LAGs, copy the following commands
and paste them into the switch terminal window:
[edit]
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp active periodic fast

Step-by-Step Procedure

To configure LACP for Host-A LAGs ae0 and ae1:

1. Specify the aggregated Ethernet options for both bundles:

[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options lacp active periodic fast
user@Host-A# set ae1 aggregated-ether-options lacp active periodic fast

Results

Display the results of the configuration:


[edit interfaces]
user@Host-A# show
ae0 {
    aggregated-ether-options {
        lacp {
            active;
            periodic fast;
        }
    }
}
ae1 {
    aggregated-ether-options {
        lacp {
            active;
            periodic fast;
        }
    }
}

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
To configure LACP for the two uplink LAGs from the Virtual Chassis access switch to
the Virtual Chassis distribution switch, perform these tasks:
CLI Quick Configuration

To quickly configure LACP for the distribution switch LAGs, copy the following
commands and paste them into the switch terminal window:
[edit interfaces]
set ae0 aggregated-ether-options lacp passive periodic fast
set ae1 aggregated-ether-options lacp passive periodic fast

Step-by-Step Procedure

To configure LACP for Host-D LAGs ae0 and ae1:

1. Specify the aggregated Ethernet options for both bundles:

[edit interfaces]
user@Host-D# set ae0 aggregated-ether-options lacp passive periodic fast
user@Host-D# set ae1 aggregated-ether-options lacp passive periodic fast

Results

Display the results of the configuration:

[edit interfaces]
user@Host-D# show
ae0 {
    aggregated-ether-options {
        lacp {
            passive;
            periodic fast;
        }
    }
}
ae1 {
    aggregated-ether-options {
        lacp {
            passive;
            periodic fast;
        }
    }
}
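The conditions the troubleshooting lists in these examples name (LACP passive at both ends, LACP on one end only, a minimum-links value the member links cannot satisfy) can be checked from the set statements of both ends before anything is committed; the following is an added example, not code from the guide. Both configurations are constructed from the statements used in these examples, with ae1 deliberately left passive on both ends and given only one member link on the distribution switch so that the checks fire; the function names are this example's own.

```python
"""Check LAG and LACP `set` statements from both ends of an uplink bundle.

Added example, not code from the JUNOS guide. The two configurations are
constructed from the set statements in the examples above: ae0 is configured
as in the guide (active on the access switch, passive on the distribution
switch); ae1 is deliberately broken so that the checks report something.
"""
import re

ACCESS_CFG = """\
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options link-speed 10g
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp passive periodic fast
"""

# Distribution end (constructed): ae1 has one member link and is passive too.
DIST_CFG = """\
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp passive periodic fast
set interfaces ae1 aggregated-ether-options lacp passive periodic fast
"""

MEMBER_RE = re.compile(r"^set interfaces (\S+) ether-options 802\.3ad (ae\d+)$")
OPTION_RE = re.compile(r"^set interfaces (ae\d+) aggregated-ether-options (.+)$")


def parse_lag_config(text):
    """Return {ae-name: {"members": [...], "minimum_links": int or None, "lacp": mode or None}}."""
    lags = {}

    def entry(name):
        return lags.setdefault(name, {"members": [], "minimum_links": None, "lacp": None})

    for line in text.splitlines():
        line = line.strip()
        m = MEMBER_RE.match(line)
        if m:
            entry(m.group(2))["members"].append(m.group(1))
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        opts = m.group(2).split()
        if opts[0] == "minimum-links":
            entry(m.group(1))["minimum_links"] = int(opts[1])
        elif opts[0] == "lacp":
            # The guide states that LACP is passive unless active is configured.
            entry(m.group(1))["lacp"] = "active" if "active" in opts else "passive"
    return lags


def check_lag_pair(local, remote, name):
    """Findings for one bundle seen from both ends; an empty list means none."""
    a, b = local.get(name), remote.get(name)
    if a is None or b is None:
        return [f"{name}: configured on one end only"]
    findings = []
    for side, cfg in (("local", a), ("remote", b)):
        need = cfg["minimum_links"] or 1
        if len(cfg["members"]) < need:
            findings.append(f"{name} {side}: minimum-links {need} but only "
                            f"{len(cfg['members'])} member links, bundle can never come up")
    if len(a["members"]) != len(b["members"]):
        findings.append(f"{name}: {len(a['members'])} member links locally, "
                        f"{len(b['members'])} remotely")
    if (a["lacp"] is None) != (b["lacp"] is None):
        findings.append(f"{name}: LACP configured on one end only")
    elif a["lacp"] == "passive" and b["lacp"] == "passive":
        findings.append(f"{name}: LACP passive at both ends, no LACP packets are sent")
    return findings


def check_all(local_text, remote_text):
    """Run the pair check for every bundle named on either end."""
    local, remote = parse_lag_config(local_text), parse_lag_config(remote_text)
    return {name: check_lag_pair(local, remote, name)
            for name in sorted(set(local) | set(remote))}


if __name__ == "__main__":
    for name, findings in check_all(ACCESS_CFG, DIST_CFG).items():
        print(name, "ok" if not findings else findings)
```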


Verification
To verify that LACP packets are being exchanged, perform these tasks:

Verifying the LACP Settings on page 237

Verifying That the LACP Packets Are Being Exchanged on page 237

Verifying the LACP Settings

Purpose
Verify that LACP has been set up correctly.

Action
Use the show lacp interfaces interface-name command to check that LACP has been
enabled as active on one end.

user@Host-A> show lacp interfaces xe-0/1/0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                Defaulted   Fast periodic           Detached

Meaning
The output indicates that LACP has been set up correctly and is active at one end.

Verifying That the LACP Packets Are Being Exchanged

Purpose
Verify that LACP packets are being exchanged.

Action
Use the show interfaces aex statistics command to display LACP information.

user@Host-A> show interfaces ae0 statistics
Physical interface: ae0, Enabled, Physical link is Down
  Interface index: 153, SNMP ifIndex: 30
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0
  Last flapped   : Never
  Statistics last cleared: Never
  Input packets : 0
  Output packets: 0
  Input errors: 0, Output errors: 0

  Logical interface ae0.0 (Index 71) (SNMP ifIndex 34)
    Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Protocol inet
      Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning
The output here shows that the link is down and that no PDUs are being exchanged.

Troubleshooting
These are some tips for troubleshooting:

Troubleshooting a Nonworking LACP Link

Problem

The LACP link is not working.

Solution

Check the following:

Remove the LACP configuration and verify whether the static LAG is up.

Verify that LACP is configured at both ends.

Verify that LACP is not passive at both ends.

Verify whether LACP protocol data units (PDUs) are being exchanged by running
the monitor traffic interface lag-member detail command.

Related Topics

Example: Connecting an Access Switch to a Distribution Switch on page 498

Virtual Chassis Cabling Configuration Examples for EX4200 Switches

Installing an Uplink Module in an EX3200 or EX4200 Switch
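The following script is an added example and is not part of the Juniper guide. It applies the checks in the list above to captured show lacp interfaces output: it parses the Actor and Partner state rows and the protocol row for each member link, then flags a link on which LACP is passive at both ends, on which no partner PDUs have arrived (receive state Defaulted), or which is not distributing traffic. Both sample outputs are constructed; the bundle ae0 and member link xe-0/1/0 follow the example above, and the first sample mirrors its failing state.

```python
"""Check 'show lacp interfaces' output for the LAG problems listed above.

Added example, not from the Juniper guide. The two outputs below are
constructed to resemble the Junos 'show lacp interfaces' format; the first
mirrors the failing case above (both ends Passive, receive state Defaulted).
"""
import re

# Constructed: LACP configured on both ends but passive on both, so neither
# side ever sends a PDU and the partner information stays defaulted.
BROKEN = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast  Passive
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast  Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0              Defaulted   Fast periodic           Detached
"""

# Constructed: the same link after one end is made active; partner state is
# learned from real PDUs and the link is collecting and distributing.
HEALTHY = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast  Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                Current   Fast periodic   Collecting distributing
"""

FLAGS = ("Exp", "Def", "Dist", "Col", "Syn", "Aggr", "Timeout", "Activity")


def parse_lacp(text):
    """Return {link: {"Actor": flags, "Partner": flags, "protocol": states}}."""
    links = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 10 and cols[1] in ("Actor", "Partner"):
            # state row: link, role, then the eight single-word flag columns
            links.setdefault(cols[0], {})[cols[1]] = dict(zip(FLAGS, cols[2:]))
            continue
        # protocol row: cells contain spaces ("Fast periodic"), so split on
        # runs of two or more spaces rather than on single whitespace
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) == 4 and cells[0] in links:
            links[cells[0]]["protocol"] = dict(zip(("rx", "tx", "mux"), cells[1:]))
    return links


def lacp_issues(links):
    """Map the parsed state onto the troubleshooting checks listed above."""
    issues = []
    for link, info in sorted(links.items()):
        actor, partner = info.get("Actor"), info.get("Partner")
        proto = info.get("protocol", {})
        if actor and partner and actor["Activity"] == partner["Activity"] == "Passive":
            issues.append(f"{link}: LACP is passive at both ends, neither side initiates")
        if proto.get("rx") == "Defaulted":
            issues.append(f"{link}: receive state Defaulted, no PDUs received from the partner")
        if actor and actor["Dist"] == "No" and proto.get("mux") == "Detached":
            issues.append(f"{link}: not distributing traffic (mux state Detached)")
    return issues


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(name, lacp_issues(parse_lacp(text)) or ["no issues"])
```

Feed it the output of show lacp interfaces captured from the switch; each reported issue corresponds to one of the checks in the list, so a clean result on both ends narrows the problem to cabling or to the static LAG configuration.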

Chapter 15: Examples of Configuring Virtual Chassis

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File


You can deterministically control both the role and the member ID assigned to each
member switch in a Virtual Chassis configuration by creating a preprovisioned
configuration file.
A preprovisioned configuration file links the serial number of each EX4200 switch
in the configuration to a specified member ID and role. The serial number must be
specified in the configuration file for the member to be recognized as part of the
Virtual Chassis configuration.
You must select two members that you want to make eligible for election as master
of the Virtual Chassis configuration. When you list these two members in the
preprovisioned configuration file, you designate both members as routing-engine.
One will function as the master of the Virtual Chassis configuration and the other
will function as the backup.
You designate additional members, which are not eligible for election as master, as
having the linecard role in the preprovisioned configuration file.

NOTE: When you use a preprovisioned configuration, you cannot modify the
mastership priority or member ID of member switches through the user interfaces.

NOTE: After you have created a preprovisioned Virtual Chassis configuration, you
can use the autoprovisioning feature to add member switches to that configuration.
See Adding a New Switch to an Existing Virtual Chassis Configuration (CLI
Procedure) on page 270.

This example describes how to configure a Virtual Chassis across multiple wiring
closets using a preprovisioned configuration file:

Requirements on page 239

Overview and Topology on page 240

Configuration on page 244

Verification on page 247

Troubleshooting on page 250

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

Five EX4200-48P switches

Five EX4200-24T switches

Four XFP uplink modules


Before you create the preprovisioned configuration of the Virtual Chassis and
interconnect the members across the wiring closets, be sure you have:

1. Made a list of the serial numbers of all the switches to be connected as a Virtual
Chassis configuration.

2. Noted the desired role (routing-engine or linecard) of each switch. If you configure
the member with a routing-engine role, it is eligible to function as a master or
backup. If you configure the member with a linecard role, it is not eligible to
become a master or backup.

3. Installed an uplink module in each of the member switches that will be
interconnected across wiring closets. See Installing an Uplink Module in an
EX3200 or EX4200 Switch.

4. Interconnected the member switches within each wiring closet using the
dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis
Cable to an EX4200 Switch.

5. Powered on the switch that you plan to use as the master switch (SWA-0).

6. Run the EZSetup program on SWA-0, specifying the identification parameters.
See Connecting and Configuring an EX Series Switch (CLI Procedure) on page
79 for details.
SWA-0 is going to be configured in the example to function as the master of the
Virtual Chassis configuration. Thus, the properties that you specify for SWA-0
will apply to the entire Virtual Chassis configuration, including all the member
switches that you specify in the preprovisioned configuration file.

7. Configured SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

Overview and Topology

In this example, five EX4200 switches (SWA-0 through SWA-4) are interconnected
with their dedicated VCPs in wiring closet A and five EX4200 switches (SWA-5 through
SWA-9) are interconnected with their dedicated VCPs in wiring closet B.
SWA-0 (in wiring closet A) is going to be the master of the Virtual Chassis
configuration. This example shows how to create a preprovisioned configuration file
on SWA-0 for all member switches that will be interconnected in the Virtual Chassis
configuration. The preprovisioned configuration file includes member IDs for the
members in wiring closet A and for the members in wiring closet B.
SWA-5 (in wiring closet B) is going to be the backup of the Virtual Chassis
configuration. Both SWA-0 and SWA-5 are specified in the preprovisioned
configuration file with the role of routing-engine. All other members are specified with
the role of linecard.
If all member switches could be interconnected with their dedicated VCPs, you could
simply power on the switches after saving and committing the preprovisioned
configuration file. The master detects the connection of the members through the
dedicated VCPs and applies the parameters specified in the preprovisioned
configuration file.
However, the Virtual Chassis cables that interconnect the VCPs of member switches
within a single wiring closet are not long enough to connect member switches across
wiring closets. Instead, you can configure the uplink module ports and the SFP
network ports on EX4200-24F switches as VCPs to interconnect the member switches
in wiring closet A to the member switches in wiring closet B. For redundancy, this
example connects uplink VCPs from two member switches in wiring closet A (SWA-0
and SWA-2) to two member switches (SWA-5 and SWA-7) in wiring closet B.

NOTE: You can use interfaces on SFP, SFP+, and XFP uplink modules and the SFP
network ports on EX4200-24F switches as VCPs. When an uplink module port or
SFP network port is set as a VCP, it cannot be used for any other purpose. The SFP
uplink module has four 1-Gbps ports; the SFP+ uplink module has four 1-Gbps or
two 10-Gbps ports; the XFP uplink module has two 10-Gbps ports. The uplink module
ports that are not set as VCPs can be configured as trunk ports to connect to a
distribution switch.

Because this particular preprovisioned configuration is for a Virtual Chassis that is
interconnected across wiring closets, we will bring up the Virtual Chassis configuration
in stages. First, we power on SWA-0 (without powering on any other switches) and
create the preprovisioned configuration file. Then we power on the remaining switches
in wiring closet A. If we check the status of the Virtual Chassis configuration at this
point by using the show virtual-chassis status command, it will display only member
0 through member 4. The members that have not yet been interconnected will not
be listed.
Next, power on SWA-5 without powering on the remaining switches (SWA-6 through
SWA-9) in wiring closet B. Bring up SWA-5 as a standalone switch and set one of its
uplinks as a VCP prior to interconnecting it with the Virtual Chassis configuration in
wiring closet A. Without this setting, SWA-5 cannot be detected as a member switch
by the master of the Virtual Chassis configuration.
You can set the uplink VCP of SWA-5 without running the EZSetup program by
directly connecting to the console port. If you wish, you can run the EZSetup program
and specify identification parameters. When you interconnect SWA-5 with the master
of the Virtual Chassis configuration, the master overwrites any conflicting parameters.
After setting the VCP in SWA-5, connect this VCP with the VCP of SWA-0 in wiring
closet A. SWA-5 (serial number pqr678) is specified as a routing-engine in the
preprovisioned configuration file.
This example uses SWA-5 as the backup of the Virtual Chassis configuration. If a
problem occurred in wiring closet A, SWA-5 would take control of the Virtual Chassis
configuration and maintain the network connections. Specify both SWA-0 and SWA-5
as routing-engine. Because SWA-0 is powered on prior to SWA-5, it has additional
prioritization properties that cause it to be elected as master of the Virtual Chassis
configuration.


After being physically interconnected with SWA-0, SWA-5 reboots and comes up as
member 5 and as the backup of the Virtual Chassis configuration.
Power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. The
master can now detect that all members are present. Finally, for redundancy,
configure an additional VCP on SWA-7 through the master.
The topology for this example consists of:

Three EX4200-48P switches (SWA-0, SWA-2, and SWA-4) in wiring closet A.

Two EX4200-48P switches (SWA-5 and SWA-9) in wiring closet B.

Two EX4200-24T switches (SWA-1 and SWA-3) in wiring closet A.

Three EX4200-24T switches (SWA-6, SWA-7, and SWA-8) in wiring closet B.

Four XFP uplink modules. Two are installed in wiring closet A and two are
installed in wiring closet B.

Table 43 on page 242 shows the Virtual Chassis configuration settings for a
preprovisioned Virtual Chassis composed of member switches in different wiring
closets.

Table 43: Components of a Preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets

Switch | Serial number | Member ID | Role           | Uplink Module Ports | Hardware                         | Location
-------|---------------|-----------|----------------|---------------------|----------------------------------|----------------
SWA-0  | abc123        | 0         | routing-engine | xe-0/1/0            | EX4200-48P and XFP uplink module | Wiring closet A
SWA-1  | def456        | 1         | linecard       |                     | EX4200-24T                       | Wiring closet A
SWA-2  | ghi789        | 2         | linecard       | xe-2/1/0            | EX4200-48P and XFP uplink module | Wiring closet A
SWA-3  | jkl012        | 3         | linecard       |                     | EX4200-24T                       | Wiring closet A
SWA-4  | mno345        | 4         | linecard       |                     | EX4200-48P                       | Wiring closet A
SWA-5  | pqr678        | 5         | routing-engine | xe-0/1/0 (see note) | EX4200-48P and XFP uplink module | Wiring closet B
SWA-6  | stu901        | 6         | linecard       |                     | EX4200-24T                       | Wiring closet B
SWA-7  | vwx234        | 7         | linecard       | xe-7/1/0            | EX4200-24T and XFP uplink module | Wiring closet B
SWA-8  | yza567        | 8         | linecard       |                     | EX4200-24T                       | Wiring closet B
SWA-9  | bcd890        | 9         | linecard       |                     | EX4200-48P                       | Wiring closet B

NOTE: The member ID of SWA-5 is 0 at the time that its uplink module port is
configured as a VCP.

Figure 21 on page 244 shows the different types of interconnections used for this
Virtual Chassis configuration. The rear view shows that the member switches within
each wiring closet are interconnected to each other using the dedicated VCPs. The
front view shows the uplink module ports that have been set as VCPs and
interconnected across the wiring closets. The uplink module ports that are not set
as VCPs can be configured as trunk ports to connect to a distribution switch.

NOTE: The interconnections shown in Figure 21 on page 244 are the same as they
would be for a configuration that was not preprovisioned across wiring closets.


Figure 21: Maximum Size Virtual Chassis Interconnected Across Wiring Closets

Configuration
To configure the Virtual Chassis across multiple wiring closets using a preprovisioned
configuration:

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis configuration.
Step-by-Step Procedure

To create a preprovisioned configuration for the Virtual Chassis:

1. Specify the preprovisioned configuration mode:

[edit virtual-chassis]
user@SWA-0# set preprovisioned

2. Specify all the members that will be included in the Virtual Chassis configuration,
listing each switch's serial number with the desired member ID and the desired
role:

[edit virtual-chassis]
user@SWA-0# set member 0 serial-number abc123 role routing-engine
user@SWA-0# set member 1 serial-number def456 role linecard
user@SWA-0# set member 2 serial-number ghi789 role linecard
user@SWA-0# set member 3 serial-number jkl012 role linecard
user@SWA-0# set member 4 serial-number mno345 role linecard
user@SWA-0# set member 5 serial-number pqr678 role routing-engine
user@SWA-0# set member 6 serial-number stu901 role linecard
user@SWA-0# set member 7 serial-number vwx234 role linecard
user@SWA-0# set member 8 serial-number yza567 role linecard
user@SWA-0# set member 9 serial-number bcd890 role linecard

3. Power on the member switches in wiring closet A.

4. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member
2:

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0 member 2

NOTE: For redundancy, this example sets an uplink VCP in both SWA-0 and SWA-2.
This example omits the specification of the member 0 in setting the uplink for
SWA-0. The command applies by default to the switch where it is executed.

5. Power on SWA-5 and connect to it. This switch comes up as member ID 0 and
functions as master of itself. Although SWA-5 is listed in the preprovisioned
configuration file, it is not a present member of the Virtual Chassis configuration
that has been powered on thus far. In order for the master to detect SWA-5 as
a connected member, you must first set an uplink VCP on SWA-5 and
interconnect that VCP with the uplink VCP of SWA-0.

6. Set the first uplink of SWA-5 to function as a VCP. Because SWA-5 has been
powered on as a separate switch and is still operating independently at this
point, its member ID is 0.

user@SWA-5> request virtual-chassis vc-port set pic-slot 1 port 0

NOTE: This example omits the specification of the member 0 in configuring the
uplink for SWA-5 (at this point the member ID of SWA-5 is still 0). The command
applies by default to the switch where it is executed.

7. Power off SWA-5 and connect the fiber cable from SWA-5 uplink VCP xe-0/1/0
to the uplink VCP xe-0/1/0 on SWA-0.

8. Power on SWA-5.

9. Now that SWA-5 has been brought up as member 5 of the Virtual Chassis
configuration, power on the remaining switches (SWA-6 through SWA-9) in
wiring closet B. They are interconnected with SWA-5 using the dedicated VCPs
on the rear panel and are therefore detected by the master as interconnected
members. If you check the status of the Virtual Chassis configuration at this
point, all the members that were specified in the preprovisioned configuration
file should be displayed as present. Additional configuration for member switches
can now be done through the master switch.

10. Set one uplink module port of SWA-7 to function as a VCP:

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 7

Results

Display the results of the configuration on SWA-0:

[edit]
user@SWA-0# show
virtual-chassis {
    member 0 {
        role routing-engine;
        serial-number abc123;
    }
    member 1 {
        role linecard;
        serial-number def456;
    }
    member 2 {
        role linecard;
        serial-number ghi789;
    }
    member 3 {
        role linecard;
        serial-number jkl012;
    }
    member 4 {
        role linecard;
        serial-number mno345;
    }
    member 5 {
        role routing-engine;
        serial-number pqr678;
    }
    member 6 {
        role linecard;
        serial-number stu901;
    }
    member 7 {
        role linecard;
        serial-number vwx234;
    }
    member 8 {
        role linecard;
        serial-number yza567;
    }
    member 9 {
        role linecard;
        serial-number bcd890;
    }
    preprovisioned;
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Member IDs and Roles of the Member Switches on page 247

Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 248

Verifying the Member IDs and Roles of the Member Switches

Purpose

Verify that the member IDs and roles are all set as expected.

Action

Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Preprovisioned Virtual Chassis
Virtual Chassis ID: 0000.e255.0000
                                           Mastership           Neighbor List
Member ID  Status   Serial No   Model       Priority  Role       ID  Interface
0 (FPC 0)  Prsnt    abc123      ex4200-48p       129  Master*     1  vcp-0
                                                                  4  vcp-1
                                                                  5  1/0
1 (FPC 1)  Prsnt    def456      ex4200-24t            Linecard    2  vcp-0
                                                                  0  vcp-1
2 (FPC 2)  Prsnt    ghi789      ex4200-48p            Linecard    3  vcp-0
                                                                  1  vcp-1
                                                                  7  1/0
3 (FPC 3)  Prsnt    jkl012      ex4200-24t            Linecard    4  vcp-0
                                                                  2  vcp-1
4 (FPC 4)  Prsnt    mno345      ex4200-48p            Linecard    0  vcp-0
                                                                  3  vcp-1
5 (FPC 5)  Prsnt    pqr678      ex4200-48p       129  Backup      6  vcp-0
                                                                  9  vcp-1
                                                                  0  1/0
6 (FPC 6)  Prsnt    stu901      ex4200-24t            Linecard    7  vcp-0
                                                                  5  vcp-1
7 (FPC 7)  Prsnt    vwx234      ex4200-24t            Linecard    8  vcp-0
                                                                  6  vcp-1
                                                                  2  1/0
8 (FPC 8)  Prsnt    yza567      ex4200-24t            Linecard    9  vcp-0
                                                                  7  vcp-1
9 (FPC 9)  Prsnt    bcd890      ex4200-48p            Linecard    5  vcp-0
                                                                  8  vcp-1

Meaning

The output shows that all members listed in the preprovisioned configuration file are
connected to the Virtual Chassis configuration. It confirms that SWA-0 (member 0)
is functioning as the master of the Virtual Chassis configuration, which was the
intention of the configuration procedure. The other switch configured with the
routing-engine role (SWA-5) is functioning as the backup. The Neighbor List displays
the interconnections of the member VCPs.
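The script below is an added example, not code from the Juniper guide. It covers two parts of the procedure above: building the preprovisioned configuration from an inventory of serial numbers and roles (with the checks a preprovisioned file must satisfy: unique serial numbers, member IDs 0 through 9, and exactly two routing-engine members), and comparing the committed inventory against show virtual-chassis status so that a missing member, a serial number that does not match, or a routing-engine member that came up as a linecard is reported. The inventory repeats the serial numbers and roles of Table 43; the status outputs are constructed (the priority and neighbor columns are made up) and the failure case is deliberately altered.

```python
"""Generate a preprovisioned Virtual Chassis configuration and check it against
'show virtual-chassis status' output.

Added example, not from the Juniper guide. INVENTORY repeats the serial numbers
and roles of the example above; the status text is constructed to resemble the
Junos format (the priority and neighbor columns are made up).
"""
import re

# Constructed inventory, as in Table 43: member ID -> (serial number, role).
INVENTORY = {
    0: ("abc123", "routing-engine"), 1: ("def456", "linecard"),
    2: ("ghi789", "linecard"), 3: ("jkl012", "linecard"),
    4: ("mno345", "linecard"), 5: ("pqr678", "routing-engine"),
    6: ("stu901", "linecard"), 7: ("vwx234", "linecard"),
    8: ("yza567", "linecard"), 9: ("bcd890", "linecard"),
}


def build_preprovisioned_config(inventory):
    """Return the set commands for [edit virtual-chassis], after validating the
    inventory as the procedure above requires: unique serial numbers, member
    IDs 0-9, and exactly two routing-engine members (master and backup)."""
    serials = [serial for serial, _ in inventory.values()]
    if len(set(serials)) != len(serials):
        raise ValueError("duplicate serial number in inventory")
    if any(not 0 <= member <= 9 for member in inventory):
        raise ValueError("member IDs must be in the range 0-9")
    roles = [role for _, role in inventory.values()]
    if any(role not in ("routing-engine", "linecard") for role in roles):
        raise ValueError("role must be routing-engine or linecard")
    if roles.count("routing-engine") != 2:
        raise ValueError("exactly two members must have the routing-engine role")
    commands = ["set virtual-chassis preprovisioned"]
    for member in sorted(inventory):
        serial, role = inventory[member]
        commands.append(
            f"set virtual-chassis member {member} serial-number {serial} role {role}")
    return commands


# One status line per member: ID, status, serial, model, priority, role.
# Neighbor-list continuation lines carry no member ID and are skipped.
STATUS_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>Master\*?|Backup|Linecard)")


def parse_vc_status(text):
    """Return {member ID: (status, serial, role)} from show virtual-chassis status."""
    members = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            members[int(m["id"])] = (m["status"], m["serial"], m["role"].rstrip("*"))
    return members


def verify_members(inventory, status):
    """List every difference between the preprovisioned file and the live status."""
    allowed = {"routing-engine": ("Master", "Backup"), "linecard": ("Linecard",)}
    problems = []
    for member, (serial, role) in sorted(inventory.items()):
        if member not in status:
            problems.append(f"member {member} ({serial}): not detected by the master")
            continue
        live_status, live_serial, live_role = status[member]
        if live_status != "Prsnt":
            problems.append(f"member {member}: status is {live_status}")
        if live_serial != serial:
            problems.append(f"member {member}: serial {live_serial}, expected {serial}")
        if live_role not in allowed[role]:
            problems.append(f"member {member}: role {live_role}, expected {allowed[role]}")
    for member in sorted(set(status) - set(inventory)):
        problems.append(f"member {member} ({status[member][1]}): not in the file")
    return problems


# Constructed status output for the healthy case (neighbor lists shortened).
STATUS_OK = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 0000.e255.0000
Member ID  Status  Serial No  Model       Priority  Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p       129  Master*    1  vcp-0
                                                                4  vcp-1
1 (FPC 1)  Prsnt   def456     ex4200-24t         0  Linecard   2  vcp-0
2 (FPC 2)  Prsnt   ghi789     ex4200-48p         0  Linecard   3  vcp-0
3 (FPC 3)  Prsnt   jkl012     ex4200-24t         0  Linecard   4  vcp-0
4 (FPC 4)  Prsnt   mno345     ex4200-48p         0  Linecard   0  vcp-0
5 (FPC 5)  Prsnt   pqr678     ex4200-48p       129  Backup     6  vcp-0
6 (FPC 6)  Prsnt   stu901     ex4200-24t         0  Linecard   7  vcp-0
7 (FPC 7)  Prsnt   vwx234     ex4200-24t         0  Linecard   8  vcp-0
8 (FPC 8)  Prsnt   yza567     ex4200-24t         0  Linecard   9  vcp-0
9 (FPC 9)  Prsnt   bcd890     ex4200-48p         0  Linecard   5  vcp-0
"""

# Constructed failure: SWA-9 never joined and SWA-5 came up as a linecard.
STATUS_BAD = "\n".join(
    line for line in STATUS_OK.replace("Backup", "Linecard").splitlines()
    if not line.startswith("9 (FPC 9)"))
```

Because the preprovisioned file binds each member ID to a serial number, the comparison is also the place to notice a chassis that the master reports under an ID the file does not list; verify_members reports such members last.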

Verifying That the Dedicated VCPs and Uplink VCPs Are Operational

Purpose

Verify that the dedicated VCPs interconnecting the member switches within each
wiring closet and the uplink module VCPs interconnecting the member switches
across wiring closets are operational.

Action

Display the Virtual Chassis interfaces:
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc1:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc2:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc3:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc4:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc5:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc6:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc7:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc8:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc9:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up

Meaning

The dedicated VCPs interconnecting the member switches within wiring closets are
displayed as vcp-0 and vcp-1. The uplink module VCPs interconnecting member
switches (members 0, 2, 5, and 7) across wiring closets are displayed as 1/0 and
1/1 and identified as Configured.

Troubleshooting
To troubleshoot a preprovisioned Virtual Chassis configuration that is interconnected
across wiring closets, perform these tasks:

Troubleshooting Nonoperational VCPs

Problem

A VCP shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the ports.
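As an added example (not code from the Juniper guide), the following script reads show virtual-chassis vc-port all-members output member by member and reports every VCP whose status is not Up, and also confirms that the uplink VCPs the design calls for (in the example above, port 1/0 on members 0, 2, 5, and 7) are present and of type Configured. The sample output is constructed: it shows only two members, the speed and neighbor values are made up, and the uplink VCP of member 2 is deliberately Down.

```python
"""Find Virtual Chassis ports that are not up in 'show virtual-chassis vc-port
all-members' output and confirm that the expected uplink VCPs exist.

Added example, not from the Juniper guide. The sample output is constructed
to resemble the format above (speed and neighbor values are made up) and
shows only two members, with the uplink VCP of member 2 deliberately Down.
"""
import re

SAMPLE = """\
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up       32000    1   vcp-1
vcp-1       Dedicated   Up       32000    4   vcp-0
1/0         Configured  Up       10000    5   1/0
fpc2:
--------------------------------------------------------------------------
Interface   Type        Status   Speed    Neighbor
or                               (mbps)   ID  Interface
PIC / Port
vcp-0       Dedicated   Up       32000    3   vcp-1
vcp-1       Dedicated   Up       32000    1   vcp-0
1/0         Configured  Down
"""

# A port row is "vcp-N" or "pic/port", then type and status; the speed and
# neighbor columns are present only when the link is up.
ROW_RE = re.compile(
    r"^(?P<iface>vcp-\d+|\d+/\d+)\s+(?P<type>Dedicated|Configured)\s+(?P<status>\S+)"
    r"(?:\s+(?P<speed>\d+)\s+(?P<nbr>\d+)\s+(?P<nbr_if>\S+))?")


def parse_vc_ports(text):
    """Return {(member, interface): {"type", "status", "neighbor"}}."""
    ports, member = {}, None
    for line in text.splitlines():
        header = re.match(r"^fpc(\d+):", line)
        if header:
            member = int(header.group(1))   # member ID equals the FPC slot
            continue
        row = ROW_RE.match(line)
        if row and member is not None:
            ports[(member, row["iface"])] = {
                "type": row["type"], "status": row["status"], "neighbor": row["nbr"]}
    return ports


def vcp_problems(ports, expected_uplinks):
    """Report VCPs that are not Up and expected uplink VCPs that are missing.

    expected_uplinks is a set of (member, "pic/port") pairs that the design
    says must be Configured as VCPs, e.g. {(0, "1/0"), (2, "1/0")}.
    """
    problems = [f"member {m} {iface}: {p['type']} VCP is {p['status']}"
                for (m, iface), p in sorted(ports.items()) if p["status"] != "Up"]
    for m, iface in sorted(expected_uplinks):
        port = ports.get((m, iface))
        if port is None:
            problems.append(f"member {m} {iface}: uplink VCP not configured or member absent")
        elif port["type"] != "Configured":
            problems.append(f"member {m} {iface}: expected a Configured uplink VCP")
    return problems


if __name__ == "__main__":
    for problem in vcp_problems(parse_vc_ports(SAMPLE), {(0, "1/0"), (2, "1/0")}):
        print(problem)
```

A Down entry points at the cable check above; a missing entry means the uplink port was never set as a VCP with request virtual-chassis vc-port set, or the member that owns it has not been detected by the master.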

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 219

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When
a Virtual Chassis Member Switch or Inter-Member Link Fails
The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism
that automatically reroutes traffic and reduces traffic loss in the event of a link or
switch failure. If a link between two members fails, traffic flow between those
members must be rerouted quickly so that there is minimal traffic loss.
Fast failover is enabled by default on all dedicated Virtual Chassis ports (VCPs).
This example describes how to configure fast failover on uplink module VCPs in a
Virtual Chassis configuration:

Requirements on page 251

Overview and Topology on page 251

Configuration on page 252

Verification on page 253

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.3 or later for EX Series switches

Six EX4200-24T switches

Four SFP uplink modules

Before you begin configuring fast failover, be sure you have:

1. Mounted the switches. See Mounting an EX3200 or EX4200 Switch on Two Posts
in a Rack or Cabinet, Mounting an EX3200 or EX4200 Switch on a Desk or Other
Level Surface, or Mounting an EX3200 or EX4200 Switch on a Wall.

2. Cabled the switches in a multiple-ring topology to create the Virtual Chassis
configuration. See Connecting a Virtual Chassis Cable to an EX4200 Switch and
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 219. See Figure 15 on page 197 for an illustration of a multiple-ring
topology.

Overview and Topology


In a Virtual Chassis configuration, fast failover automatically reroutes traffic and
reduces traffic loss in the event of a link failure or a member switch failure. By default,
fast failover is enabled on all dedicated Virtual Chassis ports (VCPs). If you configure
uplink module ports as VCPs, you must manually configure fast failover on these
ports.
For fast failover to be effective, the Virtual Chassis members must be configured in
a ring topology. The ring topology can be formed by using either dedicated Virtual
Chassis ports (VCPs) or user-configured uplink module VCPs. Fast failover is supported
only in a ring topology that uses identical port types, for example, either a topology
that uses all dedicated VCPs or one that uses all uplink module VCPs. Fast failover
is not supported in a ring topology that includes both dedicated VCPs and uplink
module VCPs. Fast failover is supported, however, in a Virtual Chassis configuration
that consists of multiple rings.
Figure 15 on page 197 shows an example of a multiple-ring topology.


Figure 22: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology
with Multiple Rings

This example shows how to enable fast failover on uplink module VCPs.
The topology for this example consists of six switches:

Six EX4200-24T switches, four of which have an SFP uplink module installed
(switches 1, 3, 4, and 6)

Configuration
To configure the fast failover feature on uplink module VCPs:

CLI Quick Configuration

To configure fast failover on all SFP uplink module VCPs, copy the following command
and paste it into the terminal window on switch 1:

[edit]
set virtual-chassis fast-failover ge

Step-by-Step Procedure

To configure fast failover on SFP uplink module VCPs:

1. Enable fast failover on all SFP uplink module VCPs in the Virtual Chassis
configuration:

[edit]
user@switch1# set virtual-chassis fast-failover ge

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis.

Results

Check the results of the configuration:

[edit virtual-chassis]
user@switch1# show
fast-failover {
    ge;
}

Verification
To confirm that fast failover is enabled on SFP uplink module VCPs in the Virtual
Chassis configuration, perform these tasks:

Verifying That Fast Failover Is Enabled on page 253

Verifying That Fast Failover Is Enabled

Purpose

Verify that fast failover has been enabled in a Virtual Chassis configuration.

Action

1. Issue the show virtual-chassis fast-failover command.

2. Check to see that fast failover is enabled.

user@switch1> show virtual-chassis fast-failover
Fast failover on dedicated VCP ports: Enabled
Fast failover on XE uplink VCP ports: Disabled
Fast failover on GE uplink VCP ports: Enabled

Meaning

Fast failover is enabled on all dedicated VCPs and SFP uplink module VCPs in the
Virtual Chassis configuration.


Related Topics

Configuring Fast Failover in a Virtual Chassis Configuration on page 281

Disabling Fast Failover in a Virtual Chassis Configuration on page 282

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual
Chassis Merge
You can explicitly assign a Virtual Chassis ID so that, when two Virtual Chassis
configurations merge, the ID that you assigned takes precedence over the
automatically assigned Virtual Chassis IDs and becomes the ID of the newly merged
Virtual Chassis configuration.
This example describes how to assign the Virtual Chassis ID in a Virtual Chassis
configuration:

Requirements on page 254

Overview and Topology on page 254

Configuration on page 255

Verification on page 255

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.3 or later for EX Series switches

Two EX4200-48P switches

Two EX4200-24T switches

Before you begin, be sure you have:

1. Installed the switches. See Mounting an EX3200 or EX4200 Switch on Two Posts
in a Rack or Cabinet, Mounting an EX3200 or EX4200 Switch on a Desk or Other
Level Surface, or Mounting an EX3200 or EX4200 Switch on a Wall.

2. Cabled the switches to create the Virtual Chassis configuration. See Connecting
a Virtual Chassis Cable to an EX4200 Switch.

Overview and Topology


Every Virtual Chassis configuration has a unique ID that is automatically assigned
when the Virtual Chassis configuration is formed. You can also configure a Virtual
Chassis ID using the set virtual-chassis id command. When two Virtual Chassis merge,
the Virtual Chassis ID that you assigned takes precedence over the automatically
assigned Virtual Chassis IDs and becomes the ID for the newly merged Virtual Chassis
configuration.


The topology for this example consists of four switches:

Two EX4200-24T switches

Two EX4200-48P switches

The switches are connected as a four-member Virtual Chassis configuration and are
identified as switch-A, switch-B, switch-C, and switch-D. The master is switch-A.

Configuration
Assign the Virtual Chassis ID in a Virtual Chassis configuration:

CLI Quick Configuration

To assign a Virtual Chassis ID so that, when two Virtual Chassis configurations merge,
the ID that you assigned takes precedence over the automatically assigned Virtual
Chassis IDs and becomes the ID of the newly merged Virtual Chassis configuration,
copy the following command and paste it into the terminal window:
[edit]
set virtual-chassis id 9622.6ac8.5345

Step-by-Step Procedure

To assign the Virtual Chassis ID in a Virtual Chassis configuration:

1. Assign the Virtual Chassis ID:

[edit]
user@switch-A# set virtual-chassis id 9622.6ac8.5345

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis configuration.

Verification
To verify that the Virtual Chassis ID has been assigned as you intended, perform
these tasks:

Verifying That the Virtual Chassis ID Is Assigned on page 255

Verifying That the Virtual Chassis ID Is Assigned

Purpose

Verify that the Virtual Chassis ID has been assigned in a Virtual Chassis configuration.

Action

1. Issue the show configuration virtual-chassis id command.

2. Check to see that the Virtual Chassis ID number is listed.

user@switch-A> show configuration virtual-chassis id
id 9622.6ac8.5345;

Meaning

The Virtual Chassis ID has been assigned as 9622.6ac8.5345.


Related Topics

Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis
Merge (CLI Procedure) on page 283

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Configuring Link Aggregation Groups Using Uplink Virtual Chassis Ports
You can form link aggregation groups (LAGs) between Virtual Chassis member
switches in different wiring closets using uplink Virtual Chassis ports (VCPs) and, on
EX4200-24F switches, network VCPs. LAGs balance traffic across the member links,
increase the uplink bandwidth, and provide increased availability. To form LAGs
using uplink or network VCPs, you configure the uplink module interfaces or network
interfaces on the member switches as VCPs and connect the VCPs using fiber-optic
cables. For the LAGs to form, the uplink or network VCPs on each member switch
that will form a LAG must operate at the same link speed and you must interconnect
at least two uplink or network VCPs on each of those members. You can connect
uplink or network VCPs operating at different link speeds, but they will not form a
LAG.

NOTE: The LAGs formed by VCPs are different from LAGs formed by Virtual Chassis
network interfaces. For more information on LAGs formed by network interfaces,
see Understanding Virtual Chassis Configurations and Link Aggregation on page
188.
This example shows how to configure uplink module interfaces and network interfaces
as VCPs on multiple member switches of a Virtual Chassis configuration and then
connect them to form LAGs:

Requirements on page 256

Overview and Topology on page 257

Configuration on page 259

Verification on page 261

Troubleshooting on page 264

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.6 or later for EX Series switches

Five EX4200 switches, one of which is an EX4200-24F model

Two SFP uplink modules

Two XFP uplink modules

Before you configure the uplink module interfaces and network interfaces on Virtual
Chassis member switches as VCPs and interconnect the members to form a LAG, be
sure you have:

1. Installed the SFP uplink modules in the SWA-0 and SWA-2 switches and installed
the XFP uplink modules in the SWA-1 and SWA-3 switches. See Installing an
Uplink Module in an EX3200 or EX4200 Switch.

2. Powered on SWA-0, connected it to the network, and run the EZSetup program.
See Connecting and Configuring an EX Series Switch (CLI Procedure) on page
79 or Connecting and Configuring an EX Series Switch (J-Web Procedure) on
page 81 for details.

3. Configured SWA-0 with the virtual management Ethernet (VME) interface for
remote, out-of-band management of the Virtual Chassis configuration, if desired.
See Configuring the Virtual Management Ethernet Interface for Global
Management of a Virtual Chassis (CLI Procedure) on page 279.

4. Ensured that SWA-1 is not powered on and then interconnected SWA-0 and
SWA-1 using the dedicated VCPs on the rear panel.

NOTE: The interfaces for the dedicated VCPs are operational by default. They do
not need to be configured.

5. Ensured that SWA-2, SWA-3, and SWA-4 are not powered on. They are not
connected in any way, so when initially powered up they will be standalone
switches.

Overview and Topology

In this example, five EX4200 switches will be interconnected to form LAGs for ease
of monitoring and manageability. Two of these switches (SWA-0 and SWA-1) are
located in wiring closet A and the three others (SWA-2, SWA-3, and SWA-4) are
located in wiring closet B. SWA-0 will form one LAG with SWA-2 and another LAG
with SWA-4, and SWA-1 will form a LAG with SWA-3.

We will use fiber-optic cables connected to the uplink and network VCPs to
interconnect the member switches in wiring closet A to the member switches in
wiring closet B.

We will specify the highest mastership priority value (255) for SWA-0 to make it the
master before we power on SWA-1. Because SWA-0 and SWA-1 are interconnected
with the dedicated VCPs, the master detects that SWA-1 is a member of its Virtual
Chassis configuration and assigns it a member ID.

We will use SWA-2 as the backup of the Virtual Chassis configuration. We will
configure the same mastership priority value for SWA-2 (255) that we configured for
the master. Because we power on SWA-0 before we power on SWA-2, SWA-0 retains
mastership of the Virtual Chassis configuration.

NOTE: We recommend setting identical mastership priority values for the master
and backup members for high availability and smooth transition of mastership in
case the original master becomes unavailable.

We will configure the uplink module interfaces on three of the switches as uplink
VCPs. On the EX4200-24F switch we will configure two of the network interfaces as
VCPs. We will interconnect two of the SFP uplink VCPs on SWA-0 with two of the
SFP uplink VCPs on SWA-2. Similarly, we will interconnect the two XFP uplink VCPs
on SWA-1 with the two XFP uplink VCPs on SWA-3. Finally, we will connect the two
remaining SFP uplink VCPs on SWA-0 with two network VCPs on SWA-4. As a result,
three LAGs will be automatically formed.

Figure 19 on page 222 shows the interconnections used to form LAGs using uplink
VCPs and the network VCPs after the procedure below has been completed.

Figure 23: Virtual Chassis Interconnected Across Wiring Closets to Form LAGs

Configuration
To configure the Virtual Chassis uplink module interfaces and network interfaces as
uplink VCPs and interconnect them between two wiring closets to form LAGs, perform
these tasks:

Step-by-Step Procedure

To configure a Virtual Chassis across multiple wiring closets and interconnect them
to form LAGs:

1. Configure the mastership priority of SWA-0 (member 0) to be the highest possible
value (255), thereby ensuring that it functions as the master of the expanded
Virtual Chassis configuration:

[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

2. Power on SWA-1.

3. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting all of the SFP uplink module interfaces on
SWA-0 and two of the uplink module interfaces on SWA-1 as uplink VCPs:

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 1
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 2
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 3
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 1 member 1

NOTE: This example omits the specification of the member member-id option in
configuring the uplink VCPs for SWA-0 (and, later, for SWA-2). The command applies
by default to the switch where it is executed.

4. Power on SWA-2.

5. If SWA-2 was previously configured, revert to the factory default configuration.

6. Prepare SWA-2 in wiring closet B by configuring its mastership priority to be
the highest possible value (255). Its member ID is currently 0, because it is not
yet interconnected with the other members of the Virtual Chassis configuration.
It is operating as a standalone switch. Its member ID will change when it is
interconnected.

[edit virtual-chassis]
user@SWA-2# set member 0 mastership-priority 255

NOTE: SWA-2 is configured with the same mastership priority value that we
configured for SWA-0. However, the longer uptime of SWA-0 ensures that, once the
interconnection is made, SWA-0 functions as the master and SWA-2 functions as the
backup.

7. Specify two of the SFP uplink module interfaces in SWA-2 as uplink VCPs. The
member IDs are 0, because they are not yet interconnected with the other
members of the Virtual Chassis configuration:

user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 1

NOTE: The setting of the uplink VCPs remains intact when SWA-2 reboots and joins
the Virtual Chassis configuration as member 2.

8. Power down SWA-2.

9. Physically interconnect SWA-0 and SWA-2 across wiring closets using two of
the uplink VCPs on each switch.

10. Power on SWA-2. SWA-2 joins the Virtual Chassis configuration and a LAG is
automatically formed between SWA-0 and SWA-2. In addition, although SWA-0
and SWA-2 have the same mastership priority value (255), SWA-0 was powered
on first and thus has longer uptime. This results in SWA-0 retaining mastership
while SWA-2 reboots and joins the now expanded Virtual Chassis configuration
as the backup, with member ID 2.

11. Power on SWA-3.

12. If SWA-3 was previously configured, revert to the factory default configuration.

13. Specify both XFP uplink module interfaces in SWA-3 as uplink VCPs:

user@SWA-3> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-3> request virtual-chassis vc-port set pic-slot 1 port 1

14. Power down SWA-3.

15. Physically interconnect SWA-3 with SWA-2 using their dedicated VCPs.

16. Physically interconnect SWA-1 and SWA-3 across wiring closets using their
uplink VCPs.

17. Power on SWA-3. It joins the Virtual Chassis configuration as member 3.

NOTE: Member ID 3 is assigned to SWA-3 because SWA-3 was powered on after
members 0, 1, and 2.

A LAG is automatically formed between SWA-1 and SWA-3. In addition, both
SWA-1 and SWA-3 have the default mastership priority value (128) and function
in a linecard role.

18. Power on SWA-4.

19. If SWA-4 was previously configured, revert to the factory default configuration.

20. Configure two of the network interfaces on SWA-4 as uplink VCPs:

user@SWA-4> request virtual-chassis vc-port set pic-slot 0 port 20
user@SWA-4> request virtual-chassis vc-port set pic-slot 0 port 21

21. Power down SWA-4.

22. Physically interconnect SWA-4 and SWA-0 across wiring closets using the
network VCPs on SWA-4 and the two remaining SFP uplink VCPs on SWA-0.

23. Power on SWA-4. A LAG is automatically formed between SWA-4 and SWA-0.
In addition, SWA-4 joins the Virtual Chassis configuration in the linecard role.

Results

Display the results of the configuration on SWA-0:

user@SWA-0> show configuration virtual-chassis
member 0 {
    mastership-priority 255;
}
member 1 {
    mastership-priority 128;
}
member 2 {
    mastership-priority 255;
}
member 3 {
    mastership-priority 128;
}
member 4 {
    mastership-priority 128;
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Member IDs and Roles of the Member Switches on page 261

Verifying That the VCPs Are Operational on page 262

Verifying the Member IDs and Roles of the Member Switches

Purpose

Verify that all the interconnected member switches are included within the Virtual
Chassis configuration and that their roles are assigned appropriately.

Action

Display the members of the Virtual Chassis configuration:

user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 0000.e255.00e0
                                                Mastership             Neighbor List
Member ID   Status   Serial No   Model        Priority     Role        ID  Interface
0 (FPC 0)   Prsnt    abc123      ex4200-48p   255          Master*     1   vcp-0
                                                                       1   vcp-1
                                                                       2   vcp-255/1/0
                                                                       2   vcp-255/1/1
                                                                       4   vcp-255/0/20
                                                                       4   vcp-255/0/21
1 (FPC 1)   Prsnt    def456      ex4200-24t   128          Linecard    0   vcp-0
                                                                       0   vcp-1
                                                                       3   vcp-255/1/0
                                                                       3   vcp-255/1/1
2 (FPC 2)   Prsnt    ghi789      ex4200-48p   255          Backup      3   vcp-0
                                                                       3   vcp-1
                                                                       0   vcp-255/1/0
                                                                       0   vcp-255/1/1
3 (FPC 3)   Prsnt    jkl012      ex4200-24t   128          Linecard    2   vcp-0
                                                                       2   vcp-1
                                                                       1   vcp-255/1/0
                                                                       1   vcp-255/1/1
4 (FPC 4)   Prsnt    mno345      ex4200-24f   128          Linecard    0   vcp-255/1/2
                                                                       0   vcp-255/1/3

Meaning

The show virtual-chassis status command lists the member switches interconnected
in a Virtual Chassis configuration with the member IDs that have been assigned by
the master, the mastership priority values, and the roles. It also displays the neighbor
members with which each member is interconnected by the dedicated VCPs, by
uplink VCPs, and by network VCPs.

Verifying That the VCPs Are Operational

Purpose

Verify that the dedicated VCPs interconnecting member switches in wiring closets
A and B and the uplink and network VCPs interconnecting the member switches
between wiring closets are operational.

Action

Display the Virtual Chassis interfaces:

user@SWA-0> show virtual-chassis vc-port all-members

fpc0:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   1   vcp-0
vcp-1       Dedicated   2      Up      32000   1   vcp-1
1/0         Configured  3      Up      1000    2   vcp-255/1/0
1/1         Configured  3      Up      1000    2   vcp-255/1/1
1/2         Configured  4      Up      1000    4   vcp-255/0/20
1/3         Configured  4      Up      1000    4   vcp-255/0/21

fpc1:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   0   vcp-0
vcp-1       Dedicated   2      Up      32000   0   vcp-1
1/0         Configured  3      Up      10000   3   vcp-255/1/0
1/1         Configured  3      Up      10000   3   vcp-255/1/1

fpc2:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   3   vcp-0
vcp-1       Dedicated   2      Up      32000   3   vcp-1
1/0         Configured  3      Up      1000    0   vcp-255/1/0
1/1         Configured  3      Up      1000    0   vcp-255/1/1
1/2                     -1     Down    1000
1/3                     -1     Down    1000

fpc3:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   2   vcp-0
vcp-1       Dedicated   2      Up      32000   2   vcp-1
1/0         Configured  3      Up      10000   1   vcp-255/1/0
1/1         Configured  3      Up      10000   1   vcp-255/1/1

fpc4:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Down    32000
vcp-1       Dedicated   2      Down    32000
0/20        Configured  3      Up      1000    0   vcp-255/1/2
0/21        Configured  3      Up      1000    0   vcp-255/1/3

Meaning

The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplink module interfaces
that have been set as uplink VCPs are displayed as 1/0, 1/1, 1/2, and 1/3. The
network interfaces that have been set as VCPs are displayed as 0/20 and 0/21. The
neighbor interface names of uplink and network VCPs are of the form
vcp-255/pic/port, for example, vcp-255/1/0. In that name, vcp-255 indicates that
the interface is a VCP, 1 is the uplink PIC number, and 0 is the port number. The fpc
number is the same as the member ID. The trunk ID is a positive number ID assigned
to the LAG formed by the Virtual Chassis. If no LAG is formed, the value is -1.


NOTE: Each switch assigns the trunk IDs to its local interfaces. As a result, the pair
of interfaces that form one end of a LAG on one switch will have the same trunk ID,
and the pair of interfaces that form the other end of the LAG will have the same trunk
ID, but the trunk IDs on either end of the LAG might be different. For example, in
Figure 19 on page 222, the uplink VCPs 1/2 and 1/3 on SWA-0 form a LAG with the
network VCPs 0/20 and 0/21 on SWA-4. Uplink VCPs 1/2 and 1/3 on SWA-0 both
have trunk ID 4, while network VCPs 0/20 and 0/21 on SWA-4 both have trunk ID
3. The trunk IDs are different between the switches because SWA-0 assigns the trunk
IDs for its local uplink VCPs and SWA-4 assigns the trunk IDs for its local VCPs.
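The checks an operator would want to script over this output follow as an added example; it is not code from the guide or from Juniper. It parses a constructed copy of the fpc0 and fpc2 sections above, groups the uplink VCPs by local trunk ID, applies the conditions this example states (at least two links, same speed, same neighbor, all up), and, because trunk IDs are local to each switch, matches the two ends of each LAG by neighbor ID and interface rather than by trunk ID. The column parsing and the report format are this script's own assumptions.

```python
"""Added example (not Juniper's code): parse 'show virtual-chassis vc-port
all-members' output and confirm that the uplink and network VCPs formed the
intended LAGs.  The sample output is constructed to match the guide's fpc0 and
fpc2 sections; the column parsing and the checks are this script's own
assumptions about operator tooling, not a JUNOS feature."""
import re
from collections import defaultdict, namedtuple

SAMPLE_OUTPUT = """\
fpc0:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   1   vcp-0
vcp-1       Dedicated   2      Up      32000   1   vcp-1
1/0         Configured  3      Up      1000    2   vcp-255/1/0
1/1         Configured  3      Up      1000    2   vcp-255/1/1
1/2         Configured  4      Up      1000    4   vcp-255/0/20
1/3         Configured  4      Up      1000    4   vcp-255/0/21

fpc2:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   3   vcp-0
vcp-1       Dedicated   2      Up      32000   3   vcp-1
1/0         Configured  3      Up      1000    0   vcp-255/1/0
1/1         Configured  3      Up      1000    0   vcp-255/1/1
1/2                     -1     Down    1000
1/3                     -1     Down    1000
"""

VcPort = namedtuple("VcPort", "member iface ptype trunk status speed nbr nbr_iface")

# One data row: interface, optional type, trunk ID (-1 when not in a LAG),
# status, speed, and, for links that are up, neighbor member ID and interface.
ROW_RE = re.compile(r"^(\S+)\s+(Dedicated|Configured)?\s*(-?\d+)\s+(Up|Down)"
                    r"\s+(\d+)(?:\s+(\d+)\s+(\S+))?\s*$")


def parse_vc_ports(text):
    """Return one VcPort per data row, tagged with its fpc (= member ID)."""
    ports, member = [], None
    for line in text.splitlines():
        fpc = re.match(r"^fpc(\d+):", line)
        if fpc:
            member = int(fpc.group(1))
            continue
        row = ROW_RE.match(line)           # header lines never match
        if row and member is not None:
            iface, ptype, trunk, status, speed, nbr, nbr_iface = row.groups()
            ports.append(VcPort(member, iface, ptype, int(trunk), status,
                                int(speed), int(nbr) if nbr else None, nbr_iface))
    return ports


def check_lags(ports):
    """Group each member's uplink/network VCPs by local trunk ID and test each
    group against the guide's conditions: at least two links, one speed, one
    neighbor, all Up.  Dedicated VCPs never belong to these LAGs."""
    lags, problems, groups = {}, [], defaultdict(list)
    for p in ports:
        if p.ptype == "Dedicated":
            continue
        if p.status != "Up" or p.trunk < 0:
            # The guide's Troubleshooting section: cabling, vc-port set, options.
            problems.append(f"fpc{p.member} {p.iface}: {p.status}, trunk {p.trunk}")
            continue
        groups[(p.member, p.trunk)].append(p)
    for (member, trunk), links in sorted(groups.items()):
        speeds = {p.speed for p in links}
        nbrs = {p.nbr for p in links}
        if len(links) < 2:
            problems.append(f"fpc{member} trunk {trunk}: single link, no LAG")
        elif len(speeds) > 1 or len(nbrs) > 1:
            problems.append(f"fpc{member} trunk {trunk}: mixed speeds {speeds} "
                            f"or neighbors {nbrs}")
        else:
            lags[(member, trunk)] = {"interfaces": [p.iface for p in links],
                                     "speed": speeds.pop(), "neighbor": nbrs.pop()}
    return lags, problems


def check_peers(ports):
    """Trunk IDs are assigned per switch, so the two ends of a LAG cannot be
    matched by trunk ID.  Match them by neighbor instead: fpc M port X listing
    neighbor N vcp-255/a/b must be mirrored by fpc N port a/b listing neighbor
    M.  Neighbors absent from the output are skipped."""
    by_key = {(p.member, p.iface): p for p in ports}
    present = {p.member for p in ports}
    mismatches = []
    for p in ports:
        if p.ptype != "Configured" or p.nbr not in present:
            continue
        peer = by_key.get((p.nbr, p.nbr_iface.replace("vcp-255/", "")))
        if peer is None or peer.nbr != p.member:
            mismatches.append(f"fpc{p.member} {p.iface} -> fpc{p.nbr} {p.nbr_iface}")
    return mismatches
```

On the sample, check_lags reports three LAGs (fpc0 trunks 3 and 4, fpc2 trunk 3) and flags the two down ports on fpc2, while check_peers finds the fpc0/fpc2 ends consistent.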

Troubleshooting
To troubleshoot a Virtual Chassis configuration that is interconnected across wiring
closets, perform this task:

Troubleshooting Nonoperational VCPs

Problem

An uplink VCP shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the
interfaces.

If the VCP is an uplink module interface, make sure that it has been explicitly
set as an uplink VCP.

If the VCP is an uplink module interface, make sure that you have specified the
options (pic-slot, port, and member) correctly.

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet
on page 208

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 214

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page
276

Reverting to the Default Factory Configuration for the EX Series Switch on page
154

Chapter 16

Configuring Virtual Chassis

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI
Procedure) on page 270

Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 274

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276

Configuring the Virtual Management Ethernet Interface for Global Management
of a Virtual Chassis (CLI Procedure) on page 279

Configuring the Timer for the Backup Member to Start Using Its Own MAC
Address, as Master of Virtual Chassis (CLI Procedure) on page 280

Configuring Fast Failover in a Virtual Chassis Configuration on page 281

Disabling Fast Failover in a Virtual Chassis Configuration on page 282

Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis
Merge (CLI Procedure) on page 283

Disabling Split and Merge in a Virtual Chassis Configuration (CLI
Procedure) on page 283
Configuring a Virtual Chassis (CLI Procedure)

To take advantage of the scalability features of EX4200 switches, you can configure
a Virtual Chassis that includes up to 10 member switches. You can interconnect the
member switches using the dedicated Virtual Chassis ports (VCPs) on the back of
the switch. You do not have to configure the interface for the dedicated VCPs. If you
want to interconnect member switches that are located in different racks or wiring
closets, interconnect them using uplinks configured as VCP interfaces. See Setting
an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276.

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one
in the master and the other in the backup. Therefore, we recommend that you always
use commit synchronize rather than simply commit to save configuration changes
made for a Virtual Chassis. This ensures that the configuration changes are saved in
both Routing Engines.

A Virtual Chassis can be configured with either:

preprovisioned configuration: allows you to deterministically control the member
ID and role assigned to a member switch by tying it to its serial number.

nonprovisioned configuration: the master sequentially assigns a member ID
to other member switches. The role is determined by the mastership priority
value and other factors in the master election algorithm.

Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 266

Configuring a Virtual Chassis with a Nonprovisioned Configuration File on page 267

Configuring a Virtual Chassis with a Preprovisioned Configuration File

To configure a Virtual Chassis using a preprovisioned configuration:

1. Make a list of the serial numbers of all the switches to be connected in a Virtual
Chassis configuration.

2. Note the desired role (routing-engine or linecard) of each switch. If you configure
the member with a routing-engine role, it is eligible to function as a master or
backup. If you configure the member with a linecard role, it is not eligible to
become a master or backup.

3. Interconnect the member switches using the dedicated VCPs on the rear panel
of switches. See Connecting a Virtual Chassis Cable to an EX4200 Switch.

NOTE: Arrange the switches in sequence, either from top to bottom or from bottom
to top (0 through 9).

4. Power on only the switch that you plan to use as the master switch (SWA-0). Do
not power on the other switches at this time.

5. Run the EZ Setup program on SWA-0, specifying the identification parameters.
See Connecting and Configuring an EX Series Switch (CLI Procedure) on page
79 for details.

NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis
configuration, including all the members listed in the preprovisioned configuration
file.

6. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired:

[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

7. Specify the preprovisioned configuration mode:

[edit virtual-chassis]
user@SWA-0# set preprovisioned

8. Specify all the members that you want to include in the Virtual Chassis
configuration, listing each switch's serial number with the desired member ID
and the desired role:

[edit virtual-chassis]
user@SWA-0# set member 0 serial-number abc123 role routing-engine
user@SWA-0# set member 1 serial-number def456 role linecard
user@SWA-0# set member 2 serial-number ghi789 role linecard
user@SWA-0# set member 3 serial-number jkl012 role linecard
user@SWA-0# set member 4 serial-number mno345 role linecard
user@SWA-0# set member 5 serial-number pqr678 role routing-engine
user@SWA-0# set member 6 serial-number stu901 role linecard
user@SWA-0# set member 7 serial-number vwx234 role linecard
user@SWA-0# set member 8 serial-number yza567 role linecard
user@SWA-0# set member 9 serial-number bcd890 role linecard

9. Power on the member switches.

NOTE: You cannot modify the mastership-priority when you are using a preprovisioned
configuration. The mastership priority values are generated automatically and
controlled by the role that is assigned to the member switch in the configuration file.
The two routing engines are assigned the same mastership priority value. However,
the member that was powered on first has higher prioritization according to the
master election algorithm. See Understanding How the Master in a Virtual Chassis
Configuration Is Elected on page 184.
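The following is an added example, not code from the guide or from Juniper, of how an operator might generate the step 8 statements from a member plan and then check the resulting show virtual-chassis status output against that plan. It applies the rules this section states (member IDs 0 through 9, at most 10 members, roles routing-engine or linecard, no mastership-priority statements, both routing-engine members sharing one generated priority). The plan, the serial numbers, the status output and its priority values are constructed samples.

```python
"""Added example (not Juniper's code): build the [edit virtual-chassis]
statements for a preprovisioned Virtual Chassis from a member plan, applying
the limits this section states (member IDs 0 through 9, roles routing-engine
or linecard, no mastership-priority statements), then check the resulting
'show virtual-chassis status' output against the plan.  The serial numbers,
the plan and the status output are constructed samples; the priority values in
the sample are made up, since the switch derives them from the role."""
import re

ROLES = {"routing-engine", "linecard"}
MAX_MEMBERS = 10

# member ID -> (serial number, role), in the style of the guide's step 8
PLAN = {
    0: ("abc123", "routing-engine"),
    1: ("def456", "linecard"),
    2: ("ghi789", "linecard"),
    5: ("pqr678", "routing-engine"),
}


def preprovisioned_statements(plan):
    """Return 'set ...' statements for the plan, or raise ValueError for a
    plan the section rules out (too many members, bad ID or role, duplicate
    serial, nobody eligible to become master)."""
    if not plan:
        raise ValueError("a plan needs at least one member")
    if len(plan) > MAX_MEMBERS:
        raise ValueError(f"at most {MAX_MEMBERS} members are supported")
    serials = [serial for serial, _ in plan.values()]
    if len(set(serials)) != len(serials):
        raise ValueError("duplicate serial number in plan")
    if not any(role == "routing-engine" for _, role in plan.values()):
        raise ValueError("no routing-engine member, so none is eligible as master")
    stmts = ["set preprovisioned"]
    for member_id in sorted(plan):
        serial, role = plan[member_id]
        if not 0 <= member_id <= 9:
            raise ValueError(f"member ID {member_id} is outside 0 through 9")
        if role not in ROLES:
            raise ValueError(f"member {member_id}: unknown role {role!r}")
        stmts.append(f"set member {member_id} serial-number {serial} role {role}")
    return stmts


SAMPLE_STATUS = """\
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership            Neighbor List
Member ID  Status   Serial No  Model       Priority  Role       ID  Interface
0 (FPC 0)  Prsnt    abc123     ex4200-48p  129       Master*    1   vcp-0
                                                                5   vcp-1
1 (FPC 1)  Prsnt    def456     ex4200-24t  0         Linecard   0   vcp-0
                                                                2   vcp-1
2 (FPC 2)  Prsnt    ghi789     ex4200-48p  0         Linecard   1   vcp-0
                                                                5   vcp-1
5 (FPC 5)  Prsnt    pqr678     ex4200-48p  129       Backup     2   vcp-0
                                                                0   vcp-1
"""

# First line of each member block: ID, status, serial, model, priority, role.
STATUS_RE = re.compile(r"^(\d+) \(FPC \d+\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                       r"(Master\*?|Backup|Linecard)")


def verify_status(plan, status_text):
    """Compare the status output with the plan: each planned serial must show
    up under its planned member ID, routing-engine members as Master or Backup
    with one shared priority, linecard members as Linecard, and no serial that
    the plan does not list may be present."""
    seen = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            member_id, _status, serial, _model, prio, role = m.groups()
            seen[serial] = (int(member_id), int(prio), role.rstrip("*"))
    problems, re_prios = [], set()
    for member_id, (serial, role) in sorted(plan.items()):
        if serial not in seen:
            problems.append(f"{serial}: planned as member {member_id} but absent")
            continue
        got_id, prio, got_role = seen[serial]
        if got_id != member_id:
            problems.append(f"{serial}: member ID {got_id}, planned {member_id}")
        wanted = {"Master", "Backup"} if role == "routing-engine" else {"Linecard"}
        if got_role not in wanted:
            problems.append(f"{serial}: role {got_role}, planned {role}")
        if role == "routing-engine":
            re_prios.add(prio)
    if len(re_prios) > 1:
        problems.append(f"routing-engine priorities differ: {sorted(re_prios)}")
    planned = {serial for serial, _ in plan.values()}
    for serial in sorted(set(seen) - planned):
        problems.append(f"{serial}: present but not in the preprovisioned plan")
    return problems
```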

Configuring a Virtual Chassis with a Nonprovisioned Configuration File

To configure the Virtual Chassis using a nonprovisioned configuration:

1. Interconnect the member switches using the dedicated VCPs on the rear panel
of switches. See Connecting a Virtual Chassis Cable to an EX4200 Switch.

NOTE: Arrange the switches in sequence, either from top to bottom or from bottom
to top (0 through 9).

2. Power on only the switch that you plan to use as the master switch (SWA-0). Do
not power on the other switches at this time.

3. Run the EZ Setup program on SWA-0, specifying the identification parameters.
See Connecting and Configuring an EX Series Switch (CLI Procedure) on page
79 for details.

NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis
configuration, including all the members interconnected through VCPs.

4. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired:

[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

5. Configure mastership priority for the master, backup, and other members, if
desired:

[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255
user@SWA-0# set member 5 mastership-priority 255

6. Power on the member switches in sequential order, one by one.

NOTE: If you do not edit the Virtual Chassis configuration file, a nonprovisioned
configuration is generated by default. The mastership priority value for each member
switch is 128. The master role is selected by default. You can change the role that
is performed by the members by modifying the mastership-priority. See Configuring
Mastership of the Virtual Chassis (CLI Procedure) on page 274. We recommend that
you specify the same mastership priority value for the desired master and backup
members. We have assigned the highest possible mastership priority to two members.
However, the member that was powered on first has higher prioritization according
to the master election algorithm. See Understanding How the Master in a Virtual
Chassis Configuration Is Elected on page 184. We have allowed the other members
to use the default mastership priority, which qualifies them to function in the role of
linecard.

NOTE: If you want to change the member ID that the master has assigned to a
member switch, use the request virtual-chassis renumber command.

Related Topics

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 274

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page
276

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Configuring a Virtual Chassis (J-Web Procedure)

To take advantage of the scalability features of EX4200 switches, you can configure
a Virtual Chassis that includes up to 10 member switches. You can interconnect the
member switches using the dedicated Virtual Chassis ports (VCPs) on the back of
the switch. You do not have to configure the interface for the dedicated VCPs. If you
want to interconnect member switches that are located in different racks or wiring
closets, interconnect them using uplinks configured as VCP interfaces. See Setting
an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276.

To configure a Virtual Chassis using the J-Web interface:

1. From the Configure menu, select the option Virtual Chassis.

NOTE: The Virtual Chassis option is not available for EX3200 switches.

2. The properties you can configure are displayed.

The first section of the Virtual Chassis configuration page displays the Virtual
Chassis member configuration. The display includes a list of member switches,
their member IDs, and the mastership priority.

The second section displays the operational status of the Virtual Chassis
configuration, member details, and the dedicated and configured Virtual Chassis
ports (VCPs).

3. Enter information into the page as described in Table 44 on page 269.

4. Click one:

Add: To add a member's configuration to the Virtual Chassis configuration,
click Add.

Edit: To modify an existing member's configuration, click Edit.

Delete: To delete the configuration of a member, click Delete.

5. To configure an uplink as a VCP, select the member in the Virtual Chassis
members list and select Action > Select Uplink Port as VCP. Select the port from
the list.

6. To delete an uplink VCP from a member, select the member in the Virtual Chassis
members list and select Action > Delete Uplink Port as VCP.

Table 44: Virtual Chassis Configuration Fields

Field: Member ID
Function: Specifies the identifier for the member switch. The master switch assigns
member IDs.
Your Action: Select an identifier from the list. Select an ID from 0 through 9.

Field: Priority
Function: Specifies the mastership priority to be assigned to the member.
Your Action: Select a number from 1 through 255, with 255 being the highest priority
(128 is the default).

Field: Disable Management VLAN
Function: If you want to reserve an individual member's management Ethernet port
for local troubleshooting, you can remove that port from being part of the Virtual
Management Ethernet (VME).
Your Action: Click to disable management VLAN on the port.

Field: Refresh
Function: Refreshes the operational status of Virtual Chassis members.
Your Action: Click to refresh the operational status.

Member Details

Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 265

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 203

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 219

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Virtual Chassis Cabling Configuration Examples for EX4200 Switches

Virtual Chassis Overview on page 177

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure)


You can add one or more EX4200 switches to an existing Virtual Chassis configuration.
Up to ten EX4200 switches can be included within a Virtual Chassis configuration.
You can add the new switches to either typenonprovisioned or preprovisionedof
Virtual Chassis configuration. See Configuring a Virtual Chassis (CLI Procedure) on
page 265 for descriptions of these types.
To add a switch to an existing Virtual Chassis configuration, use the procedure that
matches what you need to accomplish:

Adding a New Switch to an Existing Virtual Chassis Configuration Within the


Same Wiring Closet on page 270

Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis
Configuration on page 271

Adding a New Switch to an Existing Preprovisioned Virtual Chassis Configuration


Using Autoprovisioning on page 273

Adding a New Switch to an Existing Virtual Chassis Configuration Within the Same Wiring
Closet
Before you begin, be sure you have:

270

Mounted the new switch in a rack.

Confirmed that the new switch is powered off.

If you are expanding a preprovisioned configuration, made a note of the serial


number (on the back of the switch). You will need to edit the Virtual Chassis
configuration to include the serial number of the new member switch.

If you are expanding a preprovisioned configuration, edited the existing Virtual


Chassis configuration to include the serial number of the new member switch.
You can specify the role of the new member switch when you add its serial
number in the Virtual Chassis configuration file. The parameters specified in the
master Virtual Chassis configuration file are applied after the new member switch
has been interconnected to an existing member switch.

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure)

Chapter 16: Configuring Virtual Chassis

NOTE: After you have created a preprovisioned Virtual Chassis configuration, you
can use the autoprovisioning feature to add member switches to that configuration.

To add a new member switch to an existing Virtual Chassis configuration within the
same wiring closet:
1.

If the new member switch has been previously configured, revert that switchs
configuration to the factory defaults. See Reverting to the Default Factory
Configuration for the EX Series Switch on page 154.

2.

Interconnect the unpowered new switch to at least one member of the existing
Virtual Chassis configuration using the dedicated Virtual Chassis ports (VCPs).

3.

Power on the new switch.

4.

Confirm that the new member switch is now included within the Virtual Chassis
configuration by checking the front-panel display for the member ID. It should
display a member ID that is higher than 0 (1 through 9), because there is already
at least one member of the Virtual Chassis configuration.

NOTE: If you are using a preprovisioned configuration, the member ID is automatically


assigned to the members serial number in the configuration file.

Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis Configuration

To add a new switch from a different wiring closet to an existing Virtual Chassis configuration, you must use a long cable to connect the new member switch across wiring closets. You can use a port on an SFP, SFP+, or XFP uplink module, or an SFP network port on an EX4200-24F switch, and a fiber-optic cable for this purpose.

Before you begin, be sure you have:

Installed the uplink modules needed for the Virtual Chassis configuration.

Mounted the new switch in a rack.

If the new member switch has been previously configured, reverted its configuration to the factory defaults. See Reverting to the Default Factory Configuration for the EX Series Switch on page 154.

Powered on the new member switch as a standalone switch and configured its uplink module ports as VCPs. Otherwise, it cannot be recognized as a member switch by the master.

If you are expanding a preprovisioned configuration, made a note of the serial number (on the back of the switch). You will need to edit the Virtual Chassis configuration to include the serial number of the new member switch.

If you are expanding a preprovisioned configuration, edited the existing Virtual Chassis configuration to include the serial number of the new member switch. You can specify the role of the new member switch when you add its serial number in the Virtual Chassis configuration file. The parameters specified in the master Virtual Chassis configuration file are applied after the new member switch has been interconnected with its uplink VCP to an existing member switch.

Confirmed that the new, currently standalone switch is powered off.

Prepared an existing member switch for interconnecting with the new switch through an uplink module port by configuring an uplink module port as a VCP on the existing member switch.

NOTE: After you have created a preprovisioned Virtual Chassis configuration, you can use the autoprovisioning feature to add member switches to that configuration.

To add a new member switch that is going to be interconnected with the existing Virtual Chassis configuration across wiring closets:

1. Power on the new switch.

2. Connect a laptop or terminal to the console port of the switch, or use EZSetup on the standalone switch to specify temporary identification parameters. (When you interconnect the new member switch with the existing Virtual Chassis configuration, the master will overwrite and disable any specified parameters that conflict with the Virtual Chassis parameters or assigned member configuration.)

3. Use the CLI or the J-Web interface to set the uplink module ports as VCPs.

NOTE: If you are using a nonprovisioned configuration, you might configure the new member switch with a mastership priority value that is less than that of the existing member switches. Doing so ensures that the new member switch will function in a linecard role when it is included within the Virtual Chassis configuration.

4. Power off the new switch.

5. Interconnect the new member switch to at least one member of the existing Virtual Chassis configuration using the uplink module ports on each of the switches that have been configured as VCPs.

6. Power on the new member switch.

7. Confirm that the new member switch is now included within the Virtual Chassis configuration by checking the front-panel display for the member ID. It should display a member ID that is higher than 0 (1 through 9), because there is already at least one member of the Virtual Chassis configuration.

NOTE: If you are using a preprovisioned configuration, the member ID is automatically assigned to the member's serial number in the configuration file.


Chapter 16: Configuring Virtual Chassis

Adding a New Switch to an Existing Preprovisioned Virtual Chassis Configuration Using Autoprovisioning

Before you begin, be sure you have:

Installed the uplink modules needed for the Virtual Chassis configuration.

Mounted the new switch in a rack.

Ensured that the preprovisioned Virtual Chassis configuration has an active master. For more information, see Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239.

On the master, configured the Link Level Discovery Protocol (LLDP) on the uplink module ports that will be used as VCPs. LLDP is configured by default but might have been disabled. To configure LLDP, see Configuring LLDP (CLI Procedure) on page 957 or Configuring LLDP (J-Web Procedure) on page 958.

Ensured that the new member switch has the factory-default configuration. If the new member switch has been previously configured, revert its configuration to the factory defaults. See Reverting to the Default Factory Configuration for the EX Series Switch on page 154.

Made a note of the serial number (on the back of the switch). You will need to edit the Virtual Chassis configuration to include the serial number of the new member switch.

Edited the existing Virtual Chassis preprovisioned configuration to include the serial number of the new member switch. You can specify the role of the new member switch when you add its serial number to the Virtual Chassis configuration file. The parameters specified in the master Virtual Chassis configuration file are applied to the new member switch after it has been interconnected through its uplink VCP to an existing member switch.

Prepared an existing member switch to interconnect with the new switch through an uplink module port by configuring an uplink module port as a VCP on the existing member switch.

Ensured that the operational modes of the uplink modules on the existing member switch and the new member switch match.

Confirmed that the new member switch is powered off.

Interconnected the existing switch with the new switch using the appropriate cable.

If these conditions are not met, autoprovisioning will not work, and you will need to manually configure the uplink module ports on the switch being added as VCPs. For more information, see Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276.

To add a switch to an existing preprovisioned Virtual Chassis configuration using the autoprovisioning feature:

1. Power on the new member switch.

2. Confirm that the new member switch is now included in the Virtual Chassis configuration by checking the front-panel display for the member ID. It should display a member ID in the range from 0 through 9 because there was already at least one member of the Virtual Chassis configuration. The member ID is automatically assigned to the new member switch's serial number in the configuration file.

Related Topics

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 208

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 214

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 292

Reverting to the Default Factory Configuration for the EX Series Switch on page 154

Configuring Mastership of the Virtual Chassis (CLI Procedure)

You can designate the role (master, backup, or linecard) that a member switch performs within a Virtual Chassis configuration whether or not you are using a preprovisioned configuration.

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis. This ensures that the configuration changes are saved in both Routing Engines.

This topic describes:

Configuring Mastership Using a Preprovisioned Configuration File on page 274

Configuring Mastership Using a Configuration File That Is Not Preprovisioned on page 275

Configuring Mastership Using a Preprovisioned Configuration File

To configure mastership using a preprovisioned configuration:

1. Note the serial numbers of the switches that you want to function in the master role and backup role.

2. Power on only the switch (SWA-0) that you want to function in the master role.

3. Edit the configuration to specify the preprovisioned configuration mode:

[edit virtual-chassis]
user@SWA-0# set preprovisioned

4. List the serial numbers of the member switches that you want to function as master and backup, specifying their role as routing-engine:

[edit]
user@SWA-0# set virtual-chassis member 0 serial-number abc123 role routing-engine
user@SWA-0# set virtual-chassis member 2 serial-number def456 role routing-engine

NOTE: You cannot directly modify the mastership priority value when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file. The two members assigned the routing-engine role are assigned the same mastership priority value (128). However, the member that was powered on first has higher prioritization according to the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 184. Only two members can be specified with the routing-engine role.

5. List the serial numbers of any other member switches that you want to include in the Virtual Chassis configuration. You may also specify their role as linecard, if desired.

Configuring Mastership Using a Configuration File That Is Not Preprovisioned

To configure mastership of the Virtual Chassis through a configuration that is not preprovisioned:

1. Power on only the switch that you want to function in the master role (SWA-0).

2. Configure the highest possible mastership priority value (255) for the member that you want to function in the master role:

[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

3. Configure the same mastership priority value (continue to edit the Virtual Chassis configuration on the master) for the member that you want to be the backup (SWA-1):

[edit virtual-chassis]
user@SWA-0# set member 1 mastership-priority 255

NOTE: We recommend that the master and backup have the same mastership priority value to prevent the master and backup status from switching back and forth between master and backup members in failover conditions.

4. Use the default mastership priority value (128) for the remaining member switches or configure the mastership priority to a value that is lower than the value specified for members functioning in the master and backup roles.
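Both mastership notes in this topic (the two routing-engine members of a preprovisioned configuration sharing priority 128 with the first-powered member winning, and the recommendation to give the master and backup the same value in a nonprovisioned configuration) follow from the same election behaviour, which the small model below makes visible. This Python is an added example, not Juniper software; it assumes only the two rules stated on this page (highest mastership priority wins, ties go to the member that was powered on first) and omits the remaining tie-breakers of the election algorithm described on page 184.

```python
"""Toy model of Virtual Chassis master election (added example, not Juniper code).

Only two rules are modelled, both taken from this page: the member with the
highest mastership priority becomes master, and among equal priorities the
member that was powered on first wins. Further tie-breakers of the real
election algorithm are deliberately left out.
"""
from dataclasses import dataclass
from typing import List

DEFAULT_PRIORITY = 128   # mastership priority of a member left unconfigured
MAX_PRIORITY = 255       # highest configurable mastership priority


@dataclass
class Member:
    member_id: int
    priority: int         # mastership-priority, 0 through 255
    powered_on_at: int    # constructed clock tick; smaller means powered on earlier
    present: bool = True  # False while the member is disconnected or resetting


def elect_master(members: List[Member]) -> int:
    """Return the member ID elected as master among the present members."""
    present = [m for m in members if m.present]
    if not present:
        raise ValueError("no member present in the Virtual Chassis")
    # Highest priority wins; on a tie, the earliest powered-on member wins.
    winner = min(present, key=lambda m: (-m.priority, m.powered_on_at))
    return winner.member_id


def failover_sequence(master_priority: int, backup_priority: int) -> List[int]:
    """Simulate a master failure and return the master seen at each stage.

    Stages: [initial election, after member 0 leaves, after member 0 rejoins].
    Member 2 is a third member left at the default priority (linecard role).
    """
    members = [
        Member(0, master_priority, powered_on_at=0),
        Member(1, backup_priority, powered_on_at=1),
        Member(2, DEFAULT_PRIORITY, powered_on_at=2),
    ]
    history = [elect_master(members)]

    members[0].present = False          # member 0 is reset or disconnected
    history.append(elect_master(members))

    members[0].present = True           # member 0 comes back...
    members[0].powered_on_at = 20       # ...as the most recently powered-on member
    history.append(elect_master(members))
    return history


def mastership_is_stable(history: List[int]) -> bool:
    """True when the returning old master did not take mastership back."""
    return history[1] == history[2]


if __name__ == "__main__":
    # Recommended: master and backup share priority 255, as in this procedure.
    print("equal 255/255:", failover_sequence(MAX_PRIORITY, MAX_PRIORITY))
    # Not recommended: backup lower than master, so mastership bounces back.
    print("unequal 255/200:", failover_sequence(MAX_PRIORITY, 200))
```

With equal priorities the backup keeps mastership when the old master rejoins; with a lower backup priority the old master takes mastership back, which is the back-and-forth the note warns about.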

Related Topics

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 208

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 288

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Virtual Chassis Configuration on page 190

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure)

You can interconnect EX4200 switches that are beyond the reach of the Virtual Chassis cables as members of a Virtual Chassis configuration by installing the optional SFP uplink module, SFP+ uplink module, or XFP uplink module and connecting the uplink ports. You can also use the SFP network ports on an EX4200-24F for this purpose. To use the uplink ports or SFP network ports for interconnecting member switches, you must explicitly set the uplink ports as VCPs.

NOTE: When an uplink port is set as a VCP interface, it cannot be used for any other purpose. You can set one port as a VCP interface and configure the other port in trunk mode as an uplink to a distribution switch.

Before you set an uplink port as a VCP:

1. Install the uplink module in the member switches that you want to interconnect.

2. Power on and connect to the switch that you plan to designate as the master of the Virtual Chassis configuration.

NOTE: Do not power on the other switches at this point.

3. Run EZSetup on the switch that you are configuring to be the master. Follow the prompts to specify the hostname and other identification, time zone, and network properties. See Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79 or Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81 for details. The properties that you specify for the master apply to the entire Virtual Chassis configuration, including all the member switches that you later interconnect with the master.

4. If you want to configure and manage the Virtual Chassis configuration remotely, specify the VME global management interface. You can configure the VME global management interface when you are setting up the master or you can do it after completing the other configuration steps for the Virtual Chassis. See Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) on page 279.

5. Configure mastership of the Virtual Chassis using either the nonprovisioned or preprovisioned configuration. See Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 274 for details.

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis configuration. This ensures that the configuration changes are saved in both Routing Engines.

To interconnect a Virtual Chassis configuration across longer distances, such as wiring closets, you need to:

Prepare the existing Virtual Chassis configuration for interconnecting with a potential member switch that is beyond the reach of a Virtual Chassis cable by setting at least one uplink VCP on an existing member of the Virtual Chassis configuration.

Prepare the potential member switch for interconnecting with the existing Virtual Chassis configuration by setting at least one uplink VCP on the standalone switch.

NOTE: We recommend that you set two uplink VCPs within each wiring closet for redundancy.
This topic describes:
1. Setting an Uplink VCP Between Two Member Switches on page 277
2. Setting an Uplink VCP on a Standalone Switch on page 278

Setting an Uplink VCP Between Two Member Switches

Set an uplink port of a Virtual Chassis member as a VCP by executing the operational command request virtual-chassis vc-port.

NOTE: If you use the SFP+ uplink module, you must configure all member switches to support either 1-gigabit SFP transceivers or 10-gigabit SFP+ transceivers. See Setting the Mode on an SFP+ Uplink Module (CLI Procedure) on page 392.

To set the uplink ports for the local member switch (for example, member 0) and for a different member switch (for example, member 1) to function as VCPs:

1. Set one uplink port of member 0 as a VCP interface. You do not need to specify the member member-id option, because the command applies by default on the member where it is executed.

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0

2. Set one uplink port of member 1 as a VCP interface.

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1

This example includes the member member-id option, because it is executed on a different member switch than the local member switch.

Setting an Uplink VCP on a Standalone Switch

To set an uplink VCP on a standalone switch, first power on the switch. You must set an uplink port on the standalone switch as a VCP prior to physically interconnecting the switch with the existing Virtual Chassis configuration. Otherwise, the master cannot detect that the switch is a member of the Virtual Chassis configuration.

To set one uplink VCP on the potential member (SWA-2), which is currently operating as a standalone switch:

1. Power on the standalone switch.

2. Set one uplink port as a VCP interface. You do not need to specify the member member-id option, because the command applies by default on the member where it is executed.

user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0

NOTE: If you do specify the member member-id option, use member ID 0. Because the switch is not yet interconnected with the other members of the Virtual Chassis configuration, its current member ID is 0. Its member ID will change when it is interconnected with the Virtual Chassis configuration. Setting the VCP interface with 0 as the member ID does not affect the functioning of the uplink VCP, because the VCP interface has significance only on the local switch.

3. After you have set the uplink VCP on the standalone switch, physically interconnect its uplink port with the VCP uplink ports of the members in the existing Virtual Chassis configuration.

4. The new member switch reboots and joins the now expanded Virtual Chassis configuration with a different member ID.

NOTE: The setting for the new member switch's uplink VCP remains intact and is not affected by the change of member ID.

5. If you have additional members in the second wiring closet, set a redundant VCP uplink on another member switch by issuing the request virtual-chassis vc-port command.

Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure)

If you want to configure and manage a Virtual Chassis remotely through SSH or Telnet, configure the virtual management Ethernet (VME) interface on the master of the Virtual Chassis. You can configure and manage all members of the Virtual Chassis through this single global interface.

1. Power on the switch that you want to function as the master.

2. Check the front-panel LCD to confirm that the switch has powered on correctly.

3. Run the EZSetup program on the switch, specifying the identification parameters. See Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79 or Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81 for details.

To configure the VME, assign it an IP address and prefix length (replace ip-address/mask with your own values):

[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 203

Understanding Global Management of a Virtual Chassis Configuration on page 185

Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure)

When a backup member takes control of a Virtual Chassis configuration because of a reset or other temporary failure, the backup uses the MAC address of the old master. This helps to ensure a smooth transition of mastership with no disruption to network connectivity.

The MAC persistence timer is used in situations when the master is no longer a member of the Virtual Chassis configuration, because it has been physically disconnected or removed. If the old master does not rejoin the Virtual Chassis configuration before the timer elapses, the new master starts using its own MAC address.

The default timer value is 10 minutes. There are no minimum or maximum limits.

Before you begin configuring the timer, ensure that you have at least two member switches in the Virtual Chassis configuration. To configure or modify the MAC persistence timer, use the following command:

[edit virtual-chassis]
user@switch# set mac-persistence-timer 30

This command modifies the MAC persistence timer value to specify a timer value of 30 minutes rather than the default timer value of 10 minutes.
Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Virtual Chassis Components on page 180

Configuring Fast Failover in a Virtual Chassis Configuration

The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism that automatically reroutes traffic and reduces traffic loss in the event of a link or switch failure. If a link between two members fails, traffic flow between those members must be rerouted quickly so that there is minimal traffic loss.

While fast failover is enabled by default on dedicated Virtual Chassis ports (VCPs), you must manually enable fast failover on uplink module ports that have been configured as VCPs.

Before you begin configuring fast failover, ensure that the dedicated VCPs or uplink module VCPs are connected in a ring topology.

To reenable the fast failover feature on all dedicated VCPs in a ring:

[edit]
user@switch# delete virtual-chassis fast-failover vcp disable

To configure the fast failover feature on all XFP uplink module VCPs in a ring:

[edit]
user@switch# set virtual-chassis fast-failover xe

To configure the fast failover feature on all SFP uplink module VCPs in a ring:

[edit]
user@switch# set virtual-chassis fast-failover ge

Related Topics

Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 250

Disabling Fast Failover in a Virtual Chassis Configuration on page 282

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Fast Failover in a Virtual Chassis Configuration on page 191

Disabling Fast Failover in a Virtual Chassis Configuration

While fast failover is enabled by default on dedicated Virtual Chassis ports (VCPs), you can manually disable fast failover on dedicated VCPs using the set virtual-chassis fast-failover vcp disable command.

To disable the fast failover feature on all dedicated VCPs in a ring:

[edit]
user@switch# set virtual-chassis fast-failover vcp disable

To disable the fast failover feature on all XFP uplink module VCPs in a ring:

[edit]
user@switch# delete virtual-chassis fast-failover xe

To disable the fast failover feature on all SFP uplink module VCPs in a ring:

[edit]
user@switch# delete virtual-chassis fast-failover ge

Related Topics

Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 250

Configuring Fast Failover in a Virtual Chassis Configuration on page 281

Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Fast Failover in a Virtual Chassis Configuration on page 191

Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure)

Every Virtual Chassis configuration has a unique ID that is automatically assigned when the Virtual Chassis configuration is formed. You can also explicitly assign a Virtual Chassis ID using the set virtual-chassis id command. When two Virtual Chassis configurations attempt to merge, the Virtual Chassis ID that you assigned takes precedence over the automatically assigned Virtual Chassis IDs and becomes the ID for the newly merged Virtual Chassis configuration.

To configure the Virtual Chassis ID:

[edit]
user@switch# set virtual-chassis id id

Related Topics

Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 254

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Split and Merge in a Virtual Chassis Configuration on page 198

Understanding Virtual Chassis Configuration on page 190

Disabling Split and Merge in a Virtual Chassis Configuration (CLI Procedure)

The split and merge feature is enabled by default on EX4200 switches in a Virtual Chassis configuration. You can disable the split and merge feature using the set virtual-chassis no-split-detection command. If you disable the split and merge feature and the Virtual Chassis configuration splits, both parts of the split Virtual Chassis configuration remain active.

In a preprovisioned Virtual Chassis configuration, if both of the Routing Engines end up in the same Virtual Chassis configuration after a split, the other split Virtual Chassis configuration remains inactive. If the Routing Engines end up in different parts of the split Virtual Chassis configuration and the rest of the member switches are configured as having linecard roles, then a backup Routing Engine might not be selected for either part.

To disable the split and merge feature in a Virtual Chassis configuration:

[edit]
user@switch# set virtual-chassis no-split-detection

Related Topics

Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 254

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Split and Merge in a Virtual Chassis Configuration on page 198

Understanding Virtual Chassis Configuration on page 190

Chapter 17

Verifying Virtual Chassis

Command Forwarding Usage with a Virtual Chassis Configuration on page 285

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member on page 288

Verifying That the Virtual Chassis Ports Are Operational on page 289

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 292

Command Forwarding Usage with a Virtual Chassis Configuration

Some CLI commands can be run either on all members or on a specific member of a Virtual Chassis configuration. This functionality is referred to as command forwarding.

For example, to collect information about your system prior to contacting the Juniper Networks Technical Assistance Center (JTAC), use the command request support information all-members to gather data for all the member switches. If you want to gather this data only for a particular member switch, use the command request support information member member-id.

Table 45 on page 286 provides a list of commands that can be run either on all members of the Virtual Chassis configuration or on a specific member switch.

Table 45: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration
Commands Available for
Command Forwarding

Purpose

all-members

member-member-id

request support information

Use this command when you


contact JTAC about your
component problem. This
command is the equivalent
of using the following CLI
commands:

Displays information for all


members of the Virtual
Chassis configuration.

Displays information for the


specified member switch.

show version

show chassis firmware

show chassis hardware

show chassis
environment

show interfaces extensive

(for each configured


interface)

show configuration

(excluding any
SECRET-DATA)

show system
virtual-memory

request system partition


hard-disk

Set up the hard disk for


partitioning. After this
command is issued, the hard
disk is partitioned the next
time the system is rebooted.
When the hard disk is
partitioned, the contents of
/altroot and /altconfig are
saved and restored. All other
data on the hard disk is at
risk of being lost.

Partitions the hard disk on all


members of the Virtual
Chassis configuration.

Partitions the hard disk on


the specified member switch.

request system reboot

Reboot JUNOS for EX Series


software after a software
upgrade and occasionally to
recover from an error
condition.

Reboots all members of the


Virtual Chassis configuration.

Reboots the specified


member switch.

request system snapshot

Back up the currently running


and active file system.

Backs up the file systems on


all members of the Virtual
Chassis configuration.

Backs up the file system on


the specified member switch.

request system storage


cleanup

Free storage space on the


switch by rotating log files
and proposing a list of files
for deletion. User input is
required for file deletion.

Runs cleanup on all members


of the Virtual Chassis
configuration.

Runs cleanup on the


specified member switch.

show log user

Display users who are


viewing the system log.

Displays information for all


members of the Virtual
Chassis configuration.

Displays information for the


specified member switch.

286

Command Forwarding Usage with a Virtual Chassis Configuration

Chapter 17: Verifying Virtual Chassis

Table 45: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration (continued)
Columns: Commands Available for Command Forwarding; Purpose; all-members; member member-id

show system alarms
  Purpose: Display active system alarms.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system audit
  Purpose: Display the state and checksum values for file systems.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system boot-messages
  Purpose: Display initial messages generated by the system kernel upon startup. These messages are the contents of /var/run/dmesg.boot.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system core-dumps
  Purpose: Display a core file generated by an internal JUNOS process.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system directory-usage
  Purpose: Display directory usage information.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system reboot
  Purpose: Display pending system reboots or halts.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system snapshot
  Purpose: Display information about the backup software that is located in the /altroot and /altconfig file systems. To back up software, use the request system snapshot command.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system software
  Purpose: Display the JUNOS extensions loaded on your switch.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system statistics
  Purpose: Display systemwide protocol-related statistics.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system storage
  Purpose: Display statistics about the amount of free disk space in the switch's file systems.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system uptime
  Purpose: Display the current time and information about how long the switch, the switch software, and any existing protocols have been running.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.

show system users
  Purpose: Show all users who are currently logged in.
  all-members: Shows all users who are currently logged in to any members of the Virtual Chassis configuration.
  member member-id: Shows all users who are currently logged in to the specified member switch.

show system virtual-memory
  Purpose: Display the usage of JUNOS kernel memory, listed first by size of allocation and then by type of usage. Use show system virtual-memory for troubleshooting with JTAC.
  all-members: Displays information for all members of the Virtual Chassis configuration.
  member member-id: Displays information for the specified member switch.
Table 46 on page 288 shows a list of commands that are relevant only to the master. Do not use the options all-members or member-member-id with these commands.

Table 46: Commands Relevant Only to the Master
Columns: Commands Relevant Only to the Master; Purpose

set date
  Purpose: Set the date and time.

show system buffers
  Purpose: Display information about the buffer pool that the Routing Engine uses for local traffic. Local traffic is the routing and management traffic that is exchanged between the Routing Engine and the Packet Forwarding Engine within the switch, as well as the routing and management traffic from IP (that is, from OSPF, BGP, SNMP, ping operations, and so on).

show system connections
  Purpose: Display information about the active IP sockets on the Routing Engine. Use this command to verify which servers are active on a system and which connections are currently in progress.

show system processes
  Purpose: Display information about software processes that are running on the switch and that have controlling terminals.

Related Topics

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Understanding Virtual Chassis Components on page 180

JUNOS System Basics and Services Command Reference at http://www.juniper.net/techpubs/software/junos/junos90

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member

Purpose

You can designate the role that a member performs within a Virtual Chassis configuration or you can allow the role to be assigned by default. You can designate the member ID that is assigned to a specific switch by creating a permanent association between the switch's serial number and a member ID, using a preprovisioned configuration. Or you can let the member ID be assigned by the master, based on the sequence in which the member switch is powered on and on which member IDs are currently available.

The role and member ID of the member switch are displayed on the front-panel LCD.

Each member switch can be cabled to one or two other member switches, using either the dedicated Virtual Chassis ports (VCPs) on the rear panel, an uplink module port that has been configured as a VCP, or an SFP network port on an EX4200-24F switch that has been configured as a VCP. The members that are cabled together are considered neighbor members.
Action

To display the role and member ID assignments using the CLI, use the show virtual-chassis status command:

user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority   Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  255        Master*   1   vcp-0
                                                                2   vcp-1
1 (FPC 1)  Prsnt   def456     ex4200-24t  255        Backup    2   vcp-0
                                                                0   vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p  128        Linecard  0   vcp-0
                                                                1   vcp-1

Meaning

This output verifies that three EX4200 switches have been interconnected as a Virtual Chassis configuration using their dedicated VCPs. The display shows which of the VCPs is connected to which neighbor. The first port (vcp-0) of member 0 is connected to member 1 and the second port of member 0 (vcp-1) is connected to member 2. The FPC slots for EX Series switches are the same as the member IDs.

The Mastership Priority values indicate that the master and backup members have been explicitly configured, because they are not using the default value (128).
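A parser and health check for the status output above, as an added example that is not part of the original guide. It assumes the column layout shown in this section, embeds a constructed sample that adds a fourth member reported as NotPrsnt (the condition the Troubleshooting chapter describes), and returns findings for a NotPrsnt member, a missing or duplicated Master/Backup, master and backup with different mastership priorities, and a neighbor link reported from only one side.

```python
"""Parse 'show virtual-chassis status' and report conditions worth a look
(added example, not Juniper's code): a NotPrsnt member, a missing or
duplicated Master/Backup, master and backup with different mastership
priorities, and a neighbor link listed from only one side."""
import re

# Constructed sample modelled on the output shown above, plus a fourth
# member that was disconnected and is now reported as NotPrsnt.
SAMPLE_STATUS = """\
Virtual Chassis ID: 0000.e255.00e0
                                           Mastership           Neighbor List
Member ID  Status   Serial No  Model       Priority   Role      ID  Interface
0 (FPC 0)  Prsnt    abc123     ex4200-48p  255        Master*   1   vcp-0
                                                                 2   vcp-1
1 (FPC 1)  Prsnt    def456     ex4200-24t  255        Backup    2   vcp-0
                                                                 0   vcp-1
2 (FPC 2)  Prsnt    abd231     ex4200-24p  128        Linecard  0   vcp-0
                                                                 1   vcp-1
3 (FPC 3)  NotPrsnt xyz789     ex4200-24p  128        Linecard
"""

# First line of a member entry; the neighbor columns are optional because a
# NotPrsnt member has no neighbors. Continuation lines carry only a neighbor.
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>\S+)"
    r"(?:\s+(?P<nid>\d+)\s+(?P<nif>\S+))?\s*$")
NEIGHBOR_RE = re.compile(r"^\s+(?P<nid>\d+)\s+(?P<nif>vcp-\S+)\s*$")


def parse_status(text):
    """Return {member_id: {status, serial, model, priority, role, neighbors}}."""
    members, current = {}, None
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            current = int(m.group("id"))
            members[current] = {
                "status": m.group("status"),
                "serial": m.group("serial"),
                "model": m.group("model"),
                "priority": int(m.group("prio")),
                "role": m.group("role").rstrip("*"),  # '*' marks the member the command ran on
                "neighbors": [],
            }
            if m.group("nid"):
                members[current]["neighbors"].append((int(m.group("nid")), m.group("nif")))
            continue
        n = NEIGHBOR_RE.match(line)
        if n and current is not None:
            members[current]["neighbors"].append((int(n.group("nid")), n.group("nif")))
    return members


def check_status(members):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    by_role = {}
    for mid, m in sorted(members.items()):
        by_role.setdefault(m["role"], []).append(mid)
        if m["status"] != "Prsnt":
            findings.append(f"member {mid} ({m['serial']}) is {m['status']}; "
                            "recycle its member ID if the removal was intentional")
    for role in ("Master", "Backup"):
        if len(by_role.get(role, [])) != 1:
            findings.append(f"expected exactly one {role}, found {by_role.get(role, [])}")
    if len(by_role.get("Master", [])) == 1 and len(by_role.get("Backup", [])) == 1:
        mp = members[by_role["Master"][0]]["priority"]
        bp = members[by_role["Backup"][0]]["priority"]
        if mp != bp:
            findings.append(f"master priority {mp} differs from backup priority {bp}; "
                            "mastership may flap on failover")
    # A VCP link should be reported from both ends: if 0 lists 1, then 1 lists 0.
    for mid, m in members.items():
        for nid, nif in m["neighbors"]:
            peers = {n for n, _ in members.get(nid, {"neighbors": []})["neighbors"]}
            if mid not in peers:
                findings.append(f"member {mid} lists {nid} on {nif}, but {nid} does not list {mid}")
    return findings


if __name__ == "__main__":
    for finding in check_status(parse_status(SAMPLE_STATUS)) or ["no findings"]:
        print(finding)
```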

Related Topics

Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 274

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 208

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 214

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Verifying That the Virtual Chassis Ports Are Operational

Purpose

Use the show virtual-chassis vc-port command to display the status of Virtual Chassis ports (VCPs).

NOTE: The interfaces for VCPs are not displayed when you issue the show interfaces ge- command.

Action

Display the VCPs:

user@SWA-0> show virtual-chassis vc-port all-members

fpc0:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   1   vcp-0
vcp-1       Dedicated   2      Up      32000   1   vcp-1
1/0         Configured  3      Up      1000    2   vcp-255/1/0
1/1         Configured  3      Up      1000    2   vcp-255/1/1
1/2         Configured  4      Up      1000    4   vcp-255/0/20
1/3         Configured  4      Up      1000    4   vcp-255/0/21

fpc1:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   0   vcp-0
vcp-1       Dedicated   2      Up      32000   0   vcp-1
1/0         Configured  3      Up      10000   3   vcp-255/1/0
1/1         Configured  3      Up      10000   3   vcp-255/1/1

fpc2:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   3   vcp-0
vcp-1       Dedicated   2      Up      32000   3   vcp-1
1/0         Configured  3      Up      1000    0   vcp-255/1/0
1/1         Configured  3      Up      1000    0   vcp-255/1/1
1/2                     1      Down    1000
1/3                     1      Down    1000

fpc3:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   2   vcp-0
vcp-1       Dedicated   2      Up      32000   2   vcp-1
1/0         Configured  3      Up      10000   1   vcp-255/1/0
1/1         Configured  3      Up      10000   1   vcp-255/1/1

fpc4:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Down    32000
vcp-1       Dedicated   2      Down    32000
0/20        Configured  3      Up      1000    0   vcp-255/1/2
0/21        Configured  3      Up      1000    0   vcp-255/1/3

Meaning

The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplink module interfaces that have been set as uplink VCPs are displayed as 1/0, 1/1, 1/2, and 1/3. The EX4200-24F network interfaces that have been set as VCPs are displayed as 0/20 and 0/21. The neighbor interface names of uplink and network VCPs are of the form vcp-255/pic/port; for example, vcp-255/1/0. In that name, vcp-255 indicates that the interface is a VCP, 1 is the uplink PIC number, and 0 is the port number. The fpc number is the same as the member ID. The trunk ID is a positive number ID assigned to the LAG formed by the Virtual Chassis. If no LAG is formed, the value is 1.

Related Topics

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219

Monitoring Virtual Chassis Configuration Status and Statistics

Purpose

Use the monitoring functionality to view the following information about Virtual Chassis members and ports:

Member details and how members are connected with each other.

Traffic statistics for Virtual Chassis ports of the selected members.

Details of the Virtual Chassis port packet counters.

Action

To view Virtual Chassis monitoring details in the J-Web interface, select Monitor > Virtual Chassis.

To view member details for all members in the CLI, enter the following command:

show virtual-chassis status

To view Virtual Chassis port traffic statistics for a specific member in the CLI, enter the following command:

show virtual-chassis vc-port statistics member member-id

To view the path a packet takes when going from a source interface to a destination interface in a Virtual Chassis configuration using the CLI, enter the following command:

show virtual-chassis vc-path

Meaning

In the J-Web interface the top half of the screen displays details of the Virtual Chassis configuration, such as:

Member

Role

Interface

Type

Speed

Neighboring Member ID

Link Status

Error count

Click the Stop button to stop fetching values from the switch, and click the Start button to start plotting data again from the point where it was stopped.

To view a graph of the statistics for the selected Virtual Chassis port of the member, click Show Graph.

Click Clear Statistics to clear the monitoring statistics for the selected member switch.

You can specify the interval at which the member details and statistics must be refreshed.

The bottom half of the screen displays a chart of the Virtual Chassis statistics, and the port packet counters.

For details about the output from CLI commands, see show virtual-chassis status and show virtual-chassis vc-port statistics.

Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 203

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 288

Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure)

You can replace a member switch of a Virtual Chassis configuration without disrupting network service for the other members. You can retain the existing configuration of the member switch and apply it to a new member switch, or you can free up the member ID and make it available for assignment to a new member switch.

To replace a member switch, use the procedure that matches what you need to accomplish:

Remove, Repair, and Reinstall the Same Switch on page 293

Remove a Member Switch, Replace with a Different Switch, and Reapply the Old Configuration on page 293

Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch on page 294

Remove, Repair, and Reinstall the Same Switch

If you need to repair a member switch, you can remove it from the Virtual Chassis configuration without disrupting network service for the other members. The master stores the configuration of the member ID so that it can be reapplied when the member switch (with the same base MAC address) is reconnected.

1. Power off and disconnect the member switch to be repaired.

2. Repair, as necessary.

3. Reconnect and power on the member switch.

Remove a Member Switch, Replace with a Different Switch, and Reapply the Old Configuration

If you are unable to repair a member switch, you can replace it with a different member switch and retain the old configuration. The master stores the configuration of the member that was removed. When you connect a different member switch, the master assigns a new member ID. But the old configuration is still stored under the previous member ID of the previous member switch.

NOTE: If you have used a preprovisioned configuration, use the replace command to change the serial number in the Virtual Chassis configuration file. Substitute the serial number of the replacement member switch (on the back of the switch) for the serial number of the member switch that was removed.

1. Power off and disconnect the member switch to be replaced.

2. If the replacement member switch has been previously configured, revert that switch's configuration to the factory defaults. See Reverting to the Default Factory Configuration for the EX Series Switch on page 154.

3. Connect and power on the replacement member switch.

4. Note the member ID displayed on the front panel.

5. Issue the request virtual-chassis renumber command from the Virtual Chassis master to change the member switch's current member ID to the member ID that belonged to the member switch that was removed from the Virtual Chassis configuration.

Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch

When you remove a member switch from the Virtual Chassis configuration, the master keeps its member ID on reserve. To make that member switch's member ID available for reassignment, issue the request virtual-chassis recycle command from the Virtual Chassis master.

NOTE: When you add or delete members in a Virtual Chassis configuration, internal routing changes might cause temporary traffic loss for a few seconds.

Related Topics

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 270

Chapter 18

Troubleshooting Virtual Chassis

Troubleshooting a Virtual Chassis Configuration on page 295

Troubleshooting a Virtual Chassis Configuration

Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment on page 295

Load Factory Default Does Not Commit on a Multimember Virtual Chassis on page 295

Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis on page 296

Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment

Problem

You disconnected an EX4200 from the Virtual Chassis configuration, but the disconnected switch's member ID is still displayed in the status output. You cannot reassign that member ID to another switch.

Solution

When you disconnect a member of a Virtual Chassis configuration, the master retains the member ID and member configuration in its configuration database. The show virtual-chassis status command continues to display the member ID of the disconnected member with a status of NotPrsnt.

If you want to permanently disconnect the member switch, you can free up the member ID by using the request virtual-chassis recycle command. This will also clear the status of that member.

Load Factory Default Does Not Commit on a Multimember Virtual Chassis

Problem

The load factory default command fails on a multimember Virtual Chassis configuration.

Solution

The load factory default command is not supported on a multimember Virtual Chassis configuration. For information on how to revert to factory default settings, see Reverting to the Default Factory Configuration for the EX Series Switch on page 154.

Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis

Problem

Gigabit Ethernet interfaces retain their previous slot numbers when a member switch is disconnected from the Virtual Chassis configuration.

Solution

If a switch had been previously connected as a member of a Virtual Chassis configuration, it retains the member ID that it was assigned as a member of that configuration even after it is disconnected and operating as a standalone switch. The interfaces that were configured while the switch was a member of the Virtual Chassis configuration retain the old member ID as the first digit of the interface name. For example, if the switch was previously member 1, its interfaces are named ge-1/0/0 and so on.

To change the switch's member ID, so that its member ID is 0, and to rename the switch's interfaces accordingly, enter the following operational-mode commands:

1. To change the member ID to 0:

user@switch> request virtual-chassis renumber member-id 1 new-member-id 0

2. To rename the interfaces to match the new member ID:

user@switch# replace pattern ge-1/ with ge-0/

Related Topics

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

For more information about the replace command, see JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos/junos90/

Chapter 19

Configuration Statements for Virtual Chassis

[edit virtual-chassis] Configuration Statement Hierarchy on page 297

[edit virtual-chassis] Configuration Statement Hierarchy

virtual-chassis {
    fast-failover (ge | vcp disable | xe);
    id id;
    mac-persistence-timer seconds;
    member member-id {
        mastership-priority number;
        no-management-vlan;
        serial-number;
        role;
    }
    no-split-detection;
    preprovisioned;
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 203

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Virtual Chassis Overview on page 177

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

fast-failover

Syntax: fast-failover (ge | vcp disable | xe);

Hierarchy Level: [edit virtual-chassis]

Release Information: Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description: Enable the fast failover feature on all SFP uplink module Virtual Chassis ports (VCPs) or all XFP uplink module VCPs, or disable the fast failover feature on all dedicated VCPs in a ring topology.

Default: Fast failover is enabled on dedicated VCPs; it is not enabled on uplink module VCPs.

Options:
  ge: Enable fast failover on all Gigabit Ethernet uplink module VCPs in the ring.
  vcp disable: Disable fast failover on all dedicated VCPs in the ring.
  xe: Enable fast failover on all 10-Gigabit Ethernet uplink module VCPs in the ring.

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 250

Configuring Fast Failover in a Virtual Chassis Configuration on page 281

Disabling Fast Failover in a Virtual Chassis Configuration on page 282

id

Syntax: id id;

Hierarchy Level: [edit virtual-chassis]

Release Information: Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description: Configure the alphanumeric string that identifies a Virtual Chassis configuration.

Options:
  id: ID of the Virtual Chassis configuration, which uses the ISO family address format, for example, 9622.6ac8.5345.

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 254

Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) on page 283

Understanding Split and Merge in a Virtual Chassis Configuration on page 198

mac-persistence-timer

Syntax: mac-persistence-timer minutes;

Hierarchy Level: [edit virtual-chassis]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: If the master is physically disconnected or removed from the Virtual Chassis configuration, the MAC persistence timer determines how long the backup (new master) continues to use the address of the old master. When the MAC persistence timer expires, the backup (new master) begins to use its own MAC address. There are no minimum or maximum timer limits.

Default: 10 minutes

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure) on page 280

Understanding Virtual Chassis Components on page 180

mastership-priority

Syntax: mastership-priority number;

Hierarchy Level: [edit virtual-chassis member member-id]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: The mastership priority value is the most important factor in determining the role of the EX4200 member switch within the Virtual Chassis configuration. Other factors (see Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 184) also affect the election of the master.

The mastership priority value takes the highest precedence in the master election algorithm. The member switch with highest mastership priority becomes the master of the Virtual Chassis configuration. Toggling back and forth between master and backup status in failover conditions is undesirable, so we recommend that you assign the same mastership priority value to both the master and the backup. Secondary factors in the master election algorithm determine which of these two members (that is, the two members that are assigned the highest mastership priority value) functions as the master of the Virtual Chassis configuration.

Default: 128

Options:
  number: Mastership priority value.
  Range: 1 through 255

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 203

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 219

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Virtual Chassis Components on page 180

member

Syntax:
member member-id {
    mastership-priority number;
    no-management-vlan;
    serial-number;
    role;
}

Hierarchy Level: [edit virtual-chassis]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Configure an EX4200 switch as a member of a Virtual Chassis configuration.

Default: When an EX4200 is powered on as a standalone switch (not interconnected through its Virtual Chassis ports with other EX4200 switches), its default member ID is 0.

Options:
  member-id: Identifies a specific member switch of a Virtual Chassis configuration.
  Range: 0 through 9
  The remaining statements are explained separately.

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Understanding Virtual Chassis Components on page 180

no-management-vlan

Syntax: no-management-vlan;

Hierarchy Level: [edit virtual-chassis member member-id]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Remove the specified member's out-of-band management port from the Virtual Management Ethernet (VME) global management VLAN of the Virtual Chassis configuration.

For a member that is functioning in a linecard role, you can use this configuration to reserve the member's management Ethernet port for local troubleshooting:

virtual-chassis {
    member 2 {
        no-management-vlan;
    }
}

You cannot configure the IP address for a local management Ethernet port using the CLI or the J-Web interface. To do this, you need to use the shell ifconfig command.

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 214

Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) on page 279

Understanding Global Management of a Virtual Chassis Configuration on page 185

no-split-detection

Syntax: no-split-detection;

Hierarchy Level: [edit virtual-chassis]

Release Information: Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description: Disable the split and merge feature in a Virtual Chassis configuration. The split and merge feature is enabled by default on EX4200 switches.

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 254

Disabling Split and Merge in a Virtual Chassis Configuration (CLI Procedure) on page 283

Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) on page 283

Understanding Split and Merge in a Virtual Chassis Configuration on page 198

preprovisioned

Syntax: preprovisioned;

Hierarchy Level: [edit virtual-chassis]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Enable the preprovisioned configuration mode for a Virtual Chassis configuration. When preprovisioned configuration mode is enabled, you cannot use the CLI or the J-Web interface to change the mastership priority or member ID of member switches.

Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239

Configuring a Virtual Chassis (CLI Procedure) on page 265

Configuring a Virtual Chassis (J-Web Procedure) on page 268

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 270

Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 292

Understanding Virtual Chassis Configuration on page 190

role
Syntax
Hierarchy Level
Release Information
Description

Options

role (routing-engine | line-card);


[edit virtual-chassis preprovisioned member member-id]

Statement introduced in JUNOS Release 9.0 for EX Series switches.


In a preprovisioned Virtual Chassis configuration, specify the role to be performed
by each EX4200 member switch. Associate the role permanently with the members
serial number.
routing-engine: Enables the member to be eligible to function as a master or backup of the Virtual Chassis configuration. The master manages all the members of the Virtual Chassis configuration and runs the chassis management processes and control protocols. The backup synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable.

Specify two and only two members as routing-engine. The software determines which of the two members assigned the routing-engine role functions as master, based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 184.

line-card: Enables the member to be eligible to function only in the linecard role. Any member of the Virtual Chassis configuration other than the master or backup functions in the linecard role and runs only a subset of JUNOS Software for EX Series switches. A member functioning in the linecard role does not run the chassis control protocols. A Virtual Chassis configuration must have at least three members in order to include a member that functions in the linecard role.

When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces. The mastership priority value is generated by the software, based on the assigned role:

A member configured as routing-engine is assigned the mastership priority 129.

A member configured as line-card is assigned the mastership priority 0.

A member listed in the preprovisioned configuration without an explicitly specified role is assigned the mastership priority 128.

The configured role specifications are permanent. If both routing-engine members should fail, a line-card member cannot take over as master of the Virtual Chassis configuration. You must delete the preprovisioned configuration in order to change the specified roles.

It is possible to explicitly configure two members as routing-engine and to configure additional switches as members of the preprovisioned Virtual Chassis by specifying only their serial numbers. If you do not explicitly configure the role of the additional members, they function in a linecard role by default. In that case, a member that is functioning in a linecard role can take over mastership if the members functioning as master and backup (routing-engine role) both fail.
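The rules above (exactly two routing-engine members, a priority of 129, 0 or 128 derived from the role, a line-card member only in a Virtual Chassis of three or more members, and only role-less members able to take over if both routing-engine members fail) can be checked before the preprovisioned file is committed. The following is an added example, not code from this guide or from Juniper; the Member type, the function names and the serial numbers are constructed for illustration.

```python
"""Pre-commit check for a preprovisioned Virtual Chassis member list.

Added example, not code from the guide or from Juniper. It applies the rules
the role statement describes: exactly two routing-engine members, priority
129/0/128 derived from the role, and a line-card member only in a Virtual
Chassis of three or more members. Serial numbers used below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Mastership priority the software generates for each role (values from the guide).
PRIORITY_BY_ROLE = {
    "routing-engine": 129,
    "line-card": 0,
    None: 128,  # listed by serial number only, no explicit role
}
VALID_MEMBER_IDS = range(0, 10)  # member IDs run from 0 through 9


@dataclass(frozen=True)
class Member:
    member_id: int
    serial_number: str
    role: Optional[str] = None  # "routing-engine", "line-card" or None


def mastership_priority(member: Member) -> int:
    """Priority the software would assign. A preprovisioned configuration does
    not allow the priority to be set by hand, so the role is the only input."""
    if member.role not in PRIORITY_BY_ROLE:
        raise ValueError(f"member {member.member_id}: unknown role {member.role!r}")
    return PRIORITY_BY_ROLE[member.role]


def validate_preprovisioned(members: List[Member]) -> List[str]:
    """Return a list of rule violations; an empty list means the list is consistent."""
    problems: List[str] = []
    ids = [m.member_id for m in members]
    serials = [m.serial_number for m in members]
    if len(set(ids)) != len(ids):
        problems.append("duplicate member IDs")
    if len(set(serials)) != len(serials):
        problems.append("duplicate serial numbers")
    for m in members:
        if m.member_id not in VALID_MEMBER_IDS:
            problems.append(f"member {m.member_id}: ID outside 0 through 9")
        if not m.serial_number:
            problems.append(f"member {m.member_id}: missing serial number")
        try:
            mastership_priority(m)
        except ValueError as exc:
            problems.append(str(exc))
    re_count = sum(1 for m in members if m.role == "routing-engine")
    if re_count != 2:
        problems.append(f"expected exactly 2 routing-engine members, found {re_count}")
    if any(m.role == "line-card" for m in members) and len(members) < 3:
        problems.append("a line-card member requires at least three members")
    return problems


def failover_candidates(members: List[Member]) -> List[int]:
    """Members that may take over mastership if both routing-engine members fail.
    Explicit line-card members never can; members listed without a role can."""
    return [m.member_id for m in members if m.role is None]


if __name__ == "__main__":
    plan = [
        Member(0, "SN-CONSTRUCTED-0000", "routing-engine"),
        Member(1, "SN-CONSTRUCTED-0001", "routing-engine"),
        Member(2, "SN-CONSTRUCTED-0002", "line-card"),
        Member(3, "SN-CONSTRUCTED-0003"),
    ]
    for m in plan:
        print(m.member_id, m.role, mastership_priority(m))
    print("problems:", validate_preprovisioned(plan))
    print("failover candidates:", failover_candidates(plan))
```

The failover_candidates list is the operationally interesting output: because the role specifications are permanent, a design that lists every non-routing-engine member explicitly as line-card leaves no member able to take over if both routing-engine members fail.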
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239
Configuring a Virtual Chassis (CLI Procedure) on page 265
Configuring a Virtual Chassis (J-Web Procedure) on page 268
Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 270
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 292
Understanding Virtual Chassis Configuration on page 190

serial-number

Syntax
serial-number serial-number;

Hierarchy Level
[edit virtual-chassis preprovisioned member member-id]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
In a preprovisioned Virtual Chassis configuration, specify the serial number of each EX4200 member switch to be included in the Virtual Chassis configuration. If you do not include the serial number within the Virtual Chassis configuration, the switch cannot be recognized as a member of a preprovisioned configuration.

Options
serial-number: The switch's permanent serial number, which is located on the back of the switch.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis Using a Preprovisioned Configuration File on page 239
Configuring a Virtual Chassis (CLI Procedure) on page 265
Configuring a Virtual Chassis (J-Web Procedure) on page 268
Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 270
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 292
Understanding Virtual Chassis Configuration on page 190

Chapter 19: Configuration Statements for Virtual Chassis

traceoptions

Syntax
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag;
}

Hierarchy Level
[edit virtual-chassis]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Define tracing operations for the Virtual Chassis configuration.

Default
Tracing operations are disabled.

Options
file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.

files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
all: All tracing operations.
csn: Trace Virtual Chassis complete sequence number (CSN) packets.
error: Trace Virtual Chassis errored packets.
hello: Trace Virtual Chassis hello packets.
krt: Trace Virtual Chassis KRT events.
lsp: Trace Virtual Chassis link-state packets.
lsp-generation: Trace Virtual Chassis link-state packet generation.
me: Trace Virtual Chassis ME events.
packets: Trace Virtual Chassis packets.
parse: Trace reading of the configuration.
route: Trace Virtual Chassis routing information.
spf: Trace Virtual Chassis SPF events.
state: Trace Virtual Chassis state transitions.
task: Trace Virtual Chassis task operations.

match regex: (Optional) Refine the output to include lines that contain the regular expression.

no-world-readable: (Optional) Restrict file access to the user who created the file.

size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 291
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 288
Verifying That the Virtual Chassis Ports Are Operational on page 289
Troubleshooting a Virtual Chassis Configuration on page 295

virtual-chassis

Syntax
virtual-chassis {
mac-persistence-timer seconds;
preprovisioned;
member member-id {
mastership-priority number;
no-management-vlan;
serial-number;
role;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag;
}
}

Hierarchy Level
[edit]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure Virtual Chassis information on an EX4200 switch.
The statements are explained separately.

Default
A standalone EX4200 switch is a Virtual Chassis by default. It has a default member ID of 0, a default mastership priority of 128, and a default role as master.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 203
Configuring a Virtual Chassis (CLI Procedure) on page 265
Configuring a Virtual Chassis (J-Web Procedure) on page 268
Understanding Virtual Chassis Components on page 180

Chapter 20: Operational Mode Commands for Virtual Chassis

clear virtual-chassis vc-port statistics

Syntax
clear virtual-chassis vc-port statistics
<all-members>
<interface-name>
<local>
<member member-id>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.
The options all-members and local were added in JUNOS Release 9.3 for EX Series switches.

Description
Clear (reset to zero) the traffic statistics counters on Virtual Chassis ports (VCPs).

Options
none: Clear traffic statistics for the VCPs of all members of a Virtual Chassis configuration.
all-members: (Optional) Clear traffic statistics for the VCPs of all members of a Virtual Chassis configuration.
interface-name: (Optional) Name of the VCP interface to be cleared of its traffic statistics. Specify either vcp-0 or vcp-1.
local: (Optional) Clear VCP traffic statistics from only the switch on which this command is entered.
member member-id: (Optional) Clear VCP traffic statistics from only the specified member of a Virtual Chassis configuration.

Required Privilege Level
clear

Related Topics
show virtual-chassis vc-port statistics
show virtual-chassis vc-port
Monitoring Virtual Chassis Configuration Status and Statistics on page 291
Understanding Virtual Chassis Components on page 180

List of Sample Output
clear virtual-chassis vc-port statistics on page 312
clear virtual-chassis vc-port statistics member 3 on page 312

clear virtual-chassis vc-port statistics

user@SWA-0> clear virtual-chassis vc-port statistics
fpc0:
--------------------------------------------------------------------------
Statistics cleared
{master:0}

clear virtual-chassis vc-port statistics member 3

user@SWA-0> clear virtual-chassis vc-port statistics member 3
Cleared statistics on member 3

request session member

Syntax
request session member member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Starts a session with the specified member of a Virtual Chassis configuration.

Options
member-id: Select the specific member of the Virtual Chassis configuration with which you want to establish a session.

Required Privilege Level
maintenance

Related Topics
member
Understanding Virtual Chassis Components on page 180

request virtual-chassis recycle

Syntax
request virtual-chassis recycle member-id member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Make a previously used member ID available for reassignment.
When you remove a member switch from the Virtual Chassis configuration, the master reserves that member ID. To make the member ID available for reassignment, you must use this command.

NOTE: You can run this command from the Virtual Chassis master only.

Options
member-id member-id: Specify the member ID that you want to make available for reassignment to a different member switch.

Required Privilege Level
system-control

Related Topics
request virtual-chassis renumber
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 292

List of Sample Output
request virtual-chassis recycle member-id 3 on page 314

request virtual-chassis recycle member-id 3

user@host> request virtual-chassis recycle member-id 3

request virtual-chassis renumber

Syntax
request virtual-chassis renumber member-id old-member-id new-member-id new-member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Renumber a member of a Virtual Chassis configuration.

NOTE: You can run this command from the Virtual Chassis master only.

Options
member-id old-member-id: Specify the ID of the member that you wish to renumber.
new-member-id new-member-id: Specify an unassigned member ID (from 0 through 9).

Required Privilege Level
system-control

Related Topics
request virtual-chassis recycle
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 292

List of Sample Output
request virtual-chassis renumber member-id 5 new-member-id 4 on page 315

request virtual-chassis renumber member-id 5 new-member-id 4

user@SWA-0> request virtual-chassis renumber member-id 5 new-member-id 4

request virtual-chassis vc-port

Syntax
request virtual-chassis vc-port set | delete pic-slot pic-slot port port-number
<member member-id>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Enable or disable an uplink module port (on an SFP, SFP+, or XFP uplink module) or an SFP network port on an EX4200-24F switch as a Virtual Chassis port (VCP).

Options
pic-slot pic-slot: Number of the PIC slot for the uplink module port or SFP network port on an EX4200-24F switch. Specify 1 to represent the uplink module PIC on the EX Series switch. Specify 0 to represent the SFP network port on an EX4200-24F switch.
port port-number: Number of the uplink module port (0 or 1) or SFP network port on an EX4200-24F switch (0 to 23) that is to be enabled or disabled as a VCP.
member member-id: (Optional) Enable or disable the specified VCP on the specified member of the Virtual Chassis configuration.

Additional Information
If you omit member member-id, this command defaults to enabling or disabling the uplink VCP or SFP network port configured as a VCP on the switch where the command is issued.

Required Privilege Level
system-control

Related Topics
request virtual-chassis vc-port (dedicated port)
show virtual-chassis vc-port
show virtual-chassis vc-port statistics
clear virtual-chassis vc-port statistics
Understanding Virtual Chassis Components on page 180

List of Sample Output
request virtual-chassis vc-port set pic-slot 1 port 0 on page 316
request virtual-chassis vc-port set pic-slot 1 port 1 member 3 on page 316
request virtual-chassis vc-port delete pic-slot 1 port 1 member 3 on page 316

request virtual-chassis vc-port set pic-slot 1 port 0

user@host> request virtual-chassis vc-port set pic-slot 1 port 0

To check the results of this command, use the show virtual-chassis vc-port command.

request virtual-chassis vc-port set pic-slot 1 port 1 member 3

user@host> request virtual-chassis vc-port set pic-slot 1 port 1 member 3

To check the results of this command, use the show virtual-chassis vc-port command.

request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

user@host> request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

To check the results of this command, use the show virtual-chassis vc-port command.

request virtual-chassis vc-port

Syntax
request virtual-chassis vc-port set interface vcp-interface-name
<member member-id> <disable>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Disable or enable a Virtual Chassis port (VCP) for a dedicated VCP on the rear panel of the Virtual Chassis.

Options
interface vcp-interface-name: Name of the interface to enable or disable. Specify either vcp-0 or vcp-1.
member member-id: (Optional) Enable or disable the specified VCP on the specified member of the Virtual Chassis configuration.
disable: (Optional) Disable the specified VCP. If you omit this keyword, the command enables the dedicated VCP.

Additional Information
If you omit member member-id, this command defaults to disabling or enabling the dedicated VCP on the switch where the command is issued. The dedicated VCPs are enabled in the factory default configuration.

Required Privilege Level
system-control

Related Topics
request virtual-chassis vc-port
show virtual-chassis vc-port
show virtual-chassis vc-port statistics
clear virtual-chassis vc-port statistics
Understanding Virtual Chassis Components on page 180

List of Sample Output
request virtual-chassis vc-port set interface vcp-0 disable on page 317
request virtual-chassis vc-port set interface vcp-0 member 3 disable on page 317

request virtual-chassis vc-port set interface vcp-0 disable

user@host> request virtual-chassis vc-port set interface vcp-0 disable

To check the results of this command, use the show virtual-chassis vc-port command.

request virtual-chassis vc-port set interface vcp-0 member 3 disable

user@host> request virtual-chassis vc-port set interface vcp-0 member 3 disable

To check the results of this command, use the show virtual-chassis vc-port command.

show system uptime

Syntax
show system uptime (all-members | member member-id)

Release Information
Options introduced in JUNOS Release 9.0 for EX Series switches.

Description
Display the current time and information about how long the Virtual Chassis, Virtual Chassis software, and routing protocols have been running.

Options
all-members: Display the current time and information about how long the Virtual Chassis, Virtual Chassis software, and routing protocols have been running for all the member switches of the Virtual Chassis configuration.
member member-id: Display the current time and information about how long the Virtual Chassis, Virtual Chassis software, and routing protocols have been running for the specific member of the Virtual Chassis configuration.

Required Privilege Level
view

Related Topics
virtual-chassis
Monitoring System Properties on page 145
For more information about show system uptime, see the JUNOS Software System Basics Services and Command Reference at http://www.juniper.net/techpubs/software/junos/junos91/index.html.

List of Sample Output
show system uptime member 0 on page 319

Output Fields
Table 47 on page 318 lists the output fields for the show system uptime command. Output fields are listed in the approximate order in which they appear.

Table 47: show system uptime Output Fields

Field Name          Field Description
Current time        Current system time in UTC.
System booted       Date and time when the switch was last booted and how long it has been running.
Protocols started   Date and time when the routing protocols were last started and how long they have been running.
Last configured     Date and time when a configuration was last committed. Also shows the name of the user who issued the last commit command.
Time and up         Current time, in the local time zone, and how long the switch has been operational.
Users               Number of users logged into the switch.
Load averages       Load averages for the last 1 minute, 5 minutes, and 15 minutes.

show system uptime member 0

user@host> show system uptime member 0
fpc0:
--------------------------------------------------------------------------
Current time: 2008-02-06 05:24:20 UTC
System booted: 2008-01-31 08:26:54 UTC (5d 20:57 ago)
Protocols started: 2008-01-31 08:27:56 UTC (5d 20:56 ago)
Last configured: 2008-02-05 03:26:43 UTC (1d 01:57 ago) by root
5:24AM up 5 days, 20:57, 1 user, load averages: 0.14, 0.06, 0.01

show virtual-chassis active-topology

Syntax
show virtual-chassis active-topology
<(all-members | member member-id)>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Display the active topology of the Virtual Chassis configuration with reachability information.

Options
none: Display the active topology of the member switch where the command is issued.
all-members: Display the active topology of all members of the Virtual Chassis configuration.
member member-id: Display the active topology of a specified member of the Virtual Chassis configuration.

Required Privilege Level
view

Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 291
Understanding Virtual Chassis Configuration on page 190

List of Sample Output
show virtual-chassis active-topology on page 320

Output Fields
Table 48 on page 320 lists the output fields for the show virtual-chassis active-topology command. Output fields are listed in the approximate order in which they appear.

Table 48: show virtual-chassis active-topology Output Fields

Field Name       Field Description
Destination ID   Specifies the member ID of the destination.
Next-hop         Specifies the member ID and VCP of the next-hop to which packets for the destination ID are forwarded.

show virtual-chassis active-topology

user@SWA-0> show virtual-chassis active-topology
Destination ID   Next-hop
1                1(vcp-1)
[Destination ID column for the remaining rows lost in extraction; the surviving Next-hop entries, in order, are 1(vcp-1), 1(vcp-1), 1(vcp-1), 8(vcp-0), 8(vcp-0), 8(vcp-0), 8(vcp-0), 1(vcp-1)]

show virtual-chassis fast-failover

Syntax
show virtual-chassis fast-failover

Release Information
Command introduced in JUNOS Release 9.3 for EX Series switches.

Description
Display information about the fast failover feature in a Virtual Chassis configuration.

Required Privilege Level
view

Related Topics
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 250
Configuring Fast Failover in a Virtual Chassis Configuration on page 281
Disabling Fast Failover in a Virtual Chassis Configuration on page 282
Understanding Fast Failover in a Virtual Chassis Configuration on page 191

List of Sample Output
show virtual-chassis fast-failover on page 322

Output Fields
Table 49 on page 322 lists the output fields for the show virtual-chassis fast-failover command. Output fields are listed in the approximate order in which they appear.

Table 49: show virtual-chassis fast-failover Output Fields

Field Name                               Field Description
Fast failover on dedicated VCP ports     Indicates fast failover status on dedicated VCPs.
Fast failover on XE uplink VCP ports     Indicates fast failover status on XFP uplink module VCPs.
Fast failover on GE uplink VCP ports     Indicates fast failover status on SFP uplink module VCPs.

show virtual-chassis fast-failover

user@switch1> show virtual-chassis fast-failover
Fast failover on dedicated VCP ports: Enabled
Fast failover on XE uplink VCP ports: Disabled
Fast failover on GE uplink VCP ports: Enabled

show virtual-chassis status

Syntax
show virtual-chassis status

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Display information about all the members of the Virtual Chassis configuration.

Options
none: Display all information for all member switches of the Virtual Chassis configuration.

Required Privilege Level
view

Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 291
Understanding Virtual Chassis Configuration on page 190

Output Fields
Table 50 on page 323 lists the output fields for the show virtual-chassis status command. Output fields are listed in the approximate order in which they appear.

Table 50: show virtual-chassis status Output Fields

Field Name            Field Description
Virtual Chassis ID    Assigned ID that applies to the entire Virtual Chassis configuration.
Member ID             Assigned member ID and FPC slot (from 0 through 9).
Status                For a nonprovisioned configuration:
                      Prsnt for a member that is currently connected to the Virtual Chassis configuration.
                      NotPrsnt for a member ID that has been assigned but is not currently connected.
                      For a preprovisioned configuration:
                      Prsnt for a member that is specified in the preprovisioned configuration file and is currently connected to the Virtual Chassis configuration.
                      Unprvsnd for a member that is interconnected with the Virtual Chassis configuration, but is not specified in the preprovisioned configuration file.
Serial No             Serial number of the member switch.
Model                 Model number of the member switch.
Mastership Priority   Mastership priority value of the member switch.
Role                  Role of the member switch.
Neighbor List         Member ID of the neighbor member to which this member's VCP interface is connected.

show virtual-chassis status

user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 0019.e250.47a0
                                             Mastership           Neighbor List
Member ID  Status  Serial No     Model        priority  Role      ID  Interface
0 (FPC 0)  Prsnt   AK0207360276  ex4200-24t   249       Master*    8  vcp-0
                                                                    1  vcp-1
1 (FPC 1)  Prsnt   AK0207360281  ex4200-24t   248       Backup     0  vcp-0
                                                                    2  vcp-1
2 (FPC 2)  Prsnt   AJ0207391130  ex4200-48p   247       Linecard   1  vcp-0
                                                                    3  vcp-1
3 (FPC 3)  Prsnt   AK0207360280  ex4200-24t   246       Linecard   2  vcp-0
                                                                    4  vcp-1
4 (FPC 4)  Prsnt   AJ0207391113  ex4200-48p   245       Linecard   3  vcp-0
                                                                    5  vcp-1
5 (FPC 5)  Prsnt   BP0207452204  ex4200-48t   244       Linecard   4  vcp-0
                                                                    6  vcp-1
6 (FPC 6)  Prsnt   BP0207452222  ex4200-48t   243       Linecard   5  vcp-0
                                                                    7  vcp-1
7 (FPC 7)  Prsnt   BR0207432028  ex4200-24f   242       Linecard   6  vcp-0
                                                                    8  vcp-1
8 (FPC 8)  Prsnt   BR0207431996  ex4200-24f   241       Linecard   7  vcp-0
                                                                    0  vcp-1
Member ID for next new member: 9 (FPC 9)
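The Status and Role columns are what an operator checks after a change: an Unprvsnd member means a switch is interconnected with the Virtual Chassis without being listed in the preprovisioned file, and there should be exactly one Master and one Backup. The following is an added example, not code from this guide or from Juniper, that parses this output and reports those conditions; the sample output, serial numbers and Virtual Chassis ID in it are constructed to follow the column layout shown above.

```python
"""Audit 'show virtual-chassis status' output against an expected member set.

Added example, not code from the guide or from Juniper. SAMPLE_STATUS is
constructed in the column layout the guide shows; serial numbers and the
Virtual Chassis ID are placeholders.
"""
import re
from typing import Dict, List, Set

# One line per member. The '*' after the role marks the switch the command ran on,
# and the neighbor list continues on indented lines that this pattern ignores.
MEMBER_LINE = re.compile(
    r"^(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<priority>\d+)\s+(?P<role>[A-Za-z]+)\*?"
)

SAMPLE_STATUS = """\
Virtual Chassis ID: 0000.0000.0001
                                             Mastership           Neighbor List
Member ID  Status    Serial No     Model       priority  Role      ID  Interface
0 (FPC 0)  Prsnt     SN-CONSTR-00  ex4200-24t  129       Master*    2  vcp-0
                                                                    1  vcp-1
1 (FPC 1)  Prsnt     SN-CONSTR-01  ex4200-24t  129       Backup     0  vcp-0
                                                                    2  vcp-1
2 (FPC 2)  Unprvsnd  SN-CONSTR-99  ex4200-48p  0         Linecard   1  vcp-0
                                                                    0  vcp-1
Member ID for next new member: 3 (FPC 3)
"""


def parse_status(text: str) -> List[Dict[str, object]]:
    """Return one dict per member row, in output order."""
    members = []
    for line in text.splitlines():
        m = MEMBER_LINE.match(line)
        if m:
            members.append({
                "id": int(m["id"]),
                "status": m["status"],
                "serial": m["serial"],
                "model": m["model"],
                "priority": int(m["priority"]),
                "role": m["role"],
            })
    return members


def audit_status(members: List[Dict[str, object]], expected_serials: Set[str]) -> List[str]:
    """Report members not in the preprovisioned file (Unprvsnd), assigned members
    that are not connected (NotPrsnt), serials outside the expected set, expected
    serials that are missing, and any count of Master or Backup other than one."""
    findings: List[str] = []
    roles = [m["role"] for m in members]
    if roles.count("Master") != 1:
        findings.append(f"expected 1 Master, found {roles.count('Master')}")
    if roles.count("Backup") != 1:
        findings.append(f"expected 1 Backup, found {roles.count('Backup')}")
    seen: Set[str] = set()
    for m in members:
        seen.add(str(m["serial"]))
        if m["status"] == "Unprvsnd":
            findings.append(
                f"member {m['id']}: serial {m['serial']} is connected but not in the "
                f"preprovisioned configuration"
            )
        elif m["serial"] not in expected_serials:
            findings.append(f"member {m['id']}: serial {m['serial']} not in expected member list")
        if m["status"] == "NotPrsnt":
            findings.append(f"member {m['id']}: member ID assigned but switch not connected")
    for serial in sorted(expected_serials - seen):
        findings.append(f"expected serial {serial} not present in output")
    return findings


if __name__ == "__main__":
    rows = parse_status(SAMPLE_STATUS)
    for finding in audit_status(rows, {"SN-CONSTR-00", "SN-CONSTR-01"}):
        print(finding)
```

The expected serial set is the same list of serial numbers that goes into the preprovisioned configuration, so the check can be run from a monitoring host against captured command output without any access beyond the view privilege the command requires.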

show virtual-chassis vc-path

Syntax
show virtual-chassis vc-path source-interface interface-name destination-interface interface-name

Release Information
Command introduced in JUNOS Release 9.6 for EX Series switches.

Description
Show the path a packet takes when going from a source interface to a destination interface in a Virtual Chassis configuration.

Options
source-interface interface-name: Name of the interface from which the packet originates.
destination-interface interface-name: Name of the interface to which the packet is delivered.

Required Privilege Level
view

Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 291
Understanding Virtual Chassis Configuration on page 190

List of Sample Output
show virtual-chassis vc-path source-interface destination-interface on page 325

Output Fields
Table 51 on page 325 lists the output fields for the show virtual-chassis vc-path command. Output fields are listed in the approximate order in which they appear.

Table 51: show virtual-chassis vc-path Output Fields

Field Name   Field Description
Hop          The number of hops between the source and destination interfaces.
Member       The Virtual Chassis ID of the member switch that contains the Packet Forwarding Engine for each intermediate hop.
PFE-Device   The number of the Packet Forwarding Engine in each Virtual Chassis member through which a packet passes. Each Packet Forwarding Engine is the next hop of the preceding Packet Forwarding Engine.
Interface    The name of the interface through which the Packet Forwarding Engines are connected. The interface for the first hop is always the source interface and the interface for the last hop is always the destination interface. For intermediate hops, the Interface field denotes the Packet Forwarding Engines through which the packet passes on its way to the next hop.

show virtual-chassis vc-path source-interface destination-interface

user@switch> show virtual-chassis vc-path source-interface ge-0/0/0 destination-interface ge-1/0/1
vc-path from ge-0/0/0 to ge-1/0/1
Hop   Member   PFE-Device   Interface
0     0        1            ge-0/0/0
1     0        0            internal-1/24
2     1        3            vcp-0
3     1        4            ge-1/0/1

show virtual-chassis vc-port


Syntax

Release Information
Description

Options

show virtual-chassis vc-port


<(all-members | member member-id)>

Command introduced in JUNOS Release 9.0 for EX Series switches.


Display the status of the Virtual Chassis ports (VCPs), including both the dedicated
VCPs and the uplink module ports configured as VCPs.
noneDisplay the operational status of all the VCPs of the member switch where

the command is issued.


all-members(Optional) Display the operational status of all the VCPs on all members

of the Virtual Chassis configuration.


member member-id(Optional) Display the operational status of all the VCPs for the

specified member of the Virtual Chassis configuration.


Required Privilege Level
Related Topics

List of Sample Output


Output Fields

view

show virtual-chassis vc-port statistics

Monitoring Virtual Chassis Configuration Status and Statistics on page 291

Understanding Virtual Chassis Configuration on page 190

show virtual-chassis vc-port on page 328


show virtual-chassis vc-port all-members on page 328
Table 52 on page 327 lists the output fields for the show virtual-chassis vc-port
command. Output fields are listed in the approximate order in which they appear.

Table 52: show virtual-chassis vc-port Output Fields


Field Name

Field Description

fpcnumber

The FPC number is the same as the member ID.

Interface or PIC/Port

VCP interface name. Unlike network interface names, a VCP interface name does not include a slot
number (member ID).

Type

The dedicated VCPs are vcp-0 and vcp-1.

The uplink module ports set as VCPs are named 1/0 and 1/1, representing the PIC number
and the port number.

Type of VCP:

Dedicated (on the rear panel)

Configured (uplink module port configured as a VCP)

Auto-Configured (uplink module port autoconfigured as a VCP)

See Setting an Uplink Module Port as a Virtual Chassis Port (CLI Procedure) on page 276 for
information about configuring VCPs.

show virtual-chassis vc-port

327

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 52: show virtual-chassis vc-port Output Fields (continued)


Field Name

Field Description

Trunk ID

A positive-number ID assigned to a LAG formed by the Virtual Chassis. The trunk ID value is 1 if
no trunk is formed. A LAG between uplink VCPs requires that the link speed be the same on connected
interfaces and that at least two VCPs on one member be connected to at least two VCPs on the other
member.
Dedicated VCP LAGs are assigned trunk IDs 1 and 2. Trunk IDs for LAGs formed with uplink VCPs
therefore have values of 3 or greater.
The trunk ID value changes if the link-adjacency state between LAG members changes; trunk
membership is then allocated or deallocated.

Status

Interface status: down or up.

Speed (mbps)

Speed of the interface in megabits per second.

Neighbor ID/Interface

The Virtual Chassis member ID and interface of a VCP on a member switch that is connected to the
interface or PIC/Port field in the same row as this interface.

show virtual-chassis
vc-port

user@switch> show virtual-chassis vc-port


fpc0:
-------------------------------------------------------------------------
Interface
Type
Trunk Status
Speed
Neighbor
or
ID
(mbps)
ID Interface
PIC / Port
vcp-0
Dedicated
1
Up
32000
1
vcp-1
vcp-1
Dedicated
2
Up
32000
0
vcp-0
1/0
Auto-Configured
3
Up
1000
2
vcp-255/1/0
1/0
Auto-Configured
3
Up
1000
2
vcp-255/1/1

show virtual-chassis vc-port all-members

user@switch> show virtual-chassis vc-port all-members

fpc0:
-------------------------------------------------------------------------
Interface     Type              Trunk  Status  Speed   Neighbor
or                              ID             (mbps)  ID  Interface
PIC / Port
vcp-0         Dedicated         1      Up      32000   1   vcp-1
vcp-1         Dedicated         2      Up      32000   0   vcp-0
1/0           Auto-Configured   3      Up      1000    2   vcp-255/1/0
1/1           Auto-Configured   3      Up      1000    2   vcp-255/1/1
fpc1:
-------------------------------------------------------------------------
Interface     Type              Trunk  Status  Speed   Neighbor
or                              ID             (mbps)  ID  Interface
PIC / Port
vcp-0         Dedicated         1      Up      32000   0   vcp-1
vcp-1         Dedicated         2      Up      32000   0   vcp-0
1/0           Auto-Configured   1      Up      1000    3   vcp-255/1/0
fpc2:
-------------------------------------------------------------------------
Interface     Type              Trunk  Status  Speed   Neighbor
or                              ID             (mbps)  ID  Interface
PIC / Port
vcp-0         Dedicated         1      Up      32000   3   vcp-1
vcp-1         Dedicated         2      Up      32000   3   vcp-0
1/0           Auto-Configured   3      Up      1000    0   vcp-255/1/0
1/1           Auto-Configured   3      Up      1000    0   vcp-255/1/1
fpc3:
-------------------------------------------------------------------------
Interface     Type              Trunk  Status  Speed   Neighbor
or                              ID             (mbps)  ID  Interface
PIC / Port
vcp-0         Dedicated         1      Up      32000   2   vcp-0
vcp-1         Dedicated         2      Up      32000   2   vcp-1
1/0           Auto-Configured   1      Up      1000    1   vcp-255/1/0
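The rule stated above for LAGs over uplink VCPs (same link speed on both ends, and at least two VCPs on one member connected to at least two VCPs on the other) can be checked mechanically against the output of show virtual-chassis vc-port all-members. The following Python script is an added example, not JUNOS code or part of this guide; the sample output it parses is constructed for the example (it is not captured from a switch), and the Trunk ID values in it are illustrative only. Member 0 and member 2 satisfy the rule, members 1 and 3 are joined by a single uplink VCP, and members 2 and 3 have two links at different speeds.

```python
"""Check the uplink-VCP LAG rule against `show virtual-chassis vc-port
all-members` output (added example, not JUNOS code)."""
import re
from collections import defaultdict

# Constructed sample output (not captured from a switch). Trunk ID values are
# illustrative; the check below looks only at type, status, speed and neighbor.
SAMPLE_OUTPUT = """\
fpc0:
-------------------------------------------------------------------------
Interface     Type              Trunk  Status  Speed   Neighbor
or                              ID             (mbps)  ID  Interface
PIC / Port
vcp-0         Dedicated         1      Up      32000   1   vcp-1
1/0           Auto-Configured   3      Up      1000    2   vcp-255/1/0
1/1           Auto-Configured   3      Up      1000    2   vcp-255/1/1
fpc1:
-------------------------------------------------------------------------
vcp-1         Dedicated         2      Up      32000   0   vcp-0
1/0           Auto-Configured   4      Up      1000    3   vcp-255/1/0
fpc2:
-------------------------------------------------------------------------
1/0           Auto-Configured   3      Up      1000    0   vcp-255/1/0
1/1           Auto-Configured   3      Up      1000    0   vcp-255/1/1
1/2           Auto-Configured   5      Up      1000    3   vcp-255/1/1
1/3           Auto-Configured   5      Up      10000   3   vcp-255/1/2
fpc3:
-------------------------------------------------------------------------
1/0           Auto-Configured   4      Up      1000    1   vcp-255/1/0
1/1           Auto-Configured   5      Up      1000    2   vcp-255/1/2
1/2           Auto-Configured   5      Up      10000   2   vcp-255/1/3
"""

FPC_RE = re.compile(r"^fpc(\d+):\s*$")
# Header and separator lines never match: Trunk ID, Speed and Neighbor ID are numeric.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<type>\S+)\s+(?P<trunk>\d+)\s+(?P<status>\S+)\s+"
    r"(?P<speed>\d+)\s+(?P<neighbor>\d+)\s+(?P<nbr_if>\S+)\s*$")


def parse_vc_ports(text):
    """Return {member_id: [row dict, ...]} for every fpcN: section."""
    ports = defaultdict(list)
    member = None
    for line in text.splitlines():
        fpc = FPC_RE.match(line)
        if fpc:
            member = int(fpc.group(1))
            continue
        row = ROW_RE.match(line)
        if row and member is not None:
            rec = row.groupdict()
            for key in ("trunk", "speed", "neighbor"):
                rec[key] = int(rec[key])
            ports[member].append(rec)
    return dict(ports)


def lag_report(ports):
    """For each (member, neighbor) pair joined by Up auto-configured uplink VCPs,
    report whether the LAG rule holds: one link speed, and at least two VCPs on
    each side. Dedicated VCPs are excluded; they are trunks 1 and 2 on their own."""
    pairs = defaultdict(list)
    for member, rows in ports.items():
        for rec in rows:
            if rec["type"] == "Auto-Configured" and rec["status"] == "Up":
                pairs[(member, rec["neighbor"])].append(rec)
    report = {}
    for (member, neighbor), rows in pairs.items():
        problems = []
        speeds = sorted({rec["speed"] for rec in rows})
        if len(speeds) > 1:
            problems.append("mixed link speeds %s" % speeds)
        if len(rows) < 2:
            problems.append("only %d uplink VCP on member %d" % (len(rows), member))
        if len(pairs.get((neighbor, member), [])) < 2:
            problems.append("fewer than 2 uplink VCPs on member %d" % neighbor)
        report[(member, neighbor)] = {
            "links": len(rows),
            "speeds": speeds,
            "trunk_ids": sorted({rec["trunk"] for rec in rows}),
            "lag_ok": not problems,
            "problems": problems,
        }
    return report


if __name__ == "__main__":
    for pair, info in sorted(lag_report(parse_vc_ports(SAMPLE_OUTPUT)).items()):
        state = "LAG" if info["lag_ok"] else "NO LAG: " + "; ".join(info["problems"])
        print("member %d -> member %d: %d link(s), %s" % (pair[0], pair[1], info["links"], state))
```

Run against real output, the report tells you which member pairs will carry a trunk and which will fall back to a single link, without waiting for a trunk ID to appear or change.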

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

show virtual-chassis vc-port statistics

Syntax
show virtual-chassis vc-port statistics
<all-members>
<brief | detail | extensive>
<interface-name>
<local>
<member member-id>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.
The options all-members, brief, detail, extensive, and local were added in JUNOS
Release 9.3 for EX Series switches.

Description
Display the traffic statistics collected on Virtual Chassis ports (VCPs).

Options
none: Display traffic statistics for the VCPs of all members of a Virtual Chassis
configuration.

brief | detail | extensive: (Optional) Display the specified level of output. Using the
brief option is equivalent to entering the command with no options (the default).
The detail and extensive options provide identical displays.

all-members: (Optional) Display traffic statistics for the VCPs of all members of a
Virtual Chassis configuration.

interface-name: (Optional) Name of the VCP interface for which to display traffic
statistics. Specify either vcp-0 or vcp-1 or an internal port in the VCP
subsystem, for example, internal-0/24.

local: (Optional) Display VCP traffic statistics for only the switch on which this
command is entered.

member member-id: (Optional) Display VCP traffic statistics for only the specified
member of a Virtual Chassis configuration.

Required Privilege Level
view

Related Topics
clear virtual-chassis vc-port statistics
show virtual-chassis vc-port
Monitoring Virtual Chassis Configuration Status and Statistics on page 291

List of Sample Output
show virtual-chassis vc-port statistics on page 333
show virtual-chassis vc-port statistics brief on page 333
show virtual-chassis vc-port statistics extensive on page 333
show virtual-chassis vc-port statistics member 0 on page 334

Output Fields
Table 53 on page 331 lists the output fields for the show virtual-chassis vc-port statistics
command. Output fields are listed in the approximate order in which they appear.

Table 53: show virtual-chassis vc-port statistics Output Fields

Each entry gives the field name, the field description, and the level of output at
which the field appears.

fpc number
  ID of the Virtual Chassis member. The FPC number is the same as the member ID.
  Level of output: All levels

Interface
  VCP interface name. Unlike network interface names, a VCP interface does not
  include a slot number (member ID). The dedicated VCPs are vcp-0 and vcp-1.
  Ports internal to the VCP subsystem have names corresponding to the PIC and
  port number. For example, 0/24 indicates internal onboard port 24, and 1/26
  indicates internal uplink module port 26.
  Level of output: brief

Input Octets/Packets
  Total number of octets and packets received on the VCP interface.
  Level of output: brief, member, none

Output Octets/Packets
  Total number of octets and packets transmitted on the VCP interface.
  Level of output: brief, member, none

master: number
  Member ID of the Virtual Chassis master.
  Level of output: All levels

Port
  VCP for which RX (Receive) statistics, TX (Transmit) statistics, or both are
  reported by the VCP subsystem during a sampling interval (since the statistics
  counter was last cleared).
  Level of output: detail, extensive

Total octets
  Total number of octets received and transmitted on the VCP interface.
  Level of output: detail, extensive

Total packets
  Total number of packets received and transmitted on the VCP interface.
  Level of output: detail, extensive

Unicast packets
  Number of unicast packets received and transmitted on the VCP interface.
  Level of output: detail, extensive

Broadcast packets
  Number of broadcast packets received and transmitted on the VCP interface.
  Level of output: detail, extensive

Multicast packets
  Number of multicast packets received and transmitted on the VCP interface.
  Level of output: detail, extensive

MAC control frames
  Number of media access control (MAC) control frames received and transmitted
  on the VCP interface.
  Level of output: detail, extensive

CRC alignment errors
  Number of packets received on the VCP interface that had a length (excluding
  framing bits, but including frame check sequence (FCS) octets) of between 64
  and 1518 octets, inclusive, and had one of the following errors:
  Invalid FCS with an integral number of octets (FCS error)
  Invalid FCS with a nonintegral number of octets (alignment error)
  Level of output: detail, extensive

Oversize packets
  Number of packets received on the VCP interface that were longer than
  1518 octets (excluding framing bits, but including FCS octets) but were
  otherwise well formed.
  Level of output: detail, extensive

Undersize packets
  Number of packets received on the VCP interface that were shorter than
  64 octets (excluding framing bits, but including FCS octets) and were otherwise
  well formed.
  Level of output: detail, extensive

Jabber packets
  Number of packets received on the VCP interface that were longer than
  1518 octets (excluding framing bits, but including FCS octets) and that had
  either an FCS error or an alignment error.
  NOTE: This definition of jabber is different from the definition in IEEE-802.3
  section 8.2.1.5 (10Base5) and section 10.3.1.4 (10Base2). These documents
  define jabber as the condition in which any packet exceeds 20 ms. The allowed
  range to detect jabber is between 20 ms and 150 ms.
  Level of output: detail, extensive

Fragments received
  Number of packets received on the VCP interface that were shorter than
  64 octets (excluding framing bits, but including FCS octets), and had either an
  FCS error or an alignment error. Fragment frames normally increment because
  both runts (which are normal occurrences caused by collisions) and noise hits
  are counted.
  Level of output: detail, extensive

Ifout errors
  Number of outbound packets received on the VCP interface that could not be
  transmitted because of errors.
  Level of output: detail, extensive

Packet drop events
  Number of outbound packets received on the VCP interface that were dropped,
  rather than being encapsulated and sent out of the switch as fragments. The
  packet drop counter is incremented if a temporary shortage of packet memory
  causes packet fragmentation to fail.
  Level of output: detail, extensive

64 octets frames
  Number of packets received on the VCP interface (including invalid packets)
  that were 64 octets in length (excluding framing bits, but including FCS octets).
  Level of output: detail, extensive

65-127 octets frames
  Number of packets received on the VCP interface (including invalid packets)
  that were between 65 and 127 octets in length, inclusive (excluding framing
  bits, but including FCS octets).
  Level of output: detail, extensive

128-255 octets frames
  Number of packets received on the VCP interface (including invalid packets)
  that were between 128 and 255 octets in length, inclusive (excluding framing
  bits, but including FCS octets).
  Level of output: detail, extensive

256-511 octets frames
  Number of packets received on the VCP interface (including invalid packets)
  that were between 256 and 511 octets in length, inclusive (excluding framing
  bits, but including FCS octets).
  Level of output: detail, extensive

512-1023 octets frames
  Number of packets received on the VCP interface (including invalid packets)
  that were between 512 and 1023 octets in length, inclusive (excluding framing
  bits, but including FCS octets).
  Level of output: detail, extensive

1024-1518 octets frames
  Number of packets received on the VCP interface (including invalid packets)
  that were between 1024 and 1518 octets in length, inclusive (excluding framing
  bits, but including FCS octets).
  Level of output: detail, extensive

Rate packets per second
  Number of packets per second received and transmitted on the VCP interface.
  Level of output: detail, extensive

Rate bytes per second
  Number of bytes per second received and transmitted on the VCP interface.
  Level of output: detail, extensive

show virtual-chassis vc-port statistics

user@SWA-0> show virtual-chassis vc-port statistics

fpc0:
-------------------------------------------------------------------------
Interface         Input Octets/Packets    Output Octets/Packets
internal-0/24     0 / 0                   0 / 0
internal-0/25     0 / 0                   0 / 0
internal-1/26     0 / 0                   0 / 0
internal-1/27     0 / 0                   0 / 0
vcp-0             0 / 0                   0 / 0
vcp-1             0 / 0                   0 / 0
internal-0/26     0 / 0                   0 / 0
internal-0/27     0 / 0                   0 / 0
internal-1/24     0 / 0                   0 / 0
internal-1/25     0 / 0                   0 / 0
{master:0}

show virtual-chassis vc-port statistics brief

user@SWA-0> show virtual-chassis vc-port statistics brief

fpc0:
-------------------------------------------------------------------------
Interface         Input Octets/Packets    Output Octets/Packets
internal-0/24     0 / 0                   0 / 0
internal-0/25     0 / 0                   0 / 0
internal-1/26     0 / 0                   0 / 0
internal-1/27     0 / 0                   0 / 0
vcp-0             0 / 0                   0 / 0
vcp-1             0 / 0                   0 / 0
internal-0/26     0 / 0                   0 / 0
internal-0/27     0 / 0                   0 / 0
internal-1/24     0 / 0                   0 / 0
internal-1/25     0 / 0                   0 / 0
{master:0}

show virtual-chassis vc-port statistics extensive

user@SWA-0> show virtual-chassis vc-port statistics extensive

fpc0:
--------------------------------------------------------------------------

Port: internal-0/24
                                 RX          TX
Total octets:                     0           0
Total packets:                    0           0
Unicast packets:                  0           0
Broadcast packets:                0           0
Multicast packets:                0           0
MAC control frames:               0           0
CRC alignment errors:             0
Oversize packets:                 0
Undersize packets:                0
Jabber packets:                   0
Fragments received:               0
Ifout errors:                     0
Packet drop events:               0
64 octets frames:                 0
65-127 octets frames:             0
128-255 octets frames:            0
256-511 octets frames:            0
512-1023 octets frames:           0
1024-1518 octets frames:          0
Rate packets per second:          0
Rate bytes per second:            0

Port: vcp-0
                                 RX          TX
Total octets:                     0           0
Total packets:                    0           0
Unicast packets:                  0           0
Broadcast packets:                0           0
Multicast packets:                0           0
MAC control frames:               0           0
CRC alignment errors:             0
Oversize packets:                 0
Undersize packets:                0
Jabber packets:                   0
Fragments received:               0
Ifout errors:                     0
Packet drop events:               0
64 octets frames:                 0
65-127 octets frames:             0
128-255 octets frames:            0
256-511 octets frames:            0
512-1023 octets frames:           0
1024-1518 octets frames:          0
Rate packets per second:          0
Rate bytes per second:            0

Port: vcp-1
                                 RX          TX
Total octets:                     0           0
Total packets:                    0           0
Unicast packets:                  0           0
Broadcast packets:                0           0
Multicast packets:                0           0
MAC control frames:               0           0
CRC alignment errors:             0
Oversize packets:                 0
Undersize packets:                0
Jabber packets:                   0
Fragments received:               0
Ifout errors:                     0
Packet drop events:               0
64 octets frames:                 0
65-127 octets frames:             0
128-255 octets frames:            0
256-511 octets frames:            0
512-1023 octets frames:           0
1024-1518 octets frames:          0
Rate packets per second:          0
Rate bytes per second:            0

...
{master:0}
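The extensive output is the place to look when a Virtual Chassis link is suspected of corrupting traffic: the error counters in Table 53 (CRC alignment errors, jabber, fragments, undersize and oversize packets, Ifout errors and packet drop events) are zero on a healthy VCP. The script below is an added example, not JUNOS code or part of this guide; it parses the per-port RX/TX layout shown above and lists the ports whose error counters exceed a threshold. The output it parses is constructed for the example (not captured from a switch): vcp-0 shows errors, vcp-1 is clean.

```python
"""Flag VCPs with non-zero error counters in `show virtual-chassis vc-port
statistics extensive` output (added example, not JUNOS code)."""
import re

# Constructed sample (not captured from a switch): vcp-0 shows CRC, jabber and
# fragment errors, vcp-1 is clean. Only the first six counters have a TX column.
SAMPLE_OUTPUT = """\
fpc0:
--------------------------------------------------------------------------

Port: vcp-0
                                 RX          TX
Total octets:               9123456     8123456
Total packets:                12345       11987
Unicast packets:              12000       11800
Broadcast packets:              300         150
Multicast packets:               45          37
MAC control frames:               0           0
CRC alignment errors:            17
Oversize packets:                 0
Undersize packets:                0
Jabber packets:                   2
Fragments received:               5
Ifout errors:                     0
Packet drop events:               0
64 octets frames:              3000
65-127 octets frames:          4000
128-255 octets frames:         2000
256-511 octets frames:         1500
512-1023 octets frames:         900
1024-1518 octets frames:        945
Rate packets per second:         10
Rate bytes per second:         1500

Port: vcp-1
                                 RX          TX
Total octets:                  4096        4096
Total packets:                   32          32
Unicast packets:                 32          32
Broadcast packets:                0           0
Multicast packets:                0           0
MAC control frames:               0           0
CRC alignment errors:             0
Oversize packets:                 0
Undersize packets:                0
Jabber packets:                   0
Fragments received:               0
Ifout errors:                     0
Packet drop events:               0
64 octets frames:                 0
65-127 octets frames:            32
128-255 octets frames:            0
256-511 octets frames:            0
512-1023 octets frames:           0
1024-1518 octets frames:          0
Rate packets per second:          0
Rate bytes per second:            0
{master:0}
"""

# Counters from Table 53 that count malformed frames, transmit failures or drops.
ERROR_COUNTERS = ("CRC alignment errors", "Oversize packets", "Undersize packets",
                  "Jabber packets", "Fragments received", "Ifout errors",
                  "Packet drop events")

PORT_RE = re.compile(r"^Port:\s+(\S+)\s*$")
# A counter line is "<name>: <rx> [<tx>]"; the fpcN:, separator, RX/TX header
# and {master:n} lines do not match because no digits follow a colon.
COUNTER_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9 \-]*?):\s+(?P<rx>\d+)(?:\s+(?P<tx>\d+))?\s*$")


def parse_vcp_statistics(text):
    """Return {port: {counter name: (rx, tx)}}; tx is None for RX-only counters."""
    stats, port = {}, None
    for line in text.splitlines():
        head = PORT_RE.match(line)
        if head:
            port = head.group(1)
            stats[port] = {}
            continue
        hit = COUNTER_RE.match(line)
        if hit and port is not None:
            tx = int(hit.group("tx")) if hit.group("tx") is not None else None
            stats[port][hit.group("name")] = (int(hit.group("rx")), tx)
    return stats


def flag_errors(stats, threshold=0):
    """Return [(port, counter, rx value)] for error counters above threshold.
    Counters are cumulative since the last clear virtual-chassis vc-port statistics,
    so compare successive polls to see whether errors are still accruing."""
    return [(port, name, counters[name][0])
            for port, counters in stats.items()
            for name in ERROR_COUNTERS
            if name in counters and counters[name][0] > threshold]
```

A non-zero threshold is useful when a port has a known historical count that was never cleared; polling twice and comparing the parsed dictionaries shows whether the errors are current.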

show virtual-chassis vc-port statistics member 0

user@SWA-0> show virtual-chassis vc-port statistics member 0

fpc0:
-------------------------------------------------------------------------
Interface         Input Octets/Packets    Output Octets/Packets
internal-0/24     0 / 0                   0 / 0
internal-0/25     0 / 0                   0 / 0
internal-1/26     0 / 0                   0 / 0
internal-1/27     0 / 0                   0 / 0
vcp-0             0 / 0                   0 / 0
vcp-1             0 / 0                   0 / 0
internal-0/26     0 / 0                   0 / 0
internal-0/27     0 / 0                   0 / 0
internal-1/24     0 / 0                   0 / 0
internal-1/25     0 / 0                   0 / 0
{master:0}


Part 7

Interfaces

Understanding Interfaces on page 339

Examples of Configuring Interfaces on page 351

Configuring Interfaces on page 377

Verifying Interfaces on page 395

Troubleshooting Interfaces on page 403

Configuration Statements for Interfaces on page 413

Operational Mode Commands for Interfaces on page 441


Chapter 21

Understanding Interfaces

EX Series Switches Interfaces Overview on page 339

Understanding Interface Naming Conventions on EX Series Switches on page 341

Understanding Aggregated Ethernet Interfaces and LACP on page 343

Understanding Layer 3 Subinterfaces on page 345

Understanding Unicast RPF for EX Series Switches on page 346

EX Series Switches Interfaces Overview


Juniper Networks EX Series Ethernet Switches have two types of interfaces: network
interfaces and special interfaces. This topic provides brief information on these
interfaces. For additional information, see the JUNOS Software Network Interfaces
Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html.

Network Interfaces on page 339

Special Interfaces on page 340

Network Interfaces
Network interfaces connect to the network and carry network traffic. EX Series
switches support the following types of network interfaces:

LAN access interfaces: Use these EX Series ports to connect a personal computer,
laptop, file server, or printer to the network. When you power on an EX Series
switch and use the factory-default configuration, the software automatically
configures interfaces in access mode for each of the network ports. The default
configuration also enables autonegotiation for both speed and link mode.

Trunk interfaces: EX Series access switches can be connected to a distribution
switch or customer edge (CE) router. To use a port for this type of connection,
you must explicitly configure the port interface for trunk mode. The interfaces
from the distribution switch to the access switches must also be configured for
trunk mode.

Power over Ethernet (PoE) interfaces: Juniper Networks EX3200 and EX4200
Ethernet Switches provide PoE network ports with the various switch models
providing either 8, 24, or 48 PoE ports. These ports can be used to connect voice
over IP (VoIP) telephones, wireless access points, video cameras, and point-of-sale
devices to safely receive power from the same access ports that are used to
connect personal computers to the network. PoE interfaces are enabled by default
in the factory configuration.

Aggregated Ethernet interfaces: All EX Series switches allow you to group
Ethernet interfaces at the physical layer to form a single link layer interface, also
known as a link aggregation group (LAG) or bundle. These aggregated Ethernet
interfaces help to balance traffic and increase the uplink bandwidth.

Special Interfaces
Special interfaces include:

Virtual Chassis port (VCP) interfaces: Each Juniper Networks EX4200 Ethernet
Switch has two dedicated Virtual Chassis ports (VCPs) on its rear panel. These
ports can be used to interconnect two to ten EX4200 Ethernet switches as a
Virtual Chassis, which functions as a single network entity. See Understanding
the High-Speed Interconnection of the Virtual Chassis Members on page 188.
When you power on EX Series switches that are interconnected in this manner,
the software automatically configures the VCP interfaces for the dedicated ports
that have been interconnected. These VCP interfaces are not configurable or
modifiable. You can also interconnect EX4200 Switches across distances of up
to 25 miles (40 km) by using the SFP, SFP+, or XFP uplink module ports. To do
so, you must explicitly set the uplink module ports on the members you want
to connect as VCPs. See Setting an Uplink Module Port as a Virtual Chassis Port
(CLI Procedure) on page 276. When you set the uplink module ports as uplink
VCPs and connect member switches through those uplink VCPs, a LAG is
automatically formed when the link speed is the same on connected VCPs and
at least two VCPs on one member are connected to at least two VCPs on another
member. See Understanding Virtual Chassis Configurations and Link
Aggregation on page 188.

Management interface: The Juniper Networks JUNOS Software for EX Series
switches automatically creates the switch's management Ethernet interface,
me0. The management Ethernet interface provides an out-of-band method for
connecting to the switch. To use me0 as a management port, you must configure
its logical port, me0.0, with a valid IP address. You can connect to the
management interface over the network using utilities such as SSH or Telnet.
SNMP can use the management interface to gather statistics from the switch.
(The management interface me0 is analogous to the fxp0 interfaces on routers
running JUNOS Software.)

Virtual management Ethernet (VME) interface: EX4200 switches have a VME
interface. This is a logical interface that is used for Virtual Chassis configurations
and allows you to manage all the members of the Virtual Chassis through the
master. For more information on the VME interface, see Understanding Global
Management of a Virtual Chassis Configuration on page 185.

Console port: Each EX Series switch has a serial port, labeled CON or CONSOLE,
for connecting tty-type terminals to the switch using standard PC-type tty cables.
The console port does not have a physical address or IP address associated with
it. However, it is an interface in the sense that it provides access to the switch.
On EX4200 switches that are configured as a Virtual Chassis, you can access the
master and configure all members of the Virtual Chassis through any member's
console port. For more information on the console port in a Virtual Chassis, see
Understanding Global Management of a Virtual Chassis Configuration on page
185.

Loopback: All EX Series switches have this software-only virtual interface that
is always up. The loopback interface provides a stable and consistent interface
and IP address on the switch.

Related Topics

EX3200 and EX4200 Switches Hardware Overview on page 24

EX8208 Switch Hardware Overview on page 27

EX8216 Switch Hardware Overview on page 31

PoE and EX Series Switches Overview on page 1467

Understanding Interface Naming Conventions on EX Series Switches on page 341

Understanding Aggregated Ethernet Interfaces and LACP on page 343

Understanding Layer 3 Subinterfaces on page 345

Understanding Interface Naming Conventions on EX Series Switches


Juniper Networks EX Series Ethernet Switches use a naming convention for defining
the interfaces that is similar to that of other platforms running under Juniper Networks
JUNOS Software. This topic provides brief information on the naming conventions
used for interfaces on EX Series switches. For additional information, see the JUNOS
Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos94/index.html.

Physical Part of an Interface Name on page 341

Logical Part of an Interface Name on page 342

Wildcard Characters in Interface Names on page 343

Physical Part of an Interface Name

Interfaces in JUNOS Software are specified as follows:
type-fpc/pic/port
EX Series switches apply this convention as follows:

type: EX Series interfaces use the following media types:

ge: Gigabit Ethernet interface

xe: 10 Gigabit Ethernet interface

fe: Fast Ethernet interface

fpc: EX Series interfaces use the following convention for the FPC portion of
interface names:

On Juniper Networks EX3200 Ethernet Switches and standalone Juniper
Networks EX4200 Ethernet Switches (not configured in a Virtual Chassis),
the FPC number portion is always 0.

On EX4200 switches configured in a Virtual Chassis, the FPC number
indicates the member number of the switch within the Virtual Chassis, from
0 through 9.

On Juniper Networks EX8200 Ethernet Switches, the FPC number indicates
the slot number of the line card that contains the physical interface.

pic: EX Series interfaces use the following convention for the PIC (Physical
Interface Card) number portion of interface names:

On EX3200 and EX4200 switches, the PIC number is 0 for all built-in
interfaces (interfaces that are not on an uplink module).

On uplink modules in EX3200 and EX4200 switches, the PIC number is 1.

On EX8200 switches, the PIC number is always 0.

port: EX Series interfaces use the following convention for port numbers:

On EX3200 and EX4200 switches, built-in network ports are numbered from
left to right. On models that have two rows of ports, the ports on the top
row start with 0 followed by the remaining even-numbered ports, and the
ports on the bottom row start with 1 followed by the remaining
odd-numbered ports.

On uplink modules in EX3200 and EX4200 switches, ports are labeled from
left to right starting with 0. Uplink modules provide either 2 or 4 ports.

On EX8200 switches, the network ports are numbered from left to right on
each line card. On line cards that have two rows of ports, the ports on the
top row start with 0 followed by the remaining even-numbered ports, and
the ports on the bottom row start with 1 followed by the remaining
odd-numbered ports.

Logical Part of an Interface Name

The logical unit part of the interface name corresponds to the logical unit number,
which can be a number from 0 through 16384. In the virtual part of the name, a
period (.) separates the port and logical unit numbers: type-fpc/pic/port.logical. For
example, if you issue the show ethernet-switching interfaces command on a system
with a default VLAN, the resulting display shows the logical interfaces associated
with the VLAN:

Interface      State   VLAN members      Blocking
ge-0/0/0.0     down    remote-analyzer   unblocked
ge-0/0/1.0     down    default           unblocked
ge-0/0/10.0    down    default           unblocked

When you configure aggregated Ethernet interfaces, you configure a logical interface
that is called a bundle or a LAG. Each LAG can include up to eight Ethernet interfaces.


Wildcard Characters in Interface Names


In the show interfaces and clear interfaces commands, you can use wildcard characters
in the interface-name option to specify groups of interface names without having to
type each name individually. You must enclose all wildcard characters except the
asterisk (*) in quotation marks (" ").
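The naming rules above (media type, then FPC, PIC and port, with an optional logical unit of 0 through 16384) are easy to get wrong in scripts that build firewall filters or audit interface lists, so it pays to validate names before using them. The following Python module is an added example, not JUNOS code or part of this guide. The platform argument and the location strings it returns are this example's own way of expressing where the conventions differ between EX3200, EX4200 Virtual Chassis and EX8200 switches; the wildcard matching assumes the shell-style semantics that Python's fnmatch implements (*, ?, and [...] character classes), which is an assumption about how JUNOS interprets the wildcards rather than something this page states.

```python
"""Parse and validate EX Series interface names of the form type-fpc/pic/port.unit
following the conventions described above (added example, not JUNOS code)."""
import re
from fnmatch import fnmatchcase

MEDIA_TYPES = {"ge": "Gigabit Ethernet", "xe": "10 Gigabit Ethernet", "fe": "Fast Ethernet"}
MAX_UNIT = 16384  # logical unit numbers run from 0 through 16384

NAME_RE = re.compile(
    r"^(?P<type>[a-z]{2})-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$")


def parse_interface_name(name, platform="ex4200-vc"):
    """Split a name into its parts and apply the platform's numbering rules.
    platform is "ex3200" (FPC always 0), "ex4200-vc" (FPC is the member number,
    0 through 9) or "ex8200" (FPC is the line card slot, PIC always 0). The
    platform keyword and the "location" string are this example's own additions."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not a type-fpc/pic/port[.unit] name: %r" % name)
    parts = {k: (int(v) if v is not None and k != "type" else v)
             for k, v in m.groupdict().items()}
    if parts["type"] not in MEDIA_TYPES:
        raise ValueError("unknown media type %r" % parts["type"])
    if parts["unit"] is not None and parts["unit"] > MAX_UNIT:
        raise ValueError("logical unit %d exceeds %d" % (parts["unit"], MAX_UNIT))
    fpc, pic, port = parts["fpc"], parts["pic"], parts["port"]
    if platform == "ex3200" and fpc != 0:
        raise ValueError("FPC is always 0 on EX3200 and standalone EX4200 switches")
    if platform == "ex4200-vc" and not 0 <= fpc <= 9:
        raise ValueError("Virtual Chassis member number must be 0 through 9")
    if platform == "ex8200":
        if pic != 0:
            raise ValueError("PIC is always 0 on EX8200 switches")
        parts["location"] = "line card slot %d, port %d" % (fpc, port)
    else:
        if pic not in (0, 1):
            raise ValueError("PIC must be 0 (built-in) or 1 (uplink module)")
        where = "uplink module port" if pic == 1 else "built-in port"
        parts["location"] = "fpc %d, %s %d" % (fpc, where, port)
    parts["media"] = MEDIA_TYPES[parts["type"]]
    return parts


def match_interfaces(pattern, names):
    """Expand a wildcard pattern such as ge-0/0/* against a list of names.
    Assumption: shell-style matching (*, ?, [...]) as fnmatch implements it."""
    return sorted(n for n in names if fnmatchcase(n, pattern))
```

Rejecting a name early, rather than letting a mis-typed FPC or unit number silently match nothing, is the point: a filter applied to ge-0/0/1 when ge-0/1/1 was intended leaves the real interface unprotected without any error.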
Related Topics

EX Series Switches Interfaces Overview on page 339

Front Panel of an EX3200 Switch

Front Panel of an EX4200 Switch

Slot Numbering for an EX8208 Switch

Understanding Aggregated Ethernet Interfaces and LACP


IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form a
single link layer interface, also known as a link aggregation group (LAG) or bundle.
Aggregating multiple links between physical interfaces creates a single logical
point-to-point trunk link or a LAG. The LAG balances traffic across the member links
within an aggregated Ethernet bundle and effectively increases the uplink bandwidth.
Another advantage of link aggregation is increased availability, because the LAG is
composed of multiple member links. If one member link fails, the LAG continues to
carry traffic over the remaining links.

Link Aggregation Group (LAG) on page 343

Link Aggregation Control Protocol (LACP) on page 344

Link Aggregation Group (LAG)


You configure a LAG by specifying the link number as a physical device and then
associating a set of ports with the link. All the ports must have the same speed and
be in full-duplex mode. Juniper Networks JUNOS Software for EX Series Ethernet
Switches assigns a unique ID and port priority to each port. The ID and priority are
not configurable. When configuring LAGs, consider the following guidelines:

Up to 8 Ethernet interfaces can be added to a LAG.

Up to 64 LAGs are supported in a Virtual Chassis configuration.

Up to 127 LAGs are supported on Juniper Networks EX8200 Ethernet Switches.

The LAG must be configured on both sides of the link.

The interfaces on either side of the link must be set to the same speed.

You can configure and apply firewall filters on a LAG.

In a Virtual Chassis you can configure settings and connections so that LAGs are
formed over uplink Virtual Chassis ports (VCPs). See Understanding Virtual Chassis
Configurations and Link Aggregation on page 188.


NOTE: The interfaces that are included within a bundle or LAG are sometimes referred
to as member interfaces. Do not confuse this term with member switches, which refers
to Juniper Networks EX4200 Ethernet Switches that are interconnected as a Virtual
Chassis. It is possible to create a LAG that is composed of member interfaces that
are located in different member switches of a Virtual Chassis.
A LAG creates a single logical point-to-point connection. A typical deployment for a
LAG would be to aggregate trunk links between an access switch and a distribution
switch or customer edge (CE) router.
If you connect more than one uplink VCP of two member switches and those VCPs
are running at the same link speed, a single, logical trunk link forms automatically.
See Understanding Virtual Chassis Configurations and Link Aggregation on page
188.

Link Aggregation Control Protocol (LACP)


LACP, a subcomponent of IEEE 802.3ad, provides additional functionality for LAGs.
When LACP is configured, it detects misconfigurations on the local end or the remote
end of the link.
About enabling LACP:

When LACP is not enabled, a local LAG might attempt to transmit packets to a
remote single interface, which causes the communication to fail.

When LACP is enabled, a local LAG cannot transmit packets unless a LAG with
LACP is also configured on the remote end of the link.

By default, Ethernet links do not exchange protocol data units (PDUs), which contain
information about the state of the link. You can configure Ethernet links to actively
transmit PDUs, or you can configure the links to passively transmit them, sending
out LACP PDUs only when they receive them from another link. The transmitting
link is known as the actor and the receiving link is known as the partner.
Related Topics

Understanding Virtual Chassis Configurations and Link Aggregation on page 188

Understanding Redundant Trunk Links on EX Series Switches on page 473

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html

Understanding Layer 3 Subinterfaces


A Layer 3 subinterface is a logical division of a physical interface that operates at the
network level and therefore can receive and forward 802.1Q VLAN tags. You can
use Layer 3 subinterfaces to route traffic among multiple VLANs along a single trunk
line that connects a Juniper Networks EX Series Ethernet Switch to a Layer 2 switch.
Only one physical connection is required between the switches. This topology is
often called a "router on a stick" or a "one-armed router" when the Layer 3 device
is a router.
To create Layer 3 subinterfaces on an EX Series switch, you enable VLAN tagging,
partition the physical interface into logical partitions, and bind the VLAN ID to the
logical interface.
You can partition one physical interface into up to 4094 different subinterfaces, one
for each VLAN. We recommend that you use the VLAN ID as the subinterface number
when you configure the subinterface. Juniper Networks JUNOS Software reserves
VLAN IDs 0 and 4095.
VLAN tagging places the VLAN ID in the frame header, allowing each physical interface
to handle multiple VLANs. When you configure multiple VLANs on an interface, you
must also enable tagging on that interface. The JUNOS Software on EX Series switches
supports a subset of the 802.1Q standard for receiving and forwarding routed or
bridged Ethernet frames with single VLAN tags and running Virtual Router Redundancy
Protocol (VRRP) over 802.1Q-tagged interfaces. Double-tagging is not supported.
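The paragraph above says that VLAN tagging places the VLAN ID in the frame header and that double-tagging is not supported. The Python snippet below is an added example, not JUNOS code or part of this guide; it builds a single-tagged Ethernet frame from constructed bytes, decodes the 802.1Q tag control information, rejects untagged, double-tagged and reserved-VID frames, and maps the frame to a subinterface whose unit number equals the VLAN ID, the convention the text recommends. The function names, the sample MAC addresses and the set of configured units are this example's own.

```python
"""Decode the 802.1Q tag that VLAN tagging places in the frame header and map the
frame to a Layer 3 subinterface (added example, not JUNOS code)."""
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service tag used for double tagging; not supported on EX Series
RESERVED_VIDS = {0, 4095}  # reserved by JUNOS Software


def build_tagged_frame(dst, src, vid, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19, pcp=0):
    """Constructed sample frame: destination and source MACs, one 802.1Q tag
    (TPID, then TCI = PCP:3 | DEI:1 | VID:12), the inner ethertype, payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def decode_vlan_tag(frame):
    """Return (vid, pcp, inner ethertype, payload) for a single-tagged frame.
    Raises ValueError for untagged, double-tagged or reserved-VID frames."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry a VLAN tag")
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid not in (TPID_8021Q, TPID_8021AD):
        raise ValueError("untagged frame (ethertype 0x%04x)" % tpid)
    tci, inner = struct.unpack("!HH", frame[14:18])
    if inner in (TPID_8021Q, TPID_8021AD):
        raise ValueError("double-tagged frame is not supported")
    vid, pcp = tci & 0x0FFF, tci >> 13
    if vid in RESERVED_VIDS:
        raise ValueError("VLAN ID %d is reserved" % vid)
    return vid, pcp, inner, frame[18:]


def subinterface_for_frame(ifname, frame, configured_units):
    """Map a tagged frame to ifname.unit, with the unit number equal to the VLAN ID.
    Returns None when the VLAN is not bound to any subinterface on this trunk."""
    vid = decode_vlan_tag(frame)[0]
    if vid not in configured_units:
        return None
    return "%s.%d" % (ifname, vid)


if __name__ == "__main__":
    dst, src = bytes.fromhex("00005e005301"), bytes.fromhex("00005e005302")  # constructed
    frame = build_tagged_frame(dst, src, 100, pcp=3)
    print(decode_vlan_tag(frame)[:3])                          # (100, 3, 2048)
    print(subinterface_for_frame("ge-0/0/1", frame, {100, 200}))  # ge-0/0/1.100
```

Treating a double tag as an error rather than silently reading the outer VID is the safe choice for a device that does not implement Q-in-Q: a frame whose inner tag is never examined could otherwise be assigned to a VLAN chosen by the outer tag alone.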
Related Topics

EX Series Switches Interfaces Overview on page 339

Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an
Access Switch on page 363

JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

Understanding Unicast RPF for EX Series Switches


Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service
(DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source
address of each packet that arrives on an ingress interface where unicast RPF is
enabled. It also helps ensure that traffic arriving on ingress interfaces comes from a
network source that the receiving interface can reach.
When you enable unicast RPF, the switch forwards a packet only if the receiving
interface is the best return path to the packet's unicast source address. This is known
as strict mode unicast RPF. The switch applies unicast RPF globally to all interfaces.
Therefore, you should enable unicast RPF only on switches with all symmetrically
routed interfaces. (A symmetrically routed interface is an interface that uses the same
route in both directions between the source and the destination.)
This topic covers:

Unicast RPF for EX Series Switches Overview on page 346

Unicast RPF Implementation for EX Series Switches on page 347

When to Enable Unicast RPF on page 348

When Not to Enable Unicast RPF on page 349

ECMP Traffic Handling with Unicast RPF Enabled on page 350

Unicast RPF for EX Series Switches Overview

Unicast RPF functions as an ingress filter that reduces the forwarding of IP packets
that might be spoofing an address. By default, unicast RPF is disabled on the switch
interfaces.

Strict mode unicast RPF is especially useful on untrusted interfaces. An untrusted
interface is an interface where untrusted users or processes can place packets on
the network segment.

The switch supports only the active paths method of determining the best return
path back to a unicast source address. The active paths method looks up the best
reverse path entry in the forwarding table. It does not consider alternate routes
specified using routing-protocol-specific methods when determining the best return
path.

If the forwarding table lists the receiving interface as the interface to use to forward
the packet back to its unicast source, it is the best return path interface. Strict mode
unicast RPF recognizes only one best return path to a unicast source address.

Use strict mode unicast RPF only on switches with all symmetrically routed interfaces.
(For information about symmetrically routed interfaces, see When to Enable Unicast
RPF on page 348.)

For more information about strict unicast RPF, see RFC 3704, Ingress Filtering for
Multihomed Networks, at http://www.ietf.org/rfc/rfc3704.txt.

Unicast RPF Implementation for EX Series Switches

- Global Unicast RPF Implementation on page 347
- Unicast RPF Packet Filtering on page 347
- Bootstrap Protocol (BOOTP) and DHCP Requests on page 347
- Default Route Handling on page 347

Global Unicast RPF Implementation

The switch implements unicast RPF on a global basis. Unicast RPF is globally disabled
by default. You cannot enable unicast RPF on a per-interface basis.

- When you enable unicast RPF on any interface, it is automatically enabled on
  all switch interfaces, including link aggregation groups (LAGs) and routed VLAN
  interfaces (RVIs).
- When you disable unicast RPF on the interface (or interfaces) on which you
  enabled unicast RPF, it is automatically disabled on all switch interfaces.

NOTE: You must explicitly disable unicast RPF on every interface on which it was
explicitly enabled; otherwise, unicast RPF remains enabled on all switch interfaces.

Unicast RPF Packet Filtering

When you enable unicast RPF on the switch, the switch handles traffic in the following
manner:

- If the switch receives a packet on the interface that is the best return path to the
  unicast source address of that packet, the switch forwards the packet.
- If the best return path from the switch to the packet's unicast source address is
  not the receiving interface, the switch discards the packet.
- If the switch receives a packet that has a source IP address that does not have
  a routing entry in the forwarding table, the switch discards the packet.

Bootstrap Protocol (BOOTP) and DHCP Requests

Bootstrap Protocol (BOOTP) and DHCP request packets are sent with a broadcast MAC
address, and therefore the switch does not perform unicast RPF checks on them. The
switch forwards all BOOTP packets and DHCP request packets without performing
unicast RPF checks.

Default Route Handling

If the best return path to the source is the default route (0.0.0.0) and the default route
points to reject, the switch discards all unicast RPF packets. If the default route
points to a valid network interface, the switch performs a normal unicast RPF check
on the packets.

When to Enable Unicast RPF

Enable unicast RPF when you want to ensure that traffic arriving on a network
interface comes from a source on a network that is reachable through that interface.
You can enable unicast RPF on untrusted interfaces to filter spoofed packets. For
example, a common application for unicast RPF is to help defend an enterprise
network from DoS/DDoS attacks coming from the Internet.

Enable unicast RPF only on symmetrically routed interfaces. A symmetrically routed
interface uses the same route in both directions between the source and the
destination, as shown in Figure 24 on page 348. Symmetrical routing means that if
an interface receives a packet, the switch uses the same interface to send a reply to
the packet source (the receiving interface matches the forwarding-table entry for the
best return path to the source).

Figure 24: Symmetrically Routed Interfaces

Enabling unicast RPF on asymmetrically routed interfaces (where different interfaces
receive a packet and reply to its source) results in packets from legitimate sources
being filtered (discarded) because the best return path is not the same interface that
received the packet.

The following switch interfaces are most likely to be symmetrically routed and thus
are candidates for enabling unicast RPF:

- The service provider edge to a customer
- The customer edge to a service provider
- A single access point out of the network (usually on the network perimeter)
- A terminal network that has only one link

NOTE: Because unicast RPF is enabled globally on the switch, ensure that all interfaces
are symmetrically routed before you enable unicast RPF. Enabling unicast RPF on
asymmetrically routed interfaces results in packets from legitimate sources being
filtered.

TIP: Enabling unicast RPF as close as possible to the traffic source stops spoofed
traffic before it can proliferate or reach interfaces that do not have unicast RPF
enabled.

TIP: It is best to enable unicast RPF explicitly on either all interfaces or only one
interface:

- Enabling unicast RPF explicitly on only one interface makes it easier if you choose
  to disable it in the future, because you must explicitly disable unicast RPF on
  every interface on which you explicitly enabled it. If you explicitly enable unicast
  RPF on two interfaces and you disable it on only one interface, unicast RPF is
  still globally enabled on the switch. The drawback to this approach is that the
  switch displays unicast RPF status as enabled only on interfaces on which unicast
  RPF is explicitly enabled, so even though unicast RPF is enabled on all interfaces,
  its status does not display as enabled on all interfaces.
- Enabling unicast RPF explicitly on all interfaces makes it easier to know whether
  unicast RPF is enabled on the switch, because every interface shows the correct
  status. (Only interfaces on which you explicitly enable unicast RPF display unicast
  RPF as enabled.) The drawback to this approach is that if you want to disable
  unicast RPF, you must explicitly disable it on every interface. If unicast RPF is
  enabled on any interface, it is enabled on all interfaces.

When Not to Enable Unicast RPF

Typically, you will not enable unicast RPF if:

- Switch interfaces are multihomed.
- Switch interfaces are trusted interfaces.
- BGP is carrying prefixes and some of those prefixes are not advertised or are
  not accepted by the ISP under its policy. (The effect in this case is the same as
  filtering an interface by using an incomplete access list.)
- Switch interfaces face the network core. Core-facing interfaces are usually
  asymmetrically routed.

An asymmetrically routed interface uses different paths to send and receive packets
between the source and the destination, as shown in Figure 25 on page 350. This
means that if an interface receives a packet, that interface does not match the
forwarding table entry as the best return path back to the source. If the receiving
interface is not the best return path to the source of a packet, unicast RPF causes
the switch to discard the packet even though it comes from a valid source.

Figure 25: Asymmetrically Routed Interfaces

NOTE: Do not enable unicast RPF if any switch interfaces are asymmetrically routed
because unicast RPF is enabled globally on all interfaces. All switch interfaces must
be symmetrically routed for you to enable unicast RPF without the risk of the switch's
discarding traffic that you want to forward.

ECMP Traffic Handling with Unicast RPF Enabled

The switch does not perform unicast RPF filtering on equal-cost multipath (ECMP)
traffic. The unicast RPF check examines only one best return path to the packet
source, but ECMP traffic employs an address block consisting of multiple paths. Using
unicast RPF to filter ECMP traffic can result in the switch's discarding packets that
you want to forward because the unicast RPF filter does not examine the entire ECMP
address block.
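The decision rules described in this topic (the strict-mode comparison of the receiving interface against the forwarding table's best return path, the discard of sources with no forwarding entry or a return path that points to reject, the exemption for broadcast BOOTP/DHCP requests, and the exemption for ECMP traffic) collected into one small simulation. This is an added example and not code from the JUNOS documentation or from the switch itself: the forwarding table, interface names, MAC address and packets are constructed, and the model applies the reject rule to any matching route, whereas the text above describes it only for the default route.

```python
"""Strict-mode unicast RPF check modelled on the rules in this topic.

Added example (not JUNOS code): the forwarding table, interface names, MAC
address and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

REJECT = "reject"                    # next hop of a route that points to reject
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"  # BOOTP/DHCP requests are sent to this address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hops: Tuple[str, ...]  # one interface, REJECT, or several interfaces (ECMP)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    ingress: str                          # interface the packet arrived on
    dst_mac: str = "00:00:5e:00:53:01"    # constructed unicast MAC (documentation range)


class ForwardingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def best_return_path(self, address: str) -> Optional[Route]:
        """Longest-prefix match for the source address; None if no entry exists."""
        addr = ipaddress.IPv4Address(address)
        best = None
        for route in self.routes:
            if addr in route.prefix and (
                best is None or route.prefix.prefixlen > best.prefix.prefixlen
            ):
                best = route
        return best


def urpf_check(fib: ForwardingTable, pkt: Packet, enabled: bool = True) -> Tuple[str, str]:
    """Return ("forward" | "discard", reason) for one packet under strict-mode unicast RPF."""
    if not enabled:
        return "forward", "unicast RPF is disabled (the default)"
    if pkt.dst_mac.lower() == BROADCAST_MAC:
        # BOOTP and DHCP requests carry a broadcast MAC and bypass the check.
        return "forward", "broadcast destination MAC: no unicast RPF check"
    route = fib.best_return_path(pkt.src_ip)
    if route is None:
        return "discard", "source has no entry in the forwarding table"
    if len(route.next_hops) > 1:
        # ECMP: the switch does not apply unicast RPF to multipath traffic.
        return "forward", "ECMP route: unicast RPF not applied"
    best = route.next_hops[0]
    if best == REJECT:
        # The text describes this for the default route; a reject route can never be a
        # valid return interface, so the model applies it to any matching route.
        return "discard", f"best return path {route.prefix} points to reject"
    if best == pkt.ingress:
        return "forward", f"receiving interface {pkt.ingress} is the best return path"
    return "discard", f"best return path is {best}, not receiving interface {pkt.ingress}"


# Constructed forwarding table: two customer subnets, one ECMP block, default -> reject.
SAMPLE_FIB = ForwardingTable([
    Route(ipaddress.IPv4Network("10.1.1.0/24"), ("ge-0/0/1",)),
    Route(ipaddress.IPv4Network("10.1.2.0/24"), ("ge-0/0/2",)),
    Route(ipaddress.IPv4Network("172.16.0.0/16"), ("ge-0/0/3", "ge-0/0/4")),  # ECMP
    Route(ipaddress.IPv4Network("0.0.0.0/0"), (REJECT,)),
])

# Same table, but the default route points at an uplink interface instead of reject.
FIB_DEFAULT_VIA_UPLINK = ForwardingTable(SAMPLE_FIB.routes[:-1] + [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), ("ge-0/0/5",)),
])

DEMO_PACKETS = {
    "symmetric":    Packet("10.1.1.5", "ge-0/0/1"),
    "spoofed":      Packet("10.1.1.5", "ge-0/0/2"),   # claims an address that lives behind ge-0/0/1
    "ecmp":         Packet("172.16.9.9", "ge-0/0/3"),
    "unknown_src":  Packet("203.0.113.7", "ge-0/0/1"),
    "dhcp_request": Packet("0.0.0.0", "ge-0/0/1", dst_mac=BROADCAST_MAC),
}


def run_demo(fib: ForwardingTable = SAMPLE_FIB):
    """Evaluate every demo packet against a table; returns {label: verdict}."""
    return {label: urpf_check(fib, pkt)[0] for label, pkt in DEMO_PACKETS.items()}


if __name__ == "__main__":
    for label, pkt in DEMO_PACKETS.items():
        verdict, reason = urpf_check(SAMPLE_FIB, pkt)
        print(f"{label:13} {pkt.src_ip:>13} on {pkt.ingress}: {verdict:7} ({reason})")
```

Running the module prints one verdict per constructed packet. Note that the "spoofed" packet is indistinguishable, to this check, from a legitimate host whose return path is asymmetric, which is why the topic insists on enabling unicast RPF only when every interface is symmetrically routed.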
Related Topics

- Example: Configuring Unicast RPF on an EX Series Switch on page 371
- Configuring Unicast RPF (CLI Procedure) on page 390
- Disabling Unicast RPF (CLI Procedure) on page 391

Chapter 22

Examples of Configuring Interfaces

- Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
  Chassis Access Switch and a Virtual Chassis Distribution Switch on page 351
- Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
  Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
  Switch on page 357
- Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an
  Access Switch on page 363
- Example: Configuring Unicast RPF on an EX Series Switch on page 371

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch

EX Series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle.
This example describes how to configure uplink LAGs to connect a Virtual Chassis
access switch to a Virtual Chassis distribution switch:

- Requirements on page 351
- Overview and Topology on page 352
- Configuration on page 354
- Verification on page 356
- Troubleshooting on page 357

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX Series switches

Two EX4200-48P switches

Two EX4200-24F switches

Four XFP uplink modules

Before you configure the LAGs, be sure you have:

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch

351

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Configured the Virtual Chassis switches. See Example: Configuring a Virtual


Chassis with a Master and Backup in a Single Wiring Closet on page 203.

Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 383.

Overview and Topology

For maximum speed and resiliency, you can combine uplinks between an access
switch and a distribution switch into LAGs. Using LAGs can be particularly effective
when connecting a multimember Virtual Chassis access switch to a multimember
Virtual Chassis distribution switch.

The Virtual Chassis access switch in this example is composed of two member
switches. Each member switch has an uplink module with two 10-Gigabit Ethernet
ports. These ports are configured as trunk ports, connecting the access switch with
the distribution switch.

Configuring the uplinks as LAGs has the following advantages:

- Link Aggregation Control Protocol (LACP) can optionally be configured for link
  negotiation.
- It doubles the speed of each uplink from 10 Gbps to 20 Gbps.
- If one physical port is lost for any reason (a cable is unplugged, a switch port
  fails, or one member switch is unavailable), the logical port transparently
  continues to function over the remaining physical port.

The topology used in this example consists of one Virtual Chassis access switch and
one Virtual Chassis distribution switch. The access switch is composed of two
EX4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
Virtual Chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.

Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as LAG ae0 to SWD-0. This link is used for one VLAN. The
remaining uplink ports from SWA-0 and from SWA-1 are combined as a second LAG
(ae1) to SWD-1. LAG ae1 is used for another VLAN.

If the remote end is a security device, LACP may not be supported, because security
devices demand a deterministic configuration. In this case, do not configure LACP.
All links in the LAG will then be permanently up unless a link failure within the
Ethernet physical or data link layer has been detected.

Figure 26: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual
Chassis Distribution Switch

Table 54 details the topology used in this configuration example.

Table 54: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis
Distribution Switch

| Switch | Hostname and VCID                  | Base Hardware     | Uplink Module         | Member ID | Trunk Port                           |
|--------|------------------------------------|-------------------|-----------------------|-----------|--------------------------------------|
| SWA-0  | Host-A Access switch, VCID 1       | EX4200-48P switch | One XFP uplink module | 0         | xe-0/1/0 to SWD-0; xe-0/1/1 to SWD-1 |
| SWA-1  | Host-A Access switch, VCID 1       | EX4200-48P switch | One XFP uplink module | 1         | xe-1/1/0 to SWD-0; xe-1/1/1 to SWD-1 |
| SWD-0  | Host-D Distribution switch, VCID 4 | EX4200-24F switch | One XFP uplink module | 0         | xe-0/1/0 to SWA-0; xe-0/1/1 to SWA-1 |
| SWD-1  | Host-D Distribution switch, VCID 4 | EX4200-24F switch | One XFP uplink module | 1         | xe-1/1/0 to SWA-0; xe-1/1/1 to SWA-1 |

Configuration
To configure two uplink LAGs from the Virtual Chassis access switch to the Virtual
Chassis distribution switch:
CLI Quick Configuration

To quickly configure aggregated Ethernet high-speed uplinks between a Virtual Chassis
access switch and a Virtual Chassis distribution switch, copy the following commands
and paste them into the switch terminal window:

[edit]
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options link-speed 10g
set interfaces ae0 unit 0 family inet address 192.0.2.0/25
set interfaces ae1 unit 1 family inet address 192.0.2.128/25
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1

Step-by-Step Procedure

To configure aggregated Ethernet high-speed uplinks between a Virtual Chassis access
switch and a Virtual Chassis distribution switch:

1. Specify the number of LAGs to be created on the chassis:

   [edit chassis]
   user@Host-A# set aggregated-devices ethernet device-count 2

2. Specify the number of links that need to be present for the ae0 LAG interface
   to be up:

   [edit interfaces]
   user@Host-A# set ae0 aggregated-ether-options minimum-links 2

3. Specify the number of links that need to be present for the ae1 LAG interface
   to be up:

   [edit interfaces]
   user@Host-A# set ae1 aggregated-ether-options minimum-links 2

4. Specify the media speed of the ae0 link:

   [edit interfaces]
   user@Host-A# set ae0 aggregated-ether-options link-speed 10g

5. Specify the media speed of the ae1 link:

   [edit interfaces]
   user@Host-A# set ae1 aggregated-ether-options link-speed 10g

6. Specify the interface IDs of the uplinks to be included in LAG ae0:

   [edit interfaces]
   user@Host-A# set xe-0/1/0 ether-options 802.3ad ae0
   user@Host-A# set xe-1/1/0 ether-options 802.3ad ae0

7. Specify the interface IDs of the uplinks to be included in LAG ae1:

   [edit interfaces]
   user@Host-A# set xe-0/1/1 ether-options 802.3ad ae1
   user@Host-A# set xe-1/1/1 ether-options 802.3ad ae1

8. Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:

   [edit interfaces]
   user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25

9. Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:

   [edit interfaces]
   user@Host-A# set ae1 unit 1 family inet address 192.0.2.128/25

Results

Display the results of the configuration:

[edit]
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    ae0 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.0/25;
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 1 {
            family inet {
                address 192.0.2.128/25;
            }
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
}

Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:

- Verifying That LAG ae0 Has Been Created on page 356
- Verifying That LAG ae1 Has Been Created on page 357

Verifying That LAG ae0 Has Been Created

Purpose

Verify that LAG ae0 has been created on the switch.

Action

show interfaces ae0 terse
Interface               Admin Link Proto    Local                 Remote
ae0                     up    up
ae0.0                   up    up   inet     10.10.10.2/24

Meaning

The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.

Verifying That LAG ae1 Has Been Created

Purpose

Verify that LAG ae1 has been created on the switch.

Action

show interfaces ae1 terse
Interface               Admin Link Proto    Local                 Remote
ae1                     up    down
ae1.0                   up    down inet

Meaning

The output shows that the ae1 link is down.

Troubleshooting

Troubleshooting a LAG That Is Down

Problem

The show interfaces terse command shows that the LAG is down.

Solution

Check the following:

- Verify that there is no configuration mismatch.
- Verify that all member ports are up.
- Verify that the LAG is part of family ethernet-switching (Layer 2 LAG) or family
  inet (Layer 3 LAG).
- Verify that the LAG member is connected to the correct LAG at the other end.
- Verify that the LAG members belong to the same switch (or the same Virtual
  Chassis).

Related Topics

- Example: Configuring a Virtual Chassis with a Master and Backup in a Single
  Wiring Closet on page 203
- Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
  Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
  on page 234
- Example: Connecting an Access Switch to a Distribution Switch on page 498
- Virtual Chassis Cabling Configuration Examples for EX4200 Switches
- Installing an Uplink Module in an EX3200 or EX4200 Switch

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch

EX Series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle. EX Series switches
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).

This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page
227:

- Requirements on page 358
- Overview and Topology on page 358
- Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 359
- Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch on
  page 360
- Verification on page 360
- Troubleshooting on page 362

Requirements

This example uses the following software and hardware components:

- JUNOS Release 9.0 or later for EX Series switches
- Two EX4200-48P switches
- Two EX4200-24F switches
- Four EX Series XFP uplink modules

Before you configure LACP, be sure you have:

- Set up the Virtual Chassis switches. See Example: Configuring a Virtual Chassis
  with a Master and Backup in a Single Wiring Closet on page 203.
- Configured the uplink ports on the switches as trunk ports. See Configuring
  Gigabit Ethernet Interfaces (CLI Procedure) on page 383.
- Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed
  Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
  Switch on page 227.

Overview and Topology

This example assumes that you are already familiar with Example: Configuring
Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and
a Virtual Chassis Distribution Switch. The topology in this example is exactly the same
as the topology in that example. This example shows how to use LACP to enhance
the LAG functionality.

LACP exchanges are made between actors (the transmitting link) and partners (the
receiving link). The LACP mode can be either active or passive.

NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.

By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level. The interval can be fast (every second) or slow (every 30 seconds).

Configuring LACP for the LAGs on the Virtual Chassis Access Switch

To configure LACP for the access switch LAGs, perform these tasks:

CLI Quick Configuration

To quickly configure LACP for the access switch LAGs, copy the following commands
and paste them into the switch terminal window:

[edit]
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp active periodic fast

Step-by-Step Procedure

To configure LACP for Host-A LAGs ae0 and ae1:

1. Specify the aggregated Ethernet options for both bundles:

   [edit interfaces]
   user@Host-A# set ae0 aggregated-ether-options lacp active periodic fast
   user@Host-A# set ae1 aggregated-ether-options lacp active periodic fast

Results

Display the results of the configuration:

[edit interfaces]
user@Host-A# show
ae0 {
    aggregated-ether-options {
        lacp {
            active;
            periodic fast;
        }
    }
}
ae1 {
    aggregated-ether-options {
        lacp {
            active;
            periodic fast;
        }
    }
}

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch

To configure LACP for the two uplink LAGs from the Virtual Chassis access switch to
the Virtual Chassis distribution switch, perform these tasks:

CLI Quick Configuration

To quickly configure LACP for the distribution switch LAGs, copy the following
commands and paste them into the switch terminal window:

[edit interfaces]
set ae0 aggregated-ether-options lacp passive periodic fast
set ae1 aggregated-ether-options lacp passive periodic fast

Step-by-Step Procedure

To configure LACP for Host-D LAGs ae0 and ae1:

1. Specify the aggregated Ethernet options for both bundles:

   [edit interfaces]
   user@Host-D# set ae0 aggregated-ether-options lacp passive periodic fast
   user@Host-D# set ae1 aggregated-ether-options lacp passive periodic fast

Results

Display the results of the configuration:

[edit interfaces]
user@Host-D# show
ae0 {
    aggregated-ether-options {
        lacp {
            passive;
            periodic fast;
        }
    }
}
ae1 {
    aggregated-ether-options {
        lacp {
            passive;
            periodic fast;
        }
    }
}

Verification

To verify that LACP packets are being exchanged, perform these tasks:

- Verifying the LACP Settings on page 360
- Verifying That the LACP Packets Are Being Exchanged on page 361

Verifying the LACP Settings

Purpose

Verify that LACP has been set up correctly.

Action

Use the show lacp interfaces interface-name command to check that LACP has been
enabled as active on one end.

user@Host-A> show lacp interfaces xe-0/1/0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                Defaulted   Fast periodic           Detached

Meaning

The output indicates that LACP has been set up correctly and is active at one end.

Verifying That the LACP Packets Are Being Exchanged

Purpose

Verify that LACP packets are being exchanged.

Action

Use the show interfaces aex statistics command to display LACP information.

user@Host-A> show interfaces ae0 statistics
Physical interface: ae0, Enabled, Physical link is Down
  Interface index: 153, SNMP ifIndex: 30
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0
  Last flapped   : Never
  Statistics last cleared: Never
  Input packets : 0
  Output packets: 0
  Input errors: 0, Output errors: 0

  Logical interface ae0.0 (Index 71) (SNMP ifIndex 34)
    Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Protocol inet
      Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning

The output here shows that the link is down and that no PDUs are being exchanged.

Troubleshooting

These are some tips for troubleshooting:

Troubleshooting a Nonworking LACP Link

Problem

The LACP link is not working.

Solution

Check the following:

- Remove the LACP configuration and verify whether the static LAG is up.
- Verify that LACP is configured at both ends.
- Verify that LACP is not passive at both ends.
- Verify whether LACP protocol data units (PDUs) are being exchanged by running
  the monitor traffic interface lag-member detail command.
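The two troubleshooting checklists in this chapter, the static LAG list from the previous example (configuration mismatch, member ports down, missing family, member cabled to the wrong bundle) and the LACP list above (LACP at only one end, passive at both ends), combined into one evaluator that reports why a bundle stays down. This is an added example, not JUNOS code or output: `LagEnd`, `Member`, `evaluate()` and the constructed states are assumptions modelled on the Host-A/Host-D ae0 uplink; the switch's own bundle state machine is considerably richer than this.

```python
"""Why an aggregated Ethernet bundle stays down, following the static LAG and LACP
troubleshooting checklists in this chapter.

Added example (not JUNOS code): LagEnd, Member, evaluate() and all states below are
constructed around the Host-A / Host-D ae0 uplink of this chapter's topology.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Member:
    name: str          # local member port, e.g. xe-0/1/0
    link_up: bool      # physical link state of the member
    speed: str         # member speed, e.g. "10g"
    remote_lag: str    # bundle the far end places this port in (cabling check)


@dataclass
class LagEnd:
    host: str
    name: str                  # e.g. ae0
    members: List[Member]
    minimum_links: int = 1     # aggregated-ether-options minimum-links
    link_speed: str = "10g"    # aggregated-ether-options link-speed
    lacp: str = "off"          # "off" (static LAG), "active" or "passive"
    family: str = ""           # "inet" (Layer 3 LAG) or "ethernet-switching" (Layer 2 LAG)


def lacp_pdus_exchanged(a: LagEnd, b: LagEnd) -> bool:
    """LACP PDUs flow only if both ends run LACP and at least one end is active."""
    if a.lacp == "off" or b.lacp == "off":
        return False
    return "active" in (a.lacp, b.lacp)


def evaluate(local: LagEnd, remote: LagEnd) -> Tuple[bool, List[str]]:
    """Return (bundle_up, findings); each finding maps to a checklist item."""
    findings: List[str] = []
    if not local.family:
        findings.append(f"{local.name}: no family configured (inet or ethernet-switching)")
    usable: List[Member] = []
    for m in local.members:
        if not m.link_up:
            findings.append(f"{m.name}: member port is down")
        elif m.remote_lag != remote.name:
            findings.append(f"{m.name}: far end bundles it into {m.remote_lag}, expected {remote.name}")
        elif m.speed != local.link_speed:
            findings.append(f"{m.name}: speed {m.speed} differs from link-speed {local.link_speed}")
        else:
            usable.append(m)
    if (local.lacp != "off" or remote.lacp != "off") and not lacp_pdus_exchanged(local, remote):
        findings.append("LACP configured but no PDUs can be exchanged "
                        "(LACP missing at one end, or passive at both ends)")
        usable = []  # without PDUs no member is collected into the bundle
    if len(usable) < local.minimum_links:
        findings.append(f"{local.name}: {len(usable)} usable link(s) but minimum-links is {local.minimum_links}")
        return False, findings
    return True, findings


def _end(host: str, lacp: str, members: List[Member]) -> LagEnd:
    return LagEnd(host, "ae0", members, minimum_links=2, link_speed="10g", lacp=lacp, family="inet")


def _members(second_up: bool = True, second_remote: str = "ae0") -> List[Member]:
    return [Member("xe-0/1/0", True, "10g", "ae0"),
            Member("xe-1/1/0", second_up, "10g", second_remote)]


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed scenarios for the Host-A ae0 <-> Host-D ae0 uplink bundle."""
    def host_d(lacp: str) -> LagEnd:
        return _end("Host-D", lacp, _members())
    return {
        "static_lag":        evaluate(_end("Host-A", "off", _members()), host_d("off")),
        "active_to_passive": evaluate(_end("Host-A", "active", _members()), host_d("passive")),
        "passive_both_ends": evaluate(_end("Host-A", "passive", _members()), host_d("passive")),
        "lacp_one_end_only": evaluate(_end("Host-A", "active", _members()), host_d("off")),
        "member_port_down":  evaluate(_end("Host-A", "active", _members(second_up=False)), host_d("passive")),
        "miscabled_member":  evaluate(_end("Host-A", "active", _members(second_remote="ae1")), host_d("passive")),
    }


if __name__ == "__main__":
    for name, (up, findings) in scenarios().items():
        print(f"{name:18} {'up' if up else 'DOWN'}")
        for finding in findings:
            print(f"    - {finding}")
```

With minimum-links set to 2, as in this chapter's configuration, a single failed or miscabled member takes the whole bundle down rather than degrading it, which is the trade-off the minimum-links statement is meant to make explicit.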

Related Topics

- Example: Connecting an Access Switch to a Distribution Switch on page 498
- Virtual Chassis Cabling Configuration Examples for EX4200 Switches
- Installing an Uplink Module in an EX3200 or EX4200 Switch

Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access
Switch

In a large LAN, you commonly need to partition the network into multiple VLANs.
You can configure Layer 3 subinterfaces to route traffic between the VLANs. In one
common topology, known as a "router on a stick" or a "one-armed router", you
connect a router to an access switch with connections to multiple VLANs.

This example describes how to create Layer 3 subinterfaces on trunk interfaces of a
distribution switch and an access switch so that you can route traffic among multiple
VLANs:

- Requirements on page 363
- Overview and Topology on page 363
- Configuring the Access Switch Subinterfaces on page 364
- Configuring the Distribution Switch Subinterfaces on page 366
- Verification on page 369

Requirements

This example uses the following hardware and software components:

- For the distribution switch, one EX4200-24F switch. This model is designed to
  be used as a distribution switch for aggregation or collapsed core network
  topologies and in space-constrained data centers. It has twenty-four 1-Gigabit
  Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit
  Ethernet XFP ports.
- For the access switch, any Layer 2 switch that supports 802.1Q VLAN tags.
- JUNOS Release 9.2 or later for EX Series switches.

Before you connect the switches, make sure you have:

- Connected the two switches.
- Configured the necessary VLANs. See Configuring VLANs for EX Series Switches
  (CLI Procedure) on page 546 or Configuring VLANs for EX Series Switches (J-Web
  Procedure) on page 543.

Overview and Topology

In a large office with multiple buildings and VLANs, you commonly aggregate traffic
from a number of access switches into a distribution switch. This configuration
example shows a simple topology to illustrate how to connect a single Layer 2 access
switch that is connected to multiple VLANs to a distribution switch, enabling traffic
to pass between those VLANs.

In the example topology, the LAN is segmented into five VLANs, all associated with
interfaces on the access switch. One 1-Gigabit Ethernet port on the access switch's
uplink module connects to one 1-Gigabit Ethernet port on the distribution switch.

Table 55 on page 364 lists the settings for the example topology.

Table 55: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution
Switch

| Property                     | Settings |
|------------------------------|----------|
| Access switch hardware       | Any Layer 2 switch with multiple 1-Gigabit Ethernet ports and at least one 1-Gigabit Ethernet uplink module |
| Distribution switch hardware | EX4200-24F, 24 1-Gigabit Ethernet fiber SFP ports (ge-0/0/0 through ge-0/0/23); one 2-port 10-Gigabit Ethernet XFP uplink module (EX-UM-2XFP) |
| VLAN names and tag IDs       | vlan1, tag 101; vlan2, tag 102; vlan3, tag 103; vlan4, tag 104; vlan5, tag 105 |
| VLAN subnets                 | vlan1: 1.1.1.0/24 (addresses 1.1.1.1 through 1.1.1.254); vlan2: 2.1.1.0/24 (addresses 2.1.1.1 through 2.1.1.254); vlan3: 3.1.1.0/24 (addresses 3.1.1.1 through 3.1.1.254); vlan4: 4.1.1.0/24 (addresses 4.1.1.1 through 4.1.1.254); vlan5: 5.1.1.0/24 (addresses 5.1.1.1 through 5.1.1.254) |
| Port interfaces              | On the access switch: ge-0/1/0; on the distribution switch: ge-0/0/0 |

Configuring the Access Switch Subinterfaces

CLI Quick Configuration

To quickly create and configure subinterfaces on the access switch, copy the following
commands and paste them into the switch terminal window:

[edit]
set interfaces ge-0/1/0 vlan-tagging
set interfaces ge-0/1/0 unit 0 vlan-id 101
set interfaces ge-0/1/0 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/1/0 unit 1 vlan-id 102
set interfaces ge-0/1/0 unit 1 family inet address 2.1.1.1/24
set interfaces ge-0/1/0 unit 2 vlan-id 103
set interfaces ge-0/1/0 unit 2 family inet address 3.1.1.1/24
set interfaces ge-0/1/0 unit 3 vlan-id 104
set interfaces ge-0/1/0 unit 3 family inet address 4.1.1.1/24
set interfaces ge-0/1/0 unit 4 vlan-id 105
set interfaces ge-0/1/0 unit 4 family inet address 5.1.1.1/24

Chapter 22: Examples of Configuring Interfaces

Step-by-Step Procedure
Step-by-Step Procedure

To configure the subinterfaces on the access switch:


1.

On the trunk interface of the access switch, enable VLAN tagging:


[edit interfaces ge-0/1/0]
user@access-switch# set vlan-tagging

2.

Bind vlan1's VLAN ID to the logical interface:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 0 vlan-id 101

3.

Set vlan1's subinterface IP address:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 0 family inet address 1.1.1.1/24

4.

Bind vlan2's VLAN ID to the logical interface:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 1 vlan-id 102

5.

Set vlan2's subinterface IP address:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 1 family inet address 2.1.1.1/24

6.

Bind vlan3's VLAN ID to the logical interface:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 2 vlan-id 103

7.

Set vlan3's subinterface IP address:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 2 family inet address 3.1.1.1/24

8.

Bind vlan4's VLAN ID to the logical interface:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 3 vlan-id 104

9.

Set vlan4's subinterface IP address:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 3 family inet address 4.1.1.1/24

10.

Bind vlan5's VLAN ID to the logical interface:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 4 vlan-id 105

11.

Set vlan5's subinterface IP address:


[edit interfaces ge-0/1/0]
user@access-switch# set unit 4 family inet address 5.1.1.1/24

Results

Check the results of the configuration:


user@access-switch> show configuration
interfaces {
ge-0/1/0 {
vlan-tagging;
unit 0 {
vlan-id 101;
family inet {
address 1.1.1.1/24;
}
}
unit 1 {
vlan-id 102;
family inet {
address 2.1.1.1/24;
}
}
unit 2 {
vlan-id 103;
family inet {
address 3.1.1.1/24;
}
}
unit 3 {
vlan-id 104;
family inet {
address 4.1.1.1/24;
}
}
unit 4 {
vlan-id 105;
family inet {
address 5.1.1.1/24;
}
}
}

Configuring the Distribution Switch Subinterfaces


CLI Quick Configuration

To quickly create and configure subinterfaces on the distribution switch, copy the
following commands and paste them into the switch terminal window:

[edit]
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 vlan-id 101
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces ge-0/0/0 unit 1 vlan-id 102
set interfaces ge-0/0/0 unit 1 family inet address 2.1.1.2/24
set interfaces ge-0/0/0 unit 2 vlan-id 103
set interfaces ge-0/0/0 unit 2 family inet address 3.1.1.2/24
set interfaces ge-0/0/0 unit 3 vlan-id 104
set interfaces ge-0/0/0 unit 3 family inet address 4.1.1.2/24
set interfaces ge-0/0/0 unit 4 vlan-id 105
set interfaces ge-0/0/0 unit 4 family inet address 5.1.1.2/24

Step-by-Step Procedure

To configure subinterfaces on the distribution switch:


1.

On the trunk interface of the distribution switch, enable VLAN tagging:


[edit interfaces ge-0/0/0]
user@distribution-switch# set vlan-tagging

2.

Bind vlan1's VLAN ID to the logical interface:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 0 vlan-id 101

3.

Set vlan1's subinterface IP address:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 0 family inet address 1.1.1.2/24

4.

Bind vlan2's VLAN ID to the logical interface:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 1 vlan-id 102

5.

Set vlan2's subinterface IP address:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 1 family inet address 2.1.1.2/24

6.

Bind vlan3's VLAN ID to the logical interface:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 2 vlan-id 103

7.

Set vlan3's subinterface IP address:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 2 family inet address 3.1.1.2/24

8.

Bind vlan4's VLAN ID to the logical interface:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 3 vlan-id 104

9.

Set vlan4's subinterface IP address:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 3 family inet address 4.1.1.2/24

10.

Bind vlan5's VLAN ID to the logical interface:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 4 vlan-id 105

11.

Set vlan5's subinterface IP address:


[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 4 family inet address 5.1.1.2/24

Results

Check the results of the configuration:

user@distribution-switch> show configuration
interfaces {
ge-0/0/0 {
vlan-tagging;
unit 0 {
vlan-id 101;
family inet {
address 1.1.1.2/24;
}
}
unit 1 {
vlan-id 102;
family inet {
address 2.1.1.2/24;
}
}
unit 2 {
vlan-id 103;
family inet {
address 3.1.1.2/24;
}
}
unit 3 {
vlan-id 104;
family inet {
address 4.1.1.2/24;
}
}
unit 4 {
vlan-id 105;
family inet {
address 5.1.1.2/24;
}
}
}
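Both switches in this example receive the same procedure applied to one table of VLANs, so the configuration is easier to generate than to type. The following Python script is an added example and is not part of the Juniper documentation: it builds the set commands for both trunks from the VLAN table of the topology above (the VLAN names, VLAN IDs, interface names and addresses are the ones in the example; the function names are mine) and then checks the things that commit cleanly but break connectivity, namely the two ends of a VLAN in different subnets, both ends on the same host address, a host address equal to the network or broadcast address, and duplicate or out-of-range VLAN IDs.

```python
"""Generate and sanity-check the Layer 3 subinterface configuration for both switches.

Added example, not Juniper's code. One VLAN table drives the 'set' commands
for the access and distribution trunks, and a consistency check catches the
errors that produce a clean commit but broken connectivity.
"""
import ipaddress
from typing import Dict, List, Tuple

# VLAN table taken from the example topology above:
# name -> (vlan-id, access-switch address, distribution-switch address)
VLANS: Dict[str, Tuple[int, str, str]] = {
    "vlan1": (101, "1.1.1.1/24", "1.1.1.2/24"),
    "vlan2": (102, "2.1.1.1/24", "2.1.1.2/24"),
    "vlan3": (103, "3.1.1.1/24", "3.1.1.2/24"),
    "vlan4": (104, "4.1.1.1/24", "4.1.1.2/24"),
    "vlan5": (105, "5.1.1.1/24", "5.1.1.2/24"),
}

ACCESS, DISTRIBUTION = 1, 2  # index of the address column for each side


def subinterface_commands(ifname: str, vlans: Dict[str, Tuple[int, str, str]], side: int) -> List[str]:
    """Return the set commands for one trunk, one unit per VLAN in table order.

    vlan-id and the address are emitted as two separate set commands, as in the
    step-by-step procedure, so that no command chains two leaf statements.
    """
    cmds = [f"set interfaces {ifname} vlan-tagging"]
    for unit, entry in enumerate(vlans.values()):
        vlan_id, addr = entry[0], entry[side]
        cmds.append(f"set interfaces {ifname} unit {unit} vlan-id {vlan_id}")
        cmds.append(f"set interfaces {ifname} unit {unit} family inet address {addr}")
    return cmds


def check_vlan_table(vlans: Dict[str, Tuple[int, str, str]]) -> List[str]:
    """Return the problems found; an empty list means the two ends are consistent."""
    problems: List[str] = []
    seen_ids: set = set()
    for name, (vlan_id, acc, dist) in vlans.items():
        if not 1 <= vlan_id <= 4094:
            problems.append(f"{name}: vlan-id {vlan_id} outside 1-4094")
        if vlan_id in seen_ids:
            problems.append(f"{name}: duplicate vlan-id {vlan_id}")
        seen_ids.add(vlan_id)
        a, d = ipaddress.ip_interface(acc), ipaddress.ip_interface(dist)
        if a.network != d.network:
            problems.append(f"{name}: {acc} and {dist} are not in the same subnet")
        elif a.ip == d.ip:
            problems.append(f"{name}: both ends use host address {a.ip}")
        for end in (a, d):
            if end.ip in (end.network.network_address, end.network.broadcast_address):
                problems.append(f"{name}: {end} is the network or broadcast address")
    return problems


if __name__ == "__main__":
    found = check_vlan_table(VLANS)
    if found:
        raise SystemExit("\n".join(found))
    print("\n".join(subinterface_commands("ge-0/1/0", VLANS, ACCESS)))
    print("\n".join(subinterface_commands("ge-0/0/0", VLANS, DISTRIBUTION)))
```

Run the checks before pasting anything into the switch; a table that passes produces exactly the eleven commands per trunk shown in the CLI Quick Configuration sections.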

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That Subinterfaces Were Created on page 369

Verifying That Traffic Passes Between VLANs on page 369

Verifying That Subinterfaces Were Created


Purpose

Verify that the subinterfaces were properly created on the access switch and
distribution switch.

Action

1.

Use the show interfaces command on the access switch:

user@access-switch> show interfaces ge-0/1/0 terse
Interface        Admin Link Proto Local       Remote
ge-0/1/0         up    up
ge-0/1/0.0       up    up   inet  1.1.1.1/24
ge-0/1/0.1       up    up   inet  2.1.1.1/24
ge-0/1/0.2       up    up   inet  3.1.1.1/24
ge-0/1/0.3       up    up   inet  4.1.1.1/24
ge-0/1/0.4       up    up   inet  5.1.1.1/24
ge-0/1/0.32767   up    up

2.

Use the show interfaces command on the distribution switch:

user@distribution-switch> show interfaces ge-0/0/0 terse
Interface        Admin Link Proto Local       Remote
ge-0/0/0         up    up
ge-0/0/0.0       up    up   inet  1.1.1.2/24
ge-0/0/0.1       up    up   inet  2.1.1.2/24
ge-0/0/0.2       up    up   inet  3.1.1.2/24
ge-0/0/0.3       up    up   inet  4.1.1.2/24
ge-0/0/0.4       up    up   inet  5.1.1.2/24
ge-0/0/0.32767   up    up

Meaning

Each subinterface created is displayed as a ge-chassis/slot/port.x logical interface,
where x is the unit number in the configuration. The status is listed as up, indicating
the link is working.

Verifying That Traffic Passes Between VLANs


Purpose

Verify that the distribution switch is correctly routing traffic from one VLAN to another.

Action

Ping from the access switch to the distribution switch on each subinterface.
1.

From the access switch, ping the address of the vlan1 subinterface on the
distribution switch:
user@access-switch> ping 1.1.1.2 count 4
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=64 time=0.333 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.112 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.158 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.112/0.179/0.333/0.091 ms

2.

From the access switch, ping the address of the vlan2 subinterface on the
distribution switch:
user@access-switch> ping 2.1.1.2 count 4
PING 2.1.1.2 (2.1.1.2): 56 data bytes
64 bytes from 2.1.1.2: icmp_seq=0 ttl=64 time=0.241 ms
64 bytes from 2.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 2.1.1.2: icmp_seq=2 ttl=64 time=0.162 ms
64 bytes from 2.1.1.2: icmp_seq=3 ttl=64 time=0.167 ms

--- 2.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.113/0.171/0.241/0.046 ms

3.

From the access switch, ping the address of the vlan3 subinterface on the
distribution switch:
user@access-switch> ping 3.1.1.2 count 4
PING 3.1.1.2 (3.1.1.2): 56 data bytes
64 bytes from 3.1.1.2: icmp_seq=0 ttl=64 time=0.341 ms
64 bytes from 3.1.1.2: icmp_seq=1 ttl=64 time=0.162 ms
64 bytes from 3.1.1.2: icmp_seq=2 ttl=64 time=0.112 ms
64 bytes from 3.1.1.2: icmp_seq=3 ttl=64 time=0.208 ms

--- 3.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.112/0.206/0.341/0.085 ms

4.

From the access switch, ping the address of the vlan4 subinterface on the
distribution switch:
user@access-switch> ping 4.1.1.2 count 4
PING 4.1.1.2 (4.1.1.2): 56 data bytes
64 bytes from 4.1.1.2: icmp_seq=0 ttl=64 time=0.226 ms
64 bytes from 4.1.1.2: icmp_seq=1 ttl=64 time=0.166 ms
64 bytes from 4.1.1.2: icmp_seq=2 ttl=64 time=0.107 ms
64 bytes from 4.1.1.2: icmp_seq=3 ttl=64 time=0.221 ms

--- 4.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.107/0.180/0.226/0.048 ms

5.

From the access switch, ping the address of the vlan5 subinterface on the
distribution switch:
user@access-switch> ping 5.1.1.2 count 4
PING 5.1.1.2 (5.1.1.2): 56 data bytes
64 bytes from 5.1.1.2: icmp_seq=0 ttl=64 time=0.224 ms
64 bytes from 5.1.1.2: icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from 5.1.1.2: icmp_seq=2 ttl=64 time=0.102 ms
64 bytes from 5.1.1.2: icmp_seq=3 ttl=64 time=0.170 ms

--- 5.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.102/0.150/0.224/0.051 ms

Meaning

If all the ping packets are transmitted and are received by the destination address,
the subinterfaces are up and working.

Related Topics

Example: Connecting an Access Switch to a Distribution Switch on page 498

Configuring a Layer 3 Subinterface (CLI Procedure)

Example: Configuring Unicast RPF on an EX Series Switch


Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service
(DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source
address of each packet that arrives on an ingress interface where unicast RPF is
enabled.
This example shows how to help defend the switch ingress interfaces against
denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by configuring
global unicast reverse-path forwarding (RPF) on all switch interfaces to filter incoming
traffic:

Requirements on page 371

Overview and Topology on page 372

Configuration on page 372

Verification on page 373

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.3 or later for EX Series switches

Two EX3200 switches

Before you configure unicast RPF, make sure that all of the switch interfaces are
symmetrically routed (the switch uses the same path in both directions between the
source and the destination).

Overview and Topology


Large amounts of unauthorized traffic such as attempts to flood a network with fake
(bogus) service requests in a denial-of-service (DoS) attack can consume network
resources and deny service to legitimate users. One way to help prevent DoS and
distributed denial-of-service (DDoS) attacks is to verify that incoming traffic originates
from legitimate network sources.
Unicast RPF helps ensure that a traffic source is legitimate (authorized) by comparing
the source address of each packet that arrives on an interface to the forwarding-table
entry for its source address. If the switch uses the same interface that the packet
arrived on to reply to the packet's source, this verifies that the packet originated
from an authorized source, and the switch forwards the packet. If the switch does
not use the same interface that the packet arrived on to reply to the packet's source,
the packet might have originated from an unauthorized source, and the switch
discards the packet.
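The decision described in the paragraph above is a reverse lookup: take the packet's source address, ask the forwarding table which interface a reply would leave on, and forward only if that is the interface the packet arrived on. The following Python model is an added illustration and is not Juniper's code or the switch's forwarding path; it implements that check over a constructed longest-prefix-match forwarding table for Switch A. Only ge-1/0/10 is taken from the example; the other interface names, prefixes and addresses are invented for the illustration. The last case in the test shows the requirement stated earlier in this example: with asymmetric routing, a legitimate packet arriving on an interface other than the one the forwarding table would use to reach its source is discarded too.

```python
"""Strict unicast RPF decision against a longest-prefix-match forwarding table.

Added example, not Juniper's code: models the check the text describes. A
packet is forwarded only if the interface the forwarding table would use to
reach the packet's source address is the interface the packet arrived on.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_interface: str


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str


# Constructed forwarding table for Switch A (hypothetical prefixes and inside
# interfaces): enterprise space is reached via inside interfaces, everything
# else via the Internet-facing ge-1/0/10 from the example.
FORWARDING_TABLE: List[Route] = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "ge-1/0/0"),
    Route(ipaddress.ip_network("10.1.5.0/24"), "ge-1/0/1"),   # more specific than the /16
    Route(ipaddress.ip_network("0.0.0.0/0"), "ge-1/0/10"),   # default route toward Switch B
]


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, as the forwarding-table lookup does."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for route in table:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def rpf_check(table: List[Route], pkt: Packet, rpf_interfaces: Set[str]) -> str:
    """Return 'forward' or 'discard' for pkt under strict unicast RPF.

    Interfaces not in rpf_interfaces skip the check. On the EX switches in this
    example enabling rpf-check on one interface enables it on all of them, so a
    faithful model passes every interface in that set.
    """
    if pkt.in_interface not in rpf_interfaces:
        return "forward"
    route = lookup(table, pkt.src)           # where would a reply to the source go?
    if route is None or route.out_interface != pkt.in_interface:
        return "discard"                     # source is not reachable via the arrival interface
    return "forward"


if __name__ == "__main__":
    enabled = {"ge-1/0/0", "ge-1/0/1", "ge-1/0/10"}
    for pkt in (
        Packet("203.0.113.5", "10.1.5.20", "ge-1/0/10"),   # Internet source, arrives from Internet
        Packet("10.1.5.7", "10.1.0.9", "ge-1/0/10"),       # inside address arriving from the Internet
        Packet("10.1.7.3", "203.0.113.5", "ge-1/0/1"),     # legitimate but asymmetrically routed
    ):
        print(pkt, "->", rpf_check(FORWARDING_TABLE, pkt, enabled))
```

The second packet is the case unicast RPF exists for: a source address from the inside prefix cannot legitimately arrive on the Internet-facing interface. The third packet is the operational caveat: if the return path for 10.1.7.3 is ge-1/0/0 but the traffic enters on ge-1/0/1, strict RPF drops real traffic, which is why the Requirements section insists on symmetric routing before enabling it.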
In this example, an enterprise network's system administrator wants to protect
Switch A against potential DoS and DDoS attacks from the Internet. The administrator
configures unicast RPF on interface ge-1/0/10 on Switch A. Packets arriving on
interface ge-1/0/10 on Switch A from the Switch B source also use incoming interface
ge-1/0/10 as the best return path to send packets back to the source. All other
interfaces on Switch A are also symmetrically routed, because when you enable
unicast RPF on any interface, it is thereby enabled globally on all switch interfaces.
The topology of this configuration example uses two EX3200 switches, Switch A and
Switch B, connected by symmetrically routed interfaces:

Switch A is on the edge of an enterprise network. The interface ge-1/0/10 on
Switch A connects to the interface ge-1/0/5 on Switch B.

Switch B is on the edge of the service provider network that connects the
enterprise network to the Internet.

Configuration

To enable unicast RPF globally on all Switch A interfaces:

CLI Quick Configuration

To quickly configure unicast RPF on a switch to help prevent DoS/DDoS attacks, copy
the following command and paste it into the switch terminal window:
[edit interfaces]
set ge-1/0/10 unit 0 family inet rpf-check

Step-by-Step Procedure

To configure Switch A interfaces to perform unicast RPF filtering:


1.

Enable unicast RPF on interface ge-1/0/10:


[edit interfaces]
user@switch# set ge-1/0/10 unit 0 family inet rpf-check

Results

Check the results:


[edit interfaces]
user@switch# show
ge-1/0/10 {
unit 0 {
family inet {
rpf-check;
}
}
}

Verification
To confirm that the configuration is correct, perform these tasks:

Verifying That Unicast RPF Is Enabled on the Switch on page 373

Verifying That Unicast RPF Is Enabled on the Switch


Purpose

Verify that unicast RPF is enabled.

Action

Verify that unicast RPF is enabled on interface ge-1/0/10 by using the show interfaces
ge-1/0/10 extensive or show interfaces ge-1/0/10 detail command.

user@switch> show interfaces ge-1/0/10 extensive
Physical interface: ge-1/0/10, Enabled, Physical link is Down
  Interface index: 139, SNMP ifIndex: 58, Generation: 140
  Link-level type: Ethernet, MTU: 1514, Speed: Auto, MAC-REWRITE Error: None,
  Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:95:ab, Hardware address: 00:19:e2:50:95:ab
  Last flapped   : Never
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : LINK
  Active defects : LINK
  MAC statistics:                      Receive         Transmit
    Total octets                             0                0
    Total packets                            0                0
    Unicast packets                          0                0
    Broadcast packets                        0                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Incomplete
  Packet Forwarding Engine configuration:
    Destination slot: 1

  Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135)
    Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
     IPv6 transit statistics:
      Input  bytes  :                   0
      Output bytes  :                   0
      Input  packets:                   0
      Output packets:                   0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
     IPv6 transit statistics:
      Input  bytes  :                   0
      Output bytes  :                   0
      Input  packets:                   0
      Output packets:                   0
    Protocol inet, Generation: 144, Route table: 0
      Flags: uRPF
      Addresses, Flags: Is-Preferred Is-Primary

Meaning

The second-to-last line of the display shows the unicast RPF flag enabled. This
confirms that unicast RPF is enabled on interface ge-1/0/10 and thereby on all switch
interfaces. Only the interface on which you configured unicast RPF shows the correct
unicast RPF configuration status. If you check the unicast RPF status on an interface
on which you did not explicitly configure it, the unicast RPF flag is not displayed,
even though unicast RPF is implicitly enabled.

Related Topics

Configuring Unicast RPF (CLI Procedure) on page 390

Disabling Unicast RPF (CLI Procedure) on page 391
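The Meaning section above carries a caveat that matters when this check is automated: the uRPF flag appears only under the logical interface on which rpf-check was configured, so an audit that expects the flag on every unit will raise false alarms. The following Python is an added example, not Juniper's code: it walks show interfaces extensive output, tracks which logical interface and which protocol family it is inside, and reports per unit whether the Protocol inet block lists the uRPF flag. The sample text is constructed in the shape of the output above; ge-1/0/5.0, its index values and its Flags: None line are invented for the second unit.

```python
"""Report which logical interfaces show the uRPF flag in 'show interfaces extensive'.

Added example, not Juniper's code. The flag is only displayed under the
Protocol inet block of the unit where rpf-check was configured, so the audit
keys on the configured unit rather than expecting the flag everywhere.
"""
import re
from typing import Dict, List

# Constructed excerpt in the shape of the output above, trimmed to the lines
# the parser needs: one unit configured with rpf-check, one (invented) without.
SAMPLE = """\
Physical interface: ge-1/0/10, Enabled, Physical link is Down
  Interface index: 139, SNMP ifIndex: 58, Generation: 140

  Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135)
    Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
    Protocol inet, Generation: 144, Route table: 0
      Flags: uRPF
      Addresses, Flags: Is-Preferred Is-Primary

Physical interface: ge-1/0/5, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 53, Generation: 135

  Logical interface ge-1/0/5.0 (Index 65) (SNMP ifIndex 54) (Generation 130)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Protocol inet, Generation: 140, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
"""

PHYSICAL_RE = re.compile(r"^Physical interface: (\S+),")
LOGICAL_RE = re.compile(r"^\s*Logical interface (\S+) ")
PROTO_RE = re.compile(r"^\s*Protocol (\S+),")
FLAGS_RE = re.compile(r"^\s*Flags: (.*)$")   # does not match "Addresses, Flags: ..."


def urpf_status(text: str) -> Dict[str, bool]:
    """Return {logical interface: True if its Protocol inet block lists the uRPF flag}."""
    status: Dict[str, bool] = {}
    current = None      # logical interface whose block we are inside
    in_inet = False     # inside that unit's "Protocol inet" block
    for line in text.splitlines():
        if PHYSICAL_RE.match(line):
            current, in_inet = None, False
            continue
        m = LOGICAL_RE.match(line)
        if m:
            current = m.group(1)
            status[current] = False
            in_inet = False
            continue
        m = PROTO_RE.match(line)
        if m:
            in_inet = m.group(1) == "inet"   # flags of other families are not uRPF
            continue
        m = FLAGS_RE.match(line)
        if m and current and in_inet and "uRPF" in m.group(1).split():
            status[current] = True
    return status


def units_without_urpf(text: str) -> List[str]:
    """Logical interfaces that show no uRPF flag; the text above explains why
    this list is expected to be non-empty even when RPF is globally on."""
    return sorted(name for name, enabled in urpf_status(text).items() if not enabled)


if __name__ == "__main__":
    for name, enabled in urpf_status(SAMPLE).items():
        print(f"{name}: {'uRPF' if enabled else 'no uRPF flag'}")
```

Given the behaviour described above, the meaningful assertion for an EX switch is that the unit you configured reports True; the other units appearing in units_without_urpf is the documented display behaviour, not a misconfiguration.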

Chapter 23

Configuring Interfaces

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring Aggregated Ethernet Interfaces (J-Web Procedure) on page 387

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 389

Configuring Unicast RPF (CLI Procedure) on page 390

Disabling Unicast RPF (CLI Procedure) on page 391

Setting the Mode on an SFP+ Uplink Module (CLI Procedure) on page 392

Configuring Gigabit Ethernet Interfaces (J-Web Procedure)


An Ethernet interface must be configured for optimal performance in a high-traffic
network.
To configure properties on a Gigabit Ethernet interface or a 10-Gigabit Ethernet
interface on an EX Series switch:
1.

From the Configure menu, select Interfaces > Ports.


The page lists Gigabit Ethernet and 10-Gigabit Ethernet interfaces and their link
status.

2.

Select the interface you want to configure. If the interface you want to configure
is not listed under Ports in the top table on the page, select the FPC (the FPC is
the line card on an EX8200 switch or the member switch in a Virtual Chassis
configuration) that includes that interface from the List Ports for FPC list.
Details for the selected interface such as administrative status, link status, speed,
duplex, and flow control are displayed in the bottom table on the page.

NOTE: You can select multiple interfaces and modify their settings at the same time.
When you do this, you cannot modify the IP address or enable or disable the
administrative status of the selected interface.

3.

Click Edit and select the set of options you want to configure first:

Port Role: Enables you to assign a profile for the selected interface.

VLAN Options: Enables you to configure VLAN options for the selected interface.

Link Options: Enables you to modify the following link options for the selected
interface:

Speed

MTU

Autonegotiation

Flow Control

Duplex

IP Options: Enables you to configure an IP address for the interface.

4.

Configure the interface by configuring options in the selected option set. See
Table 56 on page 378 for details on options.

5.

Repeat steps 3 and 4 for the remaining option sets that you want to configure
for the interface.

NOTE: To enable or disable the administrative status for a selected interface, click
Enable Port or Disable Port.

Table 56: Port Edit Options

Field: Port Role
Function: Specifies a profile (role) to assign to the interface.
  NOTE: Once a port role is configured on the interface, you cannot specify VLAN
  options or IP options.
  NOTE: Only the following port roles can be applied on EX8200 switch interfaces:
  Default, Layer 2 uplink, Routed uplink.

Field: Default
Function: Applies the default role. The interface family is set to
  ethernet-switching, port mode is set to access, and RSTP is enabled.
Your Action:
  1. Click Details to view CLI commands for this role.
  2. Click OK.

Field: Desktop
Function: Applies the desktop role. The interface family is set to
  ethernet-switching, port mode is set to access, RSTP is enabled with the edge
  and point-to-point options, and port security parameters (MAC limit = 1;
  dynamic ARP inspection and DHCP snooping enabled) are set.
Your Action:
  1. Select an existing VLAN configuration or type the name of a new VLAN
     configuration to be associated with the interface.
  2. Click Details to view CLI commands for this role.
  3. Click OK.

Field: Desktop and Phone
Function: Applies the desktop and phone role. The interface family is set to
  ethernet-switching, port mode is set to access, port security parameters (MAC
  limit = 1; dynamic ARP inspection and DHCP snooping enabled) are set, and
  recommended CoS parameters are specified for forwarding classes, schedulers,
  and classifiers. See Table 57 on page 382 for more CoS information.
Your Action:
  1. Select an existing VLAN configuration or type the name of a new VLAN
     configuration to be associated with the interface. You can also select an
     existing VoIP VLAN configuration or a new VoIP VLAN configuration to be
     associated with the interface.
  2. Click Details to view CLI commands for this role.
  3. Click OK.

Field: Wireless Access Point
Function: Applies the wireless access point role. The interface family is set to
  ethernet-switching, port mode is set to access, and RSTP is enabled with the
  edge and point-to-point options.
Your Action:
  1. Select an existing VLAN configuration or type the name of a new VLAN
     configuration to be associated with the interface. Type the VLAN ID for a
     new VLAN.
  2. Click Details to view CLI commands for this role.
  3. Click OK.

Field: Routed Uplink
Function: Applies the routed uplink role. The interface family is set to inet,
  and recommended CoS parameters are set for schedulers and classifiers. See
  Table 57 on page 382 for more CoS information.
Your Action:
  To specify an IPv4 address:
  1. Select the check box IPv4 address.
  2. Type an IP address, for example 10.10.10.10.
  3. Enter the subnet mask or address prefix. For example, 24 bits represents
     255.255.255.0.
  4. Click OK.
  To specify an IPv6 address:
  1. Select the check box IPv6 address.
  2. Type an IP address, for example 2001:ab8:85a3::8a2e:370:7334.
  3. Enter the subnet mask or address prefix.
  4. Click OK.

Field: Layer 2 Uplink
Function: Applies the Layer 2 uplink role. The interface family is set to
  ethernet-switching, port mode is set to trunk, RSTP is enabled with the
  point-to-point option, and port security is set to dhcp-trusted.
Your Action:
  1. For this port role you can select a VLAN member and associate a native
     VLAN with the interface.
  2. Click Details to view CLI commands for this role.
  3. Click OK.

Field: None
Function: Specifies that no port role is configured for the selected interface.

NOTE: See Port Role Configuration with the J-Web Interface (with CLI References) on
page 405 for details on the CLI commands that are associated with each port role.

NOTE: For an EX8200 switch, dynamic ARP inspection and DHCP snooping parameters are
not configured.

VLAN Options

Field: Port Mode
Function: Specifies the mode of operation for the interface: trunk or access.
Your Action:
  If you select Trunk, you can:
  1. Click Add to add a VLAN member.
  2. Select the VLAN and click OK.
  3. (Optional) Associate a native VLAN with the interface.
  If you select Access, you can:
  1. Select the VLAN member to be associated with the interface.
  2. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a
     VLAN ID can be associated as a VoIP VLAN.
  Click OK.

Link Options

Field: MTU (bytes)
Function: Specifies the maximum transmission unit size for the interface.
Your Action: Type a value from 256 through 9216. The default MTU for Gigabit
  Ethernet interfaces is 1514.

Field: Speed
Function: Specifies the speed for the mode.
Your Action: Select one of the following values: 10 Mbps, 100 Mbps, or 1000 Mbps.

Field: Duplex
Function: Specifies the link mode.
Your Action: Select one: automatic, half-duplex, or full-duplex.

Field: Description
Function: Describes the link.
  NOTE: If the interface is part of a link aggregation group (LAG), only the
  option Description is enabled.
Your Action: Enter a brief description for the link.

Field: Enable Auto Negotiation
Function: Enables or disables autonegotiation.
Your Action: Select the check box to enable autonegotiation, or clear the check
  box to disable it. By default, autonegotiation is enabled.

Field: Enable Flow Control
Function: Enables or disables flow control.
Your Action: Select the check box to enable flow control to regulate the amount
  of traffic sent out of the interface, or clear the check box to disable flow
  control and permit unrestricted traffic. Flow control is enabled by default.

IP Options

Field: IPv4 Address
Function: Specifies an IPv4 address for the interface.
  NOTE: If the IP address is cleared, the interface still belongs to the inet
  family.
Your Action:
  1. To specify an IPv4 address, select the check box IPv4 address.
  2. Type an IP address, for example 10.10.10.10.
  3. Enter the subnet mask or address prefix. For example, 24 bits represents
     255.255.255.0.
  4. Click OK.

Field: IPv6 Address
Function: Specifies an IPv6 address for the interface.
  NOTE: If the IP address is cleared, the interface still belongs to the inet
  family.
Your Action:
  1. To specify an IPv6 address, select the check box IPv6 address.
  2. Type an IP address, for example 2001:ab8:85a3::8a2e:370:7334.
  3. Enter the subnet mask or address prefix.
  4. Click OK.

Table 57: Recommended CoS Settings for Port Roles

CoS Parameter: Forwarding Classes
Recommended Settings: There are four forwarding classes:
  voice: Queue number is set to 7.
  expedited-forwarding: Queue number is set to 5.
  assured-forwarding: Queue number is set to 1.
  best-effort: Queue number is set to 0.

CoS Parameter: Schedulers
Recommended Settings: The schedulers and their settings are:
  Strict-priority: Transmission rate is set to 10 percent and buffer size to 5
  percent.
  Expedited-scheduler: Transmission rate is set to 30 percent, buffer size to 30
  percent, and priority to low.
  Assured-scheduler: Transmission rate is set to 25 percent, buffer size to 25
  percent, and priority to low.
  Best-effort scheduler: Transmission rate is set to 35 percent, buffer size to
  40 percent, and priority to low.

CoS Parameter: Scheduler maps
Recommended Settings: When a desktop and phone, routed uplink, or layer 2 uplink
  role is applied on an interface, the forwarding classes and schedulers are
  mapped using the scheduler map.

CoS Parameter: ieee-802.1 classifier
Recommended Settings: Imports the default ieee-802.1 classifier configuration
  and sets the loss priority to low for the code point 101 for the voice
  forwarding class.

CoS Parameter: dscp classifier
Recommended Settings: Imports the default dscp classifier configuration and sets
  the loss priority to low for the code point 101110 for the voice forwarding
  class.

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Monitoring Interface Status and Traffic on page 395

EX Series Switches Interfaces Overview on page 339

JUNOS CoS for EX Series Switches Overview on page 1352

Understanding Interface Naming Conventions on EX Series Switches on page 341

Configuring Gigabit Ethernet Interfaces (CLI Procedure)


An Ethernet interface must be configured for optimal performance in a high-traffic
network. EX Series switches include a factory default configuration that:

Enables all the network interfaces on the switch

Sets a default port mode (access)

Sets default link settings

Specifies a logical unit (unit 0) and assigns it to family ethernet-switching

Specifies Spanning Tree Protocol (STP) and Link Layer Discovery Protocol (LLDP)

This topic describes:

Configuring VLAN Options and Port Mode on page 383

Configuring the Link Settings on page 384

Configuring the IP Options on page 385

Configuring the Interfaces on the Uplink Module in EX3200 and EX4200
Switches on page 385

Configuring VLAN Options and Port Mode


The factory default configuration includes a default VLAN and enables interfaces for
the access port mode. Access interfaces typically connect to network devices such
as PCs, printers, IP telephones, and IP cameras.
If you are connecting a desktop phone or wireless access point or a security camera
to a PoE port, you can configure some parameters for the PoE interface. The PoE
interfaces are enabled by default. For detailed information on the PoE settings, see
Configuring PoE (CLI Procedure) on page 1479.
If you are connecting a device to other switches and to routers on the LAN, you need
to assign the interface to a logical port and you need to configure the logical port as
a trunk port. See Port Role Configuration with the J-Web Interface (with CLI
References) on page 405 for more information about port configuration.

To configure a Gigabit Ethernet interface or 10-Gigabit Ethernet interface for trunk
port mode:

[edit]
user@switch# set interfaces interface-name unit logical-unit-number family
ethernet-switching port-mode trunk

Configuring the Link Settings


EX Series switches include a factory default configuration that enables interfaces
with the following link settings:

All the Gigabit Ethernet interfaces are set to auto-negotiation.

The speed for Gigabit Ethernet interfaces is set to auto, allowing the interface to
operate at 10m, 100m or 1g. The link operates at the highest possible speed,
depending on the capabilities of the remote end.

The flow control for Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces
is set to enabled.

The link mode is set to auto, allowing the interface to operate as either full duplex
or half duplex. The link operates as full duplex unless this mode is not supported
at the remote end.

The 10-Gigabit Ethernet interfaces (for the EX-UM-2XFP uplink module) default
to no auto-negotiation. The default speed is 10g and the default link mode is full
duplex.

To configure the link settings:

Set link settings for a Gigabit Ethernet interface:


[edit]
user@switch# set interfaces ge-fpc/pic/port ether-options

Set link settings for a 10-Gigabit Ethernet interface:


[edit]
user@switch# set interfaces xe-fpc/1/port ether-options

NOTE: An uplink module in an EX Series switch is always PIC 1. The 10-Gigabit
Ethernet interface is available only with the EX-UM-2XFP uplink module.

The ether-options statement allows you to modify the configuration for:

802.3ad: Specify an aggregated Ethernet bundle. See Configuring Aggregated
Ethernet Interfaces (CLI Procedure) on page 386.

auto-negotiation: Enable or disable auto-negotiation of flow control, link mode,
and speed.

flow-control: Enable or disable flow control.

link-mode: Specify full-duplex, half-duplex, or automatic.

speed: Specify 10m, 100m, 1g, or autonegotiation.

Configuring the IP Options


To specify an IP address for the logical unit:
[edit]
user@switch# set interfaces interface-name unit logical-unit-number family inet
address ip-address

Configuring the Interfaces on the Uplink Module in EX3200 and EX4200 Switches
By default, the interfaces on the ports on the uplink module installed in EX3200 or
EX4200 switches are enabled. You can disable the interfaces on the uplink module
using a CLI command.
To disable an interface on the uplink module:
[edit]
user@switch# set interfaces interface-name disable

where interface-name is the name of the interface you want to disable.


If an interface on the uplink module is disabled, you can enable the interface using
a CLI command.
To enable an interface on the uplink module:
[edit]
user@switch# set interfaces interface-name enable

where interface-name is the name of the interface you want to enable.


Related Topics

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Monitoring Interface Status and Traffic on page 395

show interfaces ge-

show interfaces xe-

Understanding Interface Naming Conventions on EX Series Switches on page 341

Uplink Modules in EX3200 and EX4200 Switches

Configuring Aggregated Ethernet Interfaces (CLI Procedure)


Use the link aggregation feature to aggregate one or more links to form a virtual link
or aggregation group. The MAC client can treat this virtual link as if it were a single
link. Link aggregation increases bandwidth, provides graceful degradation as failure
occurs, and increases availability.

NOTE: An interface with an already configured IP address cannot form part of the
aggregation group.

To configure aggregated Ethernet interfaces using the CLI:

1. Specify the number of aggregated Ethernet interfaces to be created:

[edit chassis]
user@switch# set aggregated-devices ethernet device-count 2

2. Specify the minimum number of links for the aggregated Ethernet interface (aex),
that is, the defined bundle, to be labeled up:

NOTE: By default only one link must be up for the bundle to be labeled up.

[edit interfaces]
user@switch# set ae0 aggregated-ether-options minimum-links 2

3. Specify the link speed for the aggregated Ethernet bundle:

[edit interfaces]
user@switch# set ae0 aggregated-ether-options link-speed 10g

4. Specify the members to be included within the aggregated Ethernet bundle:

[edit interfaces]
user@switch# set xe-0/1/0 ether-options 802.3ad ae0
user@switch# set xe-1/1/0 ether-options 802.3ad ae0

5. Specify an interface family for the aggregated Ethernet bundle:

[edit interfaces]
user@switch# set ae0 unit 0 family inet address 192.0.2.0/25

For information about adding LACP to a LAG, see Configuring Aggregated Ethernet
LACP (CLI Procedure) on page 389.
Related Topics

Configuring Aggregated Ethernet Interfaces (J-Web Procedure) on page 387

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Verifying the Status of a LAG Interface on page 396

Understanding Aggregated Ethernet Interfaces and LACP on page 343
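The five steps above produce a fixed set of statements whose consistency the switch checks only at commit time. As an added example (not code from the Juniper documentation), the following Python script builds those statements for one or more bundles and checks beforehand the rules the procedure states: the chassis device-count must cover every aeN bundle, minimum-links cannot exceed the member count, members must run at one speed, and a member that already has an IP address cannot join the bundle. The Lag class, the validate and build_set_commands functions and the sample bundle are this example's own assumptions, not part of JUNOS.

```python
"""Generate and sanity-check the JUNOS set statements for a LAG.

Added example, not code from the Juniper documentation. It encodes the
rules the CLI procedure states: the chassis device-count must cover every
aeN bundle, minimum-links cannot exceed the member count, members must
share one speed, and a member that already carries an IP address cannot
join a bundle. The sample input at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

PHYS_RE = re.compile(r"^(ge|xe)-(\d+)/(\d+)/(\d+)$")
SPEED_OF_PREFIX = {"ge": "1g", "xe": "10g"}


@dataclass
class Lag:
    name: str                            # bundle name, e.g. "ae0"
    members: list                        # physical interfaces, e.g. ["xe-0/1/0", "xe-1/1/0"]
    minimum_links: int = 1               # links that must be up for the bundle to be up
    address: Optional[str] = None        # family inet address for unit 0
    lacp: Optional[str] = None           # None, "active" or "passive"
    lacp_periodic: Optional[str] = None  # "fast" or "slow"


def validate(lag: Lag, existing_config) -> list:
    """Return the list of rule violations for one bundle (empty means OK)."""
    problems = []
    if not re.fullmatch(r"ae\d+", lag.name):
        problems.append(f"{lag.name}: bundle name must be aeN")
    if not lag.members:
        problems.append(f"{lag.name}: no member interfaces")
    prefixes = set()
    for m in lag.members:
        match = PHYS_RE.match(m)
        if not match:
            problems.append(f"{m}: not a ge-/xe- physical interface")
            continue
        prefixes.add(match.group(1))
        # A member with an address already configured cannot join the bundle.
        if any(s.startswith(f"set interfaces {m} unit") and " family inet address " in s
               for s in existing_config):
            problems.append(f"{m}: already has an IP address configured")
    if len(prefixes) > 1:
        problems.append(f"{lag.name}: members must run at one speed, got {sorted(prefixes)}")
    if not 1 <= lag.minimum_links <= max(len(lag.members), 1):
        problems.append(f"{lag.name}: minimum-links {lag.minimum_links} exceeds {len(lag.members)} members")
    if lag.lacp not in (None, "active", "passive"):
        problems.append(f"{lag.name}: lacp must be active or passive")
    if lag.lacp_periodic not in (None, "fast", "slow"):
        problems.append(f"{lag.name}: lacp periodic must be fast or slow")
    return problems


def build_set_commands(lags, existing_config=()) -> list:
    """Return the set statements for all bundles, in the order the procedure gives."""
    existing_config = list(existing_config)
    problems = [p for lag in lags for p in validate(lag, existing_config)]
    if problems:
        raise ValueError("; ".join(problems))
    # device-count must be one more than the highest aeN index in use.
    device_count = max(int(lag.name[2:]) for lag in lags) + 1
    cmds = [f"set chassis aggregated-devices ethernet device-count {device_count}"]
    for lag in lags:
        cmds.append(f"set interfaces {lag.name} aggregated-ether-options minimum-links {lag.minimum_links}")
        speed = SPEED_OF_PREFIX[lag.members[0][:2]]
        cmds.append(f"set interfaces {lag.name} aggregated-ether-options link-speed {speed}")
        for m in lag.members:
            cmds.append(f"set interfaces {m} ether-options 802.3ad {lag.name}")
        if lag.address:
            cmds.append(f"set interfaces {lag.name} unit 0 family inet address {lag.address}")
        if lag.lacp:
            cmds.append(f"set interfaces {lag.name} aggregated-ether-options lacp {lag.lacp}")
        if lag.lacp_periodic:
            cmds.append(f"set interfaces {lag.name} aggregated-ether-options lacp periodic {lag.lacp_periodic}")
    return cmds


# Constructed sample: a two-member 10-Gigabit uplink bundle with LACP active.
SAMPLE_LAG = Lag("ae0", ["xe-0/1/0", "xe-1/1/0"], minimum_links=2,
                 address="192.0.2.1/25", lacp="active", lacp_periodic="fast")

if __name__ == "__main__":
    for line in build_set_commands([SAMPLE_LAG]):
        print(line)
```

Running the script prints the eight statements for ae0; feeding it a bundle that mixes ge- and xe- members, or a member that already has an inet address in existing_config, raises a ValueError listing every violation rather than producing a configuration that would fail at commit.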

Configuring Aggregated Ethernet Interfaces (J-Web Procedure)


Use the link aggregation feature to aggregate one or more Ethernet interfaces to form
a virtual link or link aggregation group (LAG). The MAC client can treat this virtual
link as if it were a single link. Link aggregation increases bandwidth, provides graceful
degradation as failure occurs, and increases availability.

NOTE: Interfaces that are already configured with MTU, duplex, flow control, or
logical interfaces are not available for aggregation.

To configure an aggregated Ethernet interface (also referred to as LAG):

1. From the Configure menu, select Interfaces > Link Aggregation.

The list of aggregated interfaces is displayed.

2. Click one of the following:

Add: Creates an aggregated Ethernet interface, or LAG. Enter information
as specified in Table 58 on page 388.

Edit: Modifies a selected LAG.

Aggregation: Modifies settings for the selected LAG. Enter information
as specified in Table 58 on page 388.

VLAN: Specifies VLAN options for the selected LAG. Enter information
as specified in Table 59 on page 389.

Delete: Deletes the selected LAG.

Disable Port or Enable Port: Disables or enables the administrative status on
the selected interface.

Table 58: Aggregated Ethernet Interface Options

Field: Aggregated Interface
Function: Specifies the name of the aggregated interface.
Your Action: None. The name is supplied by the software.

Field: LACP Mode
Function: Specifies the mode in which LACP packets are exchanged between the
interfaces. The modes are:
  None: Indicates that no mode is applicable.
  Active: Indicates that the interface initiates transmission of LACP packets.
  Passive: Indicates that the interface responds only to LACP packets.
Your Action: Select from the list.

Field: Description
Function: Specifies a description for the LAG.
Your Action: Enter a description.

Field: Interface
Function: Specifies the interfaces in the LAG.
Your Action:
  1. Click Add to select the interfaces.
  2. Select an interface and click Remove to remove it from the list.
  NOTE: Only interfaces that are configured with the same speed can be
  selected together for a LAG.

Field: Enable Log
Function: Specifies whether to enable generation of log entries for the LAG.
Your Action: Select the check box to enable log generation, or clear the check
box to disable log generation.

Table 59: VLAN Options

Field: Port Mode
Function: Specifies the mode of operation for the port: trunk or access.
Your Action:
  If you select Trunk, you can:
  1. Click Add to add a VLAN member.
  2. Select the VLAN and click OK.
  3. (Optional) Associate a native VLAN ID with the port.
  If you select Access, you can:
  1. Select the VLAN member to be associated with the port.
  2. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a
  VLAN ID can be associated as a VoIP VLAN.
  Click OK.

Related Topics

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Verifying the Status of a LAG Interface on page 396

Understanding Aggregated Ethernet Interfaces and LACP on page 343

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 389

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Configuring Aggregated Ethernet LACP (CLI Procedure)


For aggregated Ethernet interfaces on EX Series switches, you can configure the Link
Aggregation Control Protocol (LACP). LACP is one method of bundling several physical
interfaces to form one logical interface. You can configure aggregated Ethernet with
or without LACP enabled.
Before you configure LACP, be sure you have:

Configured the aggregated Ethernet bundles. See Configuring Aggregated
Ethernet Interfaces (CLI Procedure) on page 386.

When LACP is enabled, the local and remote sides of the aggregated Ethernet links
exchange protocol data units (PDUs), containing information about the state of the
link. You can configure Ethernet links to actively transmit PDUs, or you can configure
the links to passively transmit them, sending out LACP PDUs only when they receive
them from another link. One side of the link must be configured as active in order
for the link to be up.

To configure LACP:

1. From the [edit interfaces interface-name aggregated-ether-options] hierarchy level,
enable one side of the link as active:

set aex aggregated-ether-options lacp active

2. Specify the interval at which the interfaces send LACP packets:

set aex aggregated-ether-options lacp periodic fast

NOTE: Do not add LACP to a LAG if the remote side is a security device unless the
security device supports LACP. Security devices often do not support LACP since
they require a deterministic configuration.
Related Topics

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring Aggregated Ethernet Interfaces (J-Web Procedure) on page 387

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Verifying the Status of a LAG Interface on page 396

Understanding Aggregated Ethernet Interfaces and LACP on page 343

Configuring Unicast RPF (CLI Procedure)


Unicast reverse-path forwarding (RPF) can help protect your LAN from
denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on untrusted
interfaces. Enabling unicast RPF on the switch interfaces filters traffic with source
addresses that do not use the incoming interface as the best return path back to the
source. When a packet comes into an interface, if that interface is not the best return
path to the source, the switch discards the packet. If the incoming interface is the
best return path to the source, the switch forwards the packet.

NOTE: On EX Series switches, you can only enable unicast RPF globally, on all switch
interfaces. You cannot enable unicast RPF on a per-interface basis.
Before you begin:

Ensure that all switch interfaces are symmetrically routed before you enable
unicast RPF on an interface. A symmetrically routed interface is an interface that
uses the same route in both directions between the source and the destination.
When you enable unicast RPF on any interface, it is enabled globally on all switch
interfaces. Do not enable unicast RPF on asymmetrically routed interfaces. An
asymmetrically routed interface uses different paths to send and receive packets
between the source and the destination.

To enable unicast RPF globally on all switch interfaces, you only need to configure
it explicitly on one interface. However, you can configure it explicitly on every
interface or only on some interfaces. Regardless of how many interfaces on which
you explicitly enable unicast RPF, unicast RPF is implicitly enabled globally after you
explicitly configure it on one interface.
We recommend that you enable unicast RPF explicitly on either all interfaces or only
one interface, but that you do not enable it on only some interfaces:

Enabling unicast RPF explicitly on only one interface makes it easier if you choose
to disable it in the future because you must explicitly disable unicast RPF on
every interface on which you explicitly enabled it. If you explicitly enable unicast
RPF on two interfaces and you disable it on only one interface, unicast RPF is
still implicitly enabled globally on the switch. The drawback to this approach is
that the switch displays unicast RPF status as enabled only on interfaces on
which unicast RPF is explicitly enabled, so even though unicast RPF is enabled
on all interfaces, its status does not display as enabled on all interfaces.

Enabling unicast RPF explicitly on all interfaces makes it easier to know if unicast
RPF is enabled on the switch because every interface shows the correct status.
(Only interfaces on which you explicitly enable unicast RPF display unicast RPF
as enabled.) The drawback to this approach is that if you want to disable unicast
RPF, you must explicitly disable it on every interface. If unicast RPF is enabled
on any interface, it is implicitly enabled on all interfaces.

To enable unicast RPF to filter incoming traffic on all switch interfaces by enabling
it on one interface:
[edit interfaces]
user@switch# set ge-1/0/10 unit 0 family inet rpf-check
Related Topics

Example: Configuring Unicast RPF on an EX Series Switch on page 371

Verifying Unicast RPF Status on page 399

Disabling Unicast RPF (CLI Procedure) on page 391

Troubleshooting Unicast RPF on page 410

Understanding Unicast RPF for EX Series Switches on page 346

Disabling Unicast RPF (CLI Procedure)


Unicast reverse-path forwarding (RPF) can help protect your LAN from
denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on untrusted
interfaces. Unicast RPF filters traffic with source addresses that do not use the
incoming interface as the best return path back to the source. If the network
configuration changes so that an interface that has unicast RPF enabled becomes a
trusted interface or becomes asymmetrically routed (the interface that receives a
packet is not the best return path to the packets source), you should disable unicast
RPF.
To disable unicast RPF on an EX Series switch, you must delete it from every interface
on which you explicitly configured it. If you attempt to delete unicast RPF from an
interface on which it was not explicitly enabled, the message warning: statement not
found displays. If you do not disable unicast RPF on every interface on which you
explicitly enabled it, unicast RPF remains implicitly enabled on all switch interfaces.
To disable unicast RPF on all switch interfaces, explicitly disable unicast RPF on every
interface on which it was explicitly enabled:
[edit interfaces]
user@switch# delete ge-1/0/10 unit 0 family inet rpf-check
Related Topics

Example: Configuring Unicast RPF on an EX Series Switch on page 371

Verifying Unicast RPF Status on page 399

Configuring Unicast RPF (CLI Procedure) on page 390

Understanding Unicast RPF for EX Series Switches on page 346
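Both procedures above hinge on one rule: rpf-check on any one logical interface enables unicast RPF on every interface, and it stays on until rpf-check is deleted from every interface where it was explicitly configured. The following Python script, an added example that is not part of the Juniper documentation, audits a configuration given as set statements against that rule: it lists the explicit interfaces, reports per interface whether unicast RPF is actually in force versus whether the switch will display it as enabled, and emits the complete set of delete statements needed to disable it. The sample configuration and all function names are constructed for this example.

```python
"""Audit unicast RPF in an EX Series configuration given as set statements.

Added example, not from the Juniper documentation. It encodes the rules
the text states: rpf-check on any one interface enables unicast RPF on
all interfaces, only explicit interfaces display it as enabled, and
disabling it means deleting rpf-check from every explicit interface.
SAMPLE_CONFIG is constructed.
"""
import re

RPF_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet rpf-check$")

SAMPLE_CONFIG = [
    "set interfaces ge-1/0/10 unit 0 family inet address 10.0.1.1/24",
    "set interfaces ge-1/0/10 unit 0 family inet rpf-check",
    "set interfaces ge-1/0/11 unit 0 family inet address 10.0.2.1/24",
    "set interfaces ge-1/0/11 unit 0 family inet rpf-check",
    "set interfaces ge-1/0/12 unit 0 family inet address 10.0.3.1/24",
]


def explicit_rpf_units(config_lines):
    """Logical interfaces (e.g. 'ge-1/0/10.0') on which rpf-check is configured."""
    units = []
    for line in config_lines:
        m = RPF_RE.match(line.strip())
        if m:
            units.append(f"{m.group(1)}.{m.group(2)}")
    return units


def urpf_globally_enabled(config_lines):
    """One explicit rpf-check is enough to enable unicast RPF on every interface."""
    return bool(explicit_rpf_units(config_lines))


def status_report(config_lines, all_units):
    """Per unit: whether unicast RPF is in force and whether the switch shows it."""
    explicit = set(explicit_rpf_units(config_lines))
    enabled = bool(explicit)
    return {u: {"enabled": enabled, "displays_urpf_flag": u in explicit} for u in all_units}


def disable_commands(config_lines):
    """Every delete statement required; leaving one out keeps unicast RPF on."""
    cmds = []
    for unit in explicit_rpf_units(config_lines):
        ifname, unit_no = unit.rsplit(".", 1)
        cmds.append(f"delete interfaces {ifname} unit {unit_no} family inet rpf-check")
    return cmds


def apply_deletes(config_lines, deletes):
    """Simulate the deletes: drop matching statements, warn about absent ones."""
    remaining = list(config_lines)
    warnings = []
    for d in deletes:
        target = "set" + d[len("delete"):]
        if target in remaining:
            remaining.remove(target)
        else:
            warnings.append(f"warning: statement not found: {d}")
    return remaining, warnings


if __name__ == "__main__":
    print("explicit:", explicit_rpf_units(SAMPLE_CONFIG))
    print("global:", urpf_globally_enabled(SAMPLE_CONFIG))
    for cmd in disable_commands(SAMPLE_CONFIG):
        print(cmd)
```

With the sample configuration, ge-1/0/12.0 reports enabled but not displayed, which is exactly the blind spot the two bullets above describe; applying only the first delete statement leaves unicast RPF globally enabled, and deleting from an interface that never had rpf-check yields the same "statement not found" warning the switch prints.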

Setting the Mode on an SFP+ Uplink Module (CLI Procedure)


SFP+ uplink modules are supported on EX3200 and EX4200 switches. You can use
these uplink modules either for two SFP+ transceivers or four SFP transceivers. You
configure the operating mode on the module to match the type of transceiver you
want to use; that is, for SFP+ transceivers, you configure the 10-gigabit operating
mode, and for SFP transceivers, you configure the 1-gigabit operating mode.
By default, the SFP+ uplink module operates in the 10-gigabit mode and supports
only SFP+ transceivers. If you have not changed the module from the default setting
and you want to use SFP+ transceivers, you do not need to configure the operating
mode.

To set the operating mode of an SFP+ uplink module:

1. Change the operating mode to the appropriate mode for the transceiver type
you want to use by using one of the following commands:

[edit]
user@switch# set chassis fpc 0 pic 1 sfpplus pic-mode 1g

[edit]
user@switch# set chassis fpc 0 pic 1 sfpplus pic-mode 10g

2. Reboot the switch.

If you commit the configuration but then do not reboot the switch, the new
configuration does not take effect; that is, the operating mode of the uplink module
is not changed. You can see whether the operating mode has been changed to the
new mode you configured by issuing the show chassis pic fpc-slot slot-number pic-slot
1 command.
Related Topics

Uplink Modules in EX3200 and EX4200 Switches

Optical Interface Support in EX3200 and EX4200 Switches


Chapter 24

Verifying Interfaces

Monitoring Interface Status and Traffic on page 395

Verifying the Status of a LAG Interface on page 396

Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets on page 397

Verifying That Layer 3 Subinterfaces Are Working on page 398

Verifying Unicast RPF Status on page 399

Monitoring Interface Status and Traffic

Purpose

Use the monitoring functionality to view interface status or to monitor interface
bandwidth utilization and traffic statistics on the EX Series switches.
The J-Web interface monitors interface bandwidth utilization and plots real-time
charts to display input and output rates in bytes per second. In addition, the Interface
monitoring page displays input and output packet counters and error counters in the
form of charts.
Alternatively, you can enter the show commands in the CLI to view interface status
and traffic statistics.

Action

To view general interface information in the J-Web interface such as available
interfaces, select Monitor > Interfaces. Click any interface to view details about its
status.
In order to set up interface monitoring for Virtual Chassis and EX8200 switches,
select a member from the Port for FPC list. Details such as the admin status and link
status are displayed in the table.

NOTE: By default, the details of the first member in the Port for FPC drop-down list
are displayed.

You have the following options:

Start/Stop: Starts or stops monitoring the selected interface.

Show Graph: Displays input and output packet counters and error counters in
the form of charts. Also, click on the pop-up icon to view the graph in a separate
window.

Clear Statistics: Clears the statistics for the interface selected from the table.

Using the CLI:

To view interface status for all the interfaces, enter show interfaces xe-.

To view status and statistics for a specific interface, enter show interfaces
xe-interface-name.

To view status and traffic statistics for all interfaces, enter either show interfaces
xe- detail or show interfaces xe- extensive.

Meaning

In the J-Web interface the charts displayed are:

Bar charts: Display the input and output error counters.

Pie charts: Display the number of broadcast, unicast, and multicast packet
counters.

For details about output from the CLI commands, see show interfaces ge- (Gigabit
Ethernet) or show interfaces xe- (10-Gigabit Ethernet).
Related Topics

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Verifying the Status of a LAG Interface

Purpose

Verify that a LAG (ae0) has been created on the switch.

Action

show interfaces ae0 terse
Interface               Admin Link Proto Local            Remote
ae0                     up    up
ae0.0                   up    up   inet  10.10.10.2/24

Meaning

The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.

Related Topics

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring Aggregated Ethernet Interfaces (J-Web Procedure) on page 387

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets

To verify that LACP has been set up correctly and that the bundle members are
transmitting LACP protocol packets:
1. Verifying the LACP Setup on page 397
2. Verifying That the LACP Packets Are Being Exchanged on page 397

Verifying the LACP Setup

Purpose

Verify that the LACP has been set up correctly.

Action

Use the show lacp interfaces interface-name command to check that LACP has been
enabled as active on one end.

show lacp interfaces xe-0/1/0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast   Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State   Mux State
      xe-0/1/0                Defaulted   Fast periodic    Detached

Meaning

This example shows that LACP has been configured with one side as active and the
other as passive. When LACP is enabled, one side must be set as active in order for
the bundled link to be up.
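Reading the LACP state table by eye is error-prone once a bundle has several members. As an added example that is not part of the Juniper documentation, the Python script below parses the show lacp interfaces output shown above and flags the conditions that keep a bundle from forwarding: neither Actor nor Partner in Active mode, a Def flag of Yes (the partner information is defaulted because no PDUs have been received from the peer), or a Mux state other than Collecting distributing. The SAMPLE_OUTPUT string is constructed to match the output format above, and the function names are this example's own.

```python
"""Parse 'show lacp interfaces' output and flag LACP problems.

Added example, not from the Juniper documentation. SAMPLE_OUTPUT is
constructed after the output format documented above.
"""
import re

SAMPLE_OUTPUT = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast   Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State   Mux State
      xe-0/1/0                Defaulted   Fast periodic    Detached
"""

STATE_COLS = ["role", "exp", "def", "dist", "col", "syn", "aggr", "timeout", "activity"]
# Receive and mux states may be one or two words; the transmit state is the
# column to anchor on because it always reads "... periodic" or "Periodic timer".
PROTO_RE = re.compile(
    r"^(\S+)\s+(.+?)\s+((?:Fast|Slow|No) periodic|Periodic timer)\s+(.+)$")


def parse_lacp(text):
    """Return {"bundle": str, "state": [rows], "protocol": [rows]}."""
    parsed = {"bundle": None, "state": [], "protocol": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("Aggregated interface:"):
            parsed["bundle"] = s.split(":", 1)[1].strip()
            section = None
        elif s.startswith("LACP state:"):
            section = "state"
        elif s.startswith("LACP protocol:"):
            section = "protocol"
        elif section == "state":
            parts = s.split()
            if len(parts) == len(STATE_COLS) + 1:
                row = dict(zip(STATE_COLS, parts[1:]))
                row["interface"] = parts[0]
                parsed["state"].append(row)
        elif section == "protocol":
            m = PROTO_RE.match(s)
            if m:
                parsed["protocol"].append({"interface": m.group(1), "receive": m.group(2),
                                           "transmit": m.group(3), "mux": m.group(4)})
    return parsed


def lacp_problems(parsed):
    """Conditions that keep the bundle from carrying traffic."""
    problems = []
    # One side must be Active or the bundle never comes up.
    if not any(r["activity"] == "Active" for r in parsed["state"]):
        problems.append("neither Actor nor Partner is Active; the bundle cannot come up")
    for r in parsed["state"]:
        if r["def"] == "Yes":
            problems.append(f"{r['interface']} {r['role']}: Def=Yes, no LACP PDUs received from the peer")
    for r in parsed["protocol"]:
        if r["mux"] != "Collecting distributing":
            problems.append(f"{r['interface']}: mux state is {r['mux']}, not forwarding")
    return problems


if __name__ == "__main__":
    parsed = parse_lacp(SAMPLE_OUTPUT)
    print("bundle:", parsed["bundle"])
    for problem in lacp_problems(parsed):
        print("-", problem)
```

On the sample output the script reports that the activity setting is fine (one side is Active) but that both rows carry Def=Yes and the member is Detached, which matches the "Physical link is Down" state in the statistics output that follows.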

Verifying That the LACP Packets Are Being Exchanged

Purpose

Verify that LACP packets are being exchanged between interfaces.

Action

Use the show interfaces aex statistics command to display LACP BPDU exchange
information.

show interfaces ae0 statistics
Physical interface: ae0, Enabled, Physical link is Down
  Interface index: 153, SNMP ifIndex: 30
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0
  Last flapped   : Never
  Statistics last cleared: Never
  Input packets : 0
  Output packets: 0
  Input errors: 0, Output errors: 0

  Logical interface ae0.0 (Index 71) (SNMP ifIndex 34)
    Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Protocol inet, Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning

The output here shows that the link is down and that no PDUs are being exchanged
(when there is no other traffic flowing on the link).

Related Topics

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 389

Verifying the Status of a LAG Interface on page 396

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Verifying That Layer 3 Subinterfaces Are Working

Purpose

After configuring Layer 3 subinterfaces, verify they are set up properly and
transmitting data.

Action

1. Use the show interfaces command to determine if you successfully created the
subinterfaces and the links are up:

user@switch> show interfaces ge-chassis/slot/port terse
Interface               Admin Link Proto Local            Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet  1.1.1.1/24
ge-0/0/0.1              up    up   inet  2.1.1.1/24
ge-0/0/0.2              up    up   inet  3.1.1.1/24
ge-0/0/0.3              up    up   inet  4.1.1.1/24
ge-0/0/0.4              up    up   inet  5.1.1.1/24
ge-0/0/0.32767          up    up

2. Use the ping command from a device on one subnet to an address on another
subnet to determine if packets were transmitted correctly on the subinterface
VLANs:

user@switch> ping ip-address
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.157 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.238 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.255 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.128 ms
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss

Meaning

The output confirms that the subinterfaces are created and the links are up.

Related Topics

Configuring a Layer 3 Subinterface (CLI Procedure)

Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an
Access Switch on page 363
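The two show interfaces terse checks in this chapter (the ae0 bundle under Verifying the Status of a LAG Interface and the ge-0/0/0 subinterfaces here) read the same column layout. The following Python script, an added example and not Juniper code, parses that layout, reports whether a given interface is both administratively and physically up, collects the inet addresses of a port's subinterfaces, and checks that those subinterface subnets do not overlap, since two VLANs sharing address space defeats the per-VLAN separation the subinterfaces are meant to give. The sample output is constructed after the format shown above; the function names are this example's own.

```python
"""Parse 'show interfaces terse' output and check link and address state.

Added example, not from the Juniper documentation. The columns are
Interface, Admin, Link, Proto, Local and Remote; a physical interface
carries only the first three. The sample output is constructed after
the format shown on this page.
"""
import ipaddress

SAMPLE_TERSE = """\
user@switch> show interfaces terse
Interface               Admin Link Proto Local            Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet  1.1.1.1/24
ge-0/0/0.1              up    up   inet  2.1.1.1/24
ge-0/0/0.2              up    up   inet  3.1.1.1/24
ge-0/0/0.32767          up    up
ae0                     up    up
ae0.0                   up    up   inet  10.10.10.2/24
"""


def parse_terse(text):
    """Return {interface: {admin, link, proto, local, remote}} from terse output."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the echoed command and the column header.
        if len(parts) < 3 or parts[0] == "Interface" or parts[0].endswith(">"):
            continue
        rows[parts[0]] = {
            "admin": parts[1],
            "link": parts[2],
            "proto": parts[3] if len(parts) > 3 else None,
            "local": parts[4] if len(parts) > 4 else None,
            "remote": parts[5] if len(parts) > 5 else None,
        }
    return rows


def is_up(rows, name):
    """True only when the interface exists and is both admin and link up."""
    r = rows.get(name)
    return bool(r) and r["admin"] == "up" and r["link"] == "up"


def inet_addresses(rows, physical):
    """Local inet address of each logical unit (subinterface) of a port."""
    prefix = physical + "."
    return {n: r["local"] for n, r in rows.items()
            if n.startswith(prefix) and r["proto"] == "inet" and r["local"]}


def overlapping_subnets(addresses):
    """Pairs of units whose subnets overlap; each VLAN should have its own subnet."""
    nets = [(unit, ipaddress.ip_interface(addr).network) for unit, addr in addresses.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    rows = parse_terse(SAMPLE_TERSE)
    print("ae0 up:", is_up(rows, "ae0"))
    addrs = inet_addresses(rows, "ge-0/0/0")
    print("subinterfaces:", addrs)
    print("overlaps:", overlapping_subnets(addrs))
```

The unit 32767 that appears in the output above is reported as up but carries no inet address, so inet_addresses skips it; is_up returns False for an interface that is absent from the output, which is the case to watch for after a typo in the aeN name.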

Verifying Unicast RPF Status

Purpose

Verify that unicast reverse-path forwarding (RPF) is enabled and is working on the
interface.

Action

Use either the show interfaces ge- extensive command or the show interfaces ge- detail
command to verify that unicast RPF is enabled and working on the switch. The
example below displays output from the show interfaces ge- extensive command.

user@switch> show interfaces ge-1/0/10 extensive
Physical interface: ge-1/0/10, Enabled, Physical link is Down
  Interface index: 139, SNMP ifIndex: 58, Generation: 140
  Link-level type: Ethernet, MTU: 1514, Speed: Auto, MAC-REWRITE Error: None,
  Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:95:ab, Hardware address: 00:19:e2:50:95:ab
  Last flapped   : Never
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  IPv6 transit statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : LINK
  Active defects : LINK
  MAC statistics:                      Receive         Transmit
    Total octets                             0                0
    Total packets                            0                0
    Unicast packets                          0                0
    Broadcast packets                        0                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Incomplete
  Packet Forwarding Engine configuration:
    Destination slot: 1

  Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135)
    Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    IPv6 transit statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    IPv6 transit statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Protocol inet, Generation: 144, Route table: 0
      Flags: uRPF
      Addresses, Flags: Is-Preferred Is-Primary

Meaning

The show interfaces ge-1/0/10 extensive command (and the show interfaces ge-1/0/10
detail command) displays in-depth information about the interface. The Flags: output
field near the bottom of the display reports the unicast RPF status. If unicast RPF
has not been enabled, the uRPF flag does not display.

NOTE: The unicast RPF status displays as enabled only on interfaces for which you
have explicitly configured unicast RPF. When you enable unicast RPF on one interface,
it is automatically enabled on all switch interfaces including LAGs and RVIs. However,
the uRPF flag does not display on interfaces for which you have not explicitly
configured unicast RPF even though unicast RPF is implicitly enabled on those
interfaces.

Related Topics

show interfaces xe-

Example: Configuring Unicast RPF on an EX Series Switch on page 371

Configuring Unicast RPF (CLI Procedure) on page 390

Disabling Unicast RPF (CLI Procedure) on page 391

Troubleshooting Unicast RPF on page 410
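The uRPF flag sits several screens into the show interfaces extensive output, and the NOTE above means its absence does not prove unicast RPF is off. As an added example that is not part of the Juniper documentation, the Python script below extracts the Protocol inet flags of each logical interface from that output and compares them with the list of interfaces on which rpf-check is explicitly configured: an explicit interface without the flag points to an uncommitted or mistyped configuration, while an implicit interface without the flag is expected. The sample output is constructed after the format above and shortened to the lines that matter; the function names are this example's own.

```python
"""Find the uRPF flag per logical interface in 'show interfaces extensive' output.

Added example, not from the Juniper documentation. The sample output is
constructed after the documented format and shortened to the lines that
matter: the "Logical interface" header, the "Protocol inet" block and its
"Flags:" line.
"""
import re

SAMPLE_EXTENSIVE = """\
Physical interface: ge-1/0/10, Enabled, Physical link is Down
  Interface index: 139, SNMP ifIndex: 58, Generation: 140
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0

  Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135)
    Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
    Protocol inet, Generation: 144, Route table: 0
      Flags: uRPF
      Addresses, Flags: Is-Preferred Is-Primary

Physical interface: ge-1/0/11, Enabled, Physical link is Up
  Interface index: 140, SNMP ifIndex: 60, Generation: 141

  Logical interface ge-1/0/11.0 (Index 70) (SNMP ifIndex 61) (Generation 136)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Protocol inet, Generation: 145, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
"""

LOGICAL_RE = re.compile(r"^Logical interface (\S+)")


def parse_inet_flags(text):
    """Map each logical interface to the flag list of its 'Protocol inet' block.

    A value of None means the unit has no inet family in the output.
    """
    result = {}
    current = None      # logical interface whose block we are inside
    in_inet = False     # True between 'Protocol inet,' and its 'Flags:' line
    for line in text.splitlines():
        s = line.strip()
        m = LOGICAL_RE.match(s)
        if m:
            current = m.group(1)
            in_inet = False
            result[current] = None
            continue
        if current is None:
            continue
        if s.startswith("Protocol "):
            # 'Protocol inet6,' must not be mistaken for the IPv4 family.
            in_inet = s.startswith("Protocol inet,") or s == "Protocol inet"
            continue
        if in_inet and s.startswith("Flags:"):
            flags = s[len("Flags:"):].split()
            result[current] = [] if flags == ["None"] else flags
            in_inet = False
    return result


def urpf_displayed(parsed):
    """Logical interfaces whose inet flags include uRPF, i.e. explicit rpf-check."""
    return sorted(u for u, flags in parsed.items() if flags and "uRPF" in flags)


def verify_display(parsed, explicit_units):
    """Cross-check the output against the configuration.

    Returns (missing, unexpected): explicit units that do not show the flag,
    and units that show it without being in the explicit list. Units in
    neither list are implicitly enabled whenever explicit_units is non-empty
    and are not reported.
    """
    shown = set(urpf_displayed(parsed))
    explicit = set(explicit_units)
    return sorted(explicit - shown), sorted(shown - explicit)


if __name__ == "__main__":
    parsed = parse_inet_flags(SAMPLE_EXTENSIVE)
    print("uRPF flag shown on:", urpf_displayed(parsed))
    print("missing/unexpected:", verify_display(parsed, ["ge-1/0/10.0", "ge-1/0/12.0"]))
```

The explicit_units argument is the list you get from the configuration (every unit with family inet rpf-check); a non-empty "missing" result after a commit is the signal to re-check the statement on that interface.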


Chapter 25

Troubleshooting Interfaces

Troubleshooting an Aggregated Ethernet Interface on page 403

Troubleshooting Network Interfaces on EX3200 and EX4200 Switches on page 404

Port Role Configuration with the J-Web Interface (with CLI References) on page 405

Troubleshooting Interface Configuration and Cable Faults on page 409

Troubleshooting Unicast RPF on page 410

Troubleshooting Uplink Module Installation or Replacement on EX3200 and
EX4200 Switches on page 411

Troubleshooting an Aggregated Ethernet Interface

Problem

The show interfaces terse command shows that the LAG is down.

Solution

Check the following:

Verify that there is no configuration mismatch.

Verify that all member ports are up.

Verify that a LAG is part of family ethernet-switching (Layer 2 LAG) or family
inet (Layer 3 LAG).

Verify that the LAG member is connected to the correct LAG at the other end.

Verify that the LAG members belong to the same switch (or the same Virtual
Chassis).

Related Topics

Verifying the Status of a LAG Interface on page 396

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Troubleshooting Network Interfaces on EX3200 and EX4200 Switches


This topic provides troubleshooting information for specific problems related to
interfaces on EX3200 and EX4200 switches.

The interface on one of the last four built-in network ports in an EX3200 switch
(for example, interface ge-0/0/23) is down on page 404

The interface on the port in which an SFP or SFP+ transceiver is installed in an


SFP+ uplink module is down on page 404

The interface on one of the last four built-in network ports in an EX3200 switch (for
example, interface ge-0/0/23) is down
Problem

The interface on one of the last four built-in ports (ge-0/0/20 through ge-0/0/23 on
24-port models or ge-0/0/44 through ge-0/0/47 on 48-port models) of an EX3200
switch is down.
An SFP or SFP+ uplink module is installed in the switch and a transceiver is installed
in one of the ports on the uplink module.
When you check the status with the CLI command show interfaces ge- or with the
J-Web user interface, the disabled port is not listed.

Cause

The last four built-in ports use the same ASIC as the SFP uplink module. Therefore,
if you install a transceiver in an SFP or SFP+ uplink module installed in an EX3200
switch, a corresponding base port from the last four built-in ports is disabled.

Solution

If you need to use the disabled built-in port, you must remove the transceiver from
the SFP or SFP+ uplink module. Alternatively, you can install an XFP uplink module
instead of an SFP or SFP+ uplink module. There is no conflict between the built-in
network ports and the ports on the XFP uplink modules.

The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+
uplink module is down
Problem

The interface on the port in which an SFP or SFP+ transceiver is installed in an


SFP+ uplink module installed in an EX3200 or EX4200 switch is down.
When you check the status with the CLI command show interfaces ge- or with the
J-Web user interface, the disabled port is not listed.

Cause

By default, the SFP+ uplink module operates in the 10-gigabit mode and supports
only SFP+ transceivers. The operating mode for the module is incorrectly set.

Solution

Either SFP+ or SFP transceivers can be installed in SFP+ uplink modules. You must
configure the operating mode of the SFP+ uplink module to match the type of
transceiver you want to use. For SFP+ transceivers, configure the 10-gigabit operating
mode and for SFP transceivers, configure the 1-gigabit operating mode. See Setting
the Mode on an SFP+ Uplink Module (CLI Procedure) on page 392.

Related Topics

Troubleshooting Uplink Module Installation or Replacement on EX3200 and
EX4200 Switches on page 411

Monitoring Interface Status and Traffic on page 395

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Removing a Transceiver from an EX Series Switch

Uplink Modules in EX3200 and EX4200 Switches

EX Series Switches Interfaces Overview on page 339

Port Role Configuration with the J-Web Interface (with CLI References)
When you configure Gigabit Ethernet interface properties with the J-Web interface
(Configure > Interfaces) you can optionally select pre-configured port roles for those
interfaces. When you select a role from the Port Role field and apply it to a port, the
J-Web interface modifies the switch configuration using CLI commands. Table 60 on
page 405 lists the CLI commands applied for each port role.

NOTE: If there is an existing port role configuration, it is cleared before the new port
role configuration is applied.

Table 60: Port Role Configuration Summary

Each entry gives the configuration description, followed (indented) by the CLI
commands that are applied. The placeholders interface, vlan-name, vlan-id,
vlan-members and ip-address stand for the values selected in the J-Web interface.

Default Port Role

Set the port role to Default.
    set interfaces interface apply-macro juniper-port-profile Default

Set port family to ethernet-switching. Set port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access

Enable RSTP if redundant trunk groups are not configured.
    delete protocols rstp interface interface disable

Disable RSTP if redundant trunk groups are configured.
    set protocols rstp interface interface disable

Desktop Port Role

Set the port role to Desktop.
    set interfaces interface apply-macro juniper-port-profile Desktop

Set VLAN if new VLAN is specified.
    set vlans vlan-name vlan-id vlan-id

Set port family to ethernet-switching. Set port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access

Set VLAN on port stanza if new VLAN is specified.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members

Set port security parameters.
    set ethernet-switching-options secure-access-port vlan MacTest arp-inspection

Set RSTP protocol with edge option.
    set protocols rstp interface interface edge

RSTP protocol is disabled if redundant trunk groups are configured.
    set protocols rstp interface interface disable

Desktop and Phone Port Role

Set the port role to Desktop and Phone.
    set interfaces interface apply-macro juniper-port-profile Desktop and Phone

Set data VLAN if new VLAN is specified. Set voice VLAN if new voice VLAN is specified.
    set vlans vlan-name vlan-id vlan-id

Set port family to ethernet-switching. Set port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access

Set data VLAN on port stanza.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members

Set port security parameters.
    set ethernet-switching-options secure-access-port vlan MacTest arp-inspection

Set VoIP VLAN.
    set ethernet-switching-options voip interface interface.0 vlan vlan-name

Set class-of-service parameters.
    set class-of-service interfaces interface scheduler-map juniper-port-profile-map
    set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier
    set class-of-service interfaces interface unit 0 classifiers dscp juniper_dscp_classifier

    SCHEDULER_MAP=juniper-port-profile-map
    IEEE_CLASSIFIER=juniper_ieee_classifier
    DSCP_CLASSIFIER=juniper_dscp_classifier

Set CoS configuration.
    Refer to Table 61 on page 408 for details.

Wireless Access Point Port Role

Set the port role to Wireless Access Point.
    set interfaces interface apply-macro juniper-port-profile Wireless Access Point

Set VLAN on VLANs stanza.
    set vlans vlan-name vlan-id vlan-id

Set port family to ethernet-switching. Set port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access

Set VLAN on port stanza.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members

Set RSTP protocol with edge option.
    set protocols rstp interface interface edge

RSTP protocol is disabled if redundant trunk groups are configured.
    set protocols rstp interface interface disable

Routed Uplink Port Role

Set the port role to Routed Uplink.
    set interfaces interface apply-macro juniper-port-profile Routed Uplink

Set port family to inet. Set IP address on the port.
    set interfaces interface unit 0 family inet address ip-address

Set class-of-service parameters.
    set class-of-service interfaces interface scheduler-map juniper-port-profile-map
    set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier
    set class-of-service interfaces interface unit 0 classifiers dscp juniper_dscp_classifier

    SCHEDULER_MAP=juniper-port-profile-map
    IEEE_CLASSIFIER=juniper_ieee_classifier
    DSCP_CLASSIFIER=juniper_dscp_classifier

Set CoS configuration.
    Refer to Table 61 on page 408 for details.

Layer 2 Uplink Port Role

Set the port role to Layer 2 Uplink.
    set interfaces interface apply-macro juniper-port-profile Layer2 Uplink

Set port family to ethernet-switching. Set port mode to trunk.
    set interfaces interface unit 0 family ethernet-switching port-mode trunk

Set native VLAN name.
    set interfaces interface unit 0 family ethernet-switching native-vlan-id vlan-name

Set the port as part of all valid VLANs; "valid" refers to all VLANs except the native
VLAN and voice VLANs.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members

Set port security parameter.
    set ethernet-switching-options secure-access-port dhcp-trusted

Set RSTP protocol with point-to-point option.
    set protocols rstp interface interface mode point-to-point

Disable RSTP if redundant trunk groups are configured.
    set protocols rstp interface interface disable

Set class-of-service parameters.
    set class-of-service interfaces interface scheduler-map juniper-port-profile-map
    set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier
    set class-of-service interfaces interface unit 0 classifiers dscp juniper_dscp_classifier

    SCHEDULER_MAP=juniper-port-profile-map
    IEEE_CLASSIFIER=juniper_ieee_classifier
    DSCP_CLASSIFIER=juniper_dscp_classifier

Set CoS configuration.
    Refer to Table 61 on page 408 for details.

Table 61 on page 408 lists the CLI commands for the recommended CoS settings that
are committed when the CoS configuration is set.

Table 61: Recommended CoS Settings for Port Roles

Each entry gives the CoS parameter, followed (indented) by the CLI commands.

Forwarding Classes

voice
    set class-of-service forwarding-classes class voice queue-num 7

expedited-forwarding
    set class-of-service forwarding-classes class expedited-forwarding queue-num 5

assured-forwarding
    set class-of-service forwarding-classes class assured-forwarding queue-num 1

best-effort
    set class-of-service forwarding-classes class best-effort queue-num 0

Schedulers

strict-priority-scheduler
    set class-of-service schedulers strict-priority-scheduler transmit-rate percent 10
    set class-of-service schedulers strict-priority-scheduler buffer-size percent 5
    set class-of-service schedulers strict-priority-scheduler priority strict-high

expedited-scheduler
    set class-of-service schedulers expedited-scheduler transmit-rate percent 30
    set class-of-service schedulers expedited-scheduler buffer-size percent 30
    set class-of-service schedulers expedited-scheduler priority low

assured-scheduler
    set class-of-service schedulers assured-scheduler transmit-rate percent 25
    set class-of-service schedulers assured-scheduler buffer-size percent 25
    set class-of-service schedulers assured-scheduler priority low

best-effort-scheduler
    set class-of-service schedulers best-effort-scheduler transmit-rate percent 35
    set class-of-service schedulers best-effort-scheduler buffer-size percent 40
    set class-of-service schedulers best-effort-scheduler priority low

Classifiers
    set class-of-service classifiers ieee-802.1 juniper_ieee_classifier import default forwarding-class voice loss-priority low code-points 101
    set class-of-service classifiers dscp juniper_dscp_classifier import default forwarding-class voice loss-priority low code-points 101110

Related Topics

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Troubleshooting Interface Configuration and Cable Faults


Troubleshooting interface configuration and connectivity on the EX Series switch:
1. Interface Configuration or Connectivity Is Not Working on page 409

Interface Configuration or Connectivity Is Not Working


Problem

You encounter errors when you attempt to configure an interface on the switch, or
the interface is exhibiting connectivity problems.

Solution

Use the port troubleshooter feature in the J-Web interface to identify and rectify port
configuration and connectivity related problems.
To use the J-Web interface port troubleshooter:

1. Select the option Troubleshoot from the main menu.

2. Click Troubleshoot Port. The Port Troubleshooting wizard is displayed. Click Next.

3. Select the ports to troubleshoot.

4. Select the test cases to be executed on the selected port. Click Next.
   When the selected test cases are executed, the final result and the recommended
   action are displayed.

If there is a cable fault, the port troubleshooter displays details and the recommended
action. For example, the cable must be replaced.
If the port configuration needs to be modified, the port troubleshooter displays details
and the recommended action.

Related Topics

Monitoring Interface Status and Traffic on page 395

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 79

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81

Troubleshooting Unicast RPF


Troubleshooting issues for unicast reverse-path forwarding (RPF) on EX Series switches
include:
1. Legitimate Packets Are Discarded on page 410

Legitimate Packets Are Discarded


Problem

The switch filters valid packets from legitimate sources, which results in the switch's
discarding packets that should be forwarded.

Solution

The interface or interfaces on which legitimate packets are discarded are
asymmetrically routed interfaces. An asymmetrically routed interface uses different
paths to send and receive packets between the source and the destination, so the
interface that receives a packet is not the same interface the switch uses to reply to
the packet's source.
Unicast RPF works properly only on symmetrically routed interfaces. A symmetrically
routed interface is an interface that uses the same route in both directions between
the source and the destination. Unicast RPF filters packets by checking the forwarding
table for the best return path to the source of an incoming packet. If the best return
path uses the same interface as the interface that received the packet, the switch
forwards the packet. If the best return path uses a different interface than the interface
that received the packet, the switch discards the packet.
To avoid having the switch discard legitimate packets, ensure that all switch interfaces
(including LAGs and RVIs) are symmetrically routed before you enable unicast RPF,
because unicast RPF is enabled globally on all switch interfaces. If one or more switch
interfaces are asymmetrically routed, do not enable unicast RPF on the switch.
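
The check described above, modelled as an added example (not code from the guide or from JUNOS): a strict unicast RPF lookup against a constructed forwarding table, plus the audit a practitioner would run before enabling the feature, listing the observed (ingress interface, source address) pairs the check would discard. All interface names, prefixes and addresses are constructed.

```python
"""Strict unicast RPF check against a forwarding table.

Added example, not code from the guide or from JUNOS: it models the check
described above. The switch looks up the best return path to a packet's
*source* address and forwards the packet only if that path leaves through the
interface the packet arrived on. Interface names, prefixes and addresses are
constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

Route = Tuple[str, str]   # (destination prefix, egress interface)
Flow = Tuple[str, str]    # (ingress interface, source address)

# Constructed forwarding table. Two uplinks, but the default route points at
# only one of them: the usual source of an asymmetrically routed interface.
FORWARDING_TABLE: List[Route] = [
    ("0.0.0.0/0", "ge-0/0/0.0"),        # default route via uplink A only
    ("10.10.0.0/16", "ge-0/0/1.0"),     # summary route via uplink B
    ("10.10.20.0/24", "ge-0/0/2.0"),    # one subnet attached on its own port
    ("192.168.50.0/24", "vlan.50"),     # server VLAN reached through an RVI
]

# Constructed (ingress interface, source address) pairs as seen on the switch.
OBSERVED: List[Flow] = [
    ("ge-0/0/2.0", "10.10.20.7"),   # attached subnet on its own port: symmetric
    ("ge-0/0/0.0", "172.16.5.9"),   # external source on uplink A, default via A
    ("ge-0/0/1.0", "172.16.5.9"),   # same source arriving on uplink B: asymmetric
    ("ge-0/0/1.0", "10.10.20.7"),   # /24 host arriving via the /16 uplink: asymmetric
    ("vlan.50", "192.168.50.10"),   # RVI, symmetric
]


def best_return_interface(src: str,
                          table: Sequence[Route] = FORWARDING_TABLE) -> Optional[str]:
    """Longest-prefix match on the source address: the interface the switch
    would use to reply to that source, or None if there is no route to it."""
    addr = ipaddress.ip_address(src)
    best_net, best_if = None, None
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        # membership is False for a mismatched address family, so an IPv6
        # source never matches an IPv4 route
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def urpf_accepts(ingress: str, src: str,
                 table: Sequence[Route] = FORWARDING_TABLE) -> bool:
    """True if strict unicast RPF forwards the packet, False if it discards it.
    A source with no route at all is discarded too (None never equals ingress)."""
    return best_return_interface(src, table) == ingress


def asymmetric_flows(observed: Sequence[Flow],
                     table: Sequence[Route] = FORWARDING_TABLE
                     ) -> List[Tuple[str, str, Optional[str]]]:
    """Audit to run before enabling unicast RPF: the observed flows the check
    would drop, each with the interface the forwarding table expected instead.
    Because unicast RPF is enabled globally, one hit is reason enough not to
    enable it until the routing is made symmetric."""
    return [(ingress, src, best_return_interface(src, table))
            for ingress, src in observed
            if not urpf_accepts(ingress, src, table)]


if __name__ == "__main__":
    for ingress, src, expected in asymmetric_flows(OBSERVED):
        print(f"{src} on {ingress} would be discarded; return path is {expected}")
```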

Related Topics

Verifying Unicast RPF Status on page 399

show interfaces ge- (for Gigabit Ethernet interfaces)

show interfaces xe- (for 10 Gigabit Ethernet interfaces)

Understanding Unicast RPF for EX Series Switches on page 346

Troubleshooting Uplink Module Installation or Replacement on EX3200 and EX4200 Switches
This topic provides troubleshooting information for specific problems related to
uplink module ports on EX3200 and EX4200 switches.
1. Switch does not detect the uplink module installed in the switch on page 411
2. Virtual Chassis port (VCP) connection does not work on page 411
3. One of the last four network ports on an EX3200 switch with an SFP or SFP+
uplink module installed is disabled on page 411

Switch does not detect the uplink module installed in the switch

Problem

Though an uplink module is installed in an EX3200 or EX4200 switch, the switch
does not detect the uplink module.

No interfaces are created.

Output from the show chassis command does not display the uplink module.

Cause

The switch was booted without the uplink module installed in the switch or the switch
was booted with an uplink module of a different type installed in the switch.

Solution

Reboot the switch.

Virtual Chassis port (VCP) connection does not work

Problem

The Virtual Chassis port (VCP) connection configured in an EX4200 switch does not
work.

A port of the uplink module is set as a VCP.

Cause

The uplink module installed in the switch was replaced.

Solution

Set a port in the uplink module as a VCP. See Setting an Uplink Module Port as a
Virtual Chassis Port (CLI Procedure) on page 276.

One of the last four network ports on an EX3200 switch with an SFP or SFP+ uplink module
installed is disabled
Problem

One of the last four built-in ports (ge-0/0/20 through ge-0/0/23 on 24-port models
or ge-0/0/44 through ge-0/0/47 on 48-port models) of an EX3200 switch with an
SFP or SFP+ uplink module installed in it is disabled.
When you check the status with the CLI command show interfaces ge- or with the
J-Web user interface, the disabled port is not listed.

Cause

The last four built-in ports use the same ASIC as the SFP uplink module. Therefore,
if you install a transceiver in an SFP or SFP+ uplink module installed in an EX3200
switch, a corresponding base port from the last four built-in ports is disabled.

Solution

If you need to use the disabled built-in port, you must remove the transceiver from
the SFP or SFP+ uplink module. Alternatively, you can install an XFP uplink module
instead of an SFP or SFP+ uplink module. There is no conflict between the built-in
network ports and the ports on the XFP uplink modules.

Related Topics

Monitoring Interface Status and Traffic on page 395

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Installing an Uplink Module in an EX3200 or EX4200 Switch

Removing a Transceiver from an EX Series Switch

Uplink Modules in EX3200 and EX4200 Switches

Understanding Virtual Chassis Hardware Configuration on an EX4200 Switch

Chapter 26

Configuration Statements for Interfaces

Interface Configuration Statement Hierarchy on page 413

Individual Interface Configuration Statements on page 415

Interface Configuration Statement Hierarchy

[edit chassis] Configuration Statement Hierarchy on page 413

[edit interfaces] Configuration Statement Hierarchy on page 413

[edit chassis] Configuration Statement Hierarchy

chassis {
    aggregated-devices {
        ethernet {
            device-count number;
        }
    }
}

Related Topics

JUNOS Software Hierarchy and RFC Reference at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

[edit interfaces] Configuration Statement Hierarchy

interfaces {
    aex {
        aggregated-ether-options {
            lacp mode {
                periodic interval;
            }
        }
    }
    ge-chassis/pic/port {
        description text;
        ether-options {
            802.3ad aex;
            auto-negotiation;
            flow-control;
            link-mode mode;
            speed (speed | auto-negotiation);
        }
        mtu bytes;
        no-gratuitous-arp-request;
        unit logical-unit-number {
            (family ccc; |
            family ethernet-switching {
                filter input filter-name;
                filter output filter-name;
                native-vlan-id vlan-id;
                port-mode mode;
                vlan {
                    members [ (all | names | vlan-ids) ];
                }
            } |
            family mpls;)
            proxy-arp;
            vlan-id vlan-id-number;
        }
        vlan-tagging;
    }
}

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring a Layer 3 Subinterface (CLI Procedure)

EX Series Switches Interfaces Overview on page 339

JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html
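
The hierarchy above is the form the CLI displays, while Table 60 lists the same statements as set commands. As an added example, not code from the guide or from JUNOS, the Python below flattens a brace-delimited hierarchy of this kind into set commands, expanding a bracketed list such as vlan members into one command per member the way the CLI's display set does; its input is a constructed Desktop port role on the made-up interface ge-0/0/5 with the made-up VLAN names employees and voice.

```python
"""Flatten JUNOS-style brace-delimited configuration into set commands.

Added example, not code from the guide or from JUNOS. The sample configuration
is constructed (Desktop port role on ge-0/0/5; VLAN names employees and voice
are made up). Lines starting with # are skipped; annotations are not handled.
"""
import re
from typing import List

SAMPLE_CONFIG = """
interfaces {
    ge-0/0/5 {
        apply-macro juniper-port-profile {
            Desktop;
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members [ employees voice ];
                }
            }
        }
    }
}
protocols {
    rstp {
        interface ge-0/0/5.0 {
            edge;
        }
    }
}
vlans {
    employees {
        vlan-id 100;
    }
}
"""

# Tokens: quoted strings, structural characters, or bare words. Names may
# contain '/' and '.', as in ge-0/0/5.0, so only whitespace and braces split.
_TOKEN = re.compile(r'"[^"]*"|[{};\[\]]|[^\s{};\[\]]+')


def tokenize(text: str) -> List[str]:
    """Split configuration text into tokens, dropping # comment lines."""
    tokens: List[str] = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        tokens.extend(_TOKEN.findall(line))
    return tokens


def _expand(path: List[str], stmt: List[str]) -> List[str]:
    """One set command per leaf statement; a bracketed list such as
    `members [ a b ]` yields one command per list element."""
    prefix = " ".join(["set"] + path)
    if "[" in stmt:
        start, end = stmt.index("["), stmt.index("]")
        head = " ".join(stmt[:start])
        return [f"{prefix} {head} {item}" for item in stmt[start + 1:end]]
    return [f"{prefix} {' '.join(stmt)}"]


def hierarchy_to_set(text: str) -> List[str]:
    """Return the set commands equivalent to a hierarchical configuration."""
    path: List[str] = []       # enclosing container statements
    opened_at: List[int] = []  # len(out) when each container was opened
    stmt: List[str] = []       # tokens of the statement being read
    out: List[str] = []
    for tok in tokenize(text):
        if tok == "{":
            if not stmt:
                raise ValueError("'{' without a container name")
            path.append(" ".join(stmt))
            opened_at.append(len(out))
            stmt = []
        elif tok == "}":
            if stmt or not path:
                raise ValueError("unbalanced '}' or statement missing ';'")
            # an empty container still exists in the configuration: emit it
            if opened_at.pop() == len(out):
                out.append(" ".join(["set"] + path))
            path.pop()
        elif tok == ";":
            if not stmt:
                raise ValueError("empty statement before ';'")
            out.extend(_expand(path, stmt))
            stmt = []
        else:
            stmt.append(tok)
    if path or stmt:
        raise ValueError("configuration ends inside a container or statement")
    return out


if __name__ == "__main__":
    for cmd in hierarchy_to_set(SAMPLE_CONFIG):
        print(cmd)
```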

Individual Interface Configuration Statements


802.3ad

Syntax

802.3ad aex;

Hierarchy Level

[edit interfaces interface-name ether-options]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Specify the aggregated Ethernet logical interface number.

Options

aex: Aggregated Ethernet logical interface number.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 389

Understanding Aggregated Ethernet Interfaces and LACP on page 343

JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

aggregated-devices

Syntax

aggregated-devices {
    ethernet {
        device-count number;
    }
}

Hierarchy Level

[edit chassis]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure properties for aggregated devices on the switch.
The statements are explained separately.

Default

Disabled.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Understanding Aggregated Ethernet Interfaces and LACP on page 343

JUNOS Network System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

aggregated-ether-options

Syntax

aggregated-ether-options {
    lacp mode {
        periodic interval;
    }
}

Hierarchy Level

[edit interfaces aex]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure properties specific to an aggregated Ethernet interface.
The statements are explained separately.

Default

Options are not enabled.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
on page 234

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 389

Understanding Aggregated Ethernet Interfaces and LACP on page 343

JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

auto-negotiation

Syntax

(auto-negotiation | no-auto-negotiation);

Hierarchy Level

[edit interfaces interface-name ether-options]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Explicitly enable or disable autonegotiation.

auto-negotiation: Enable autonegotiation.

no-auto-negotiation: Disable autonegotiation. When autonegotiation is disabled,
you must explicitly configure link mode and speed options.

Default

Autonegotiation is automatically enabled. No explicit action is taken after the
autonegotiation is complete or if the negotiation fails.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

chassis

Syntax

chassis {
    aggregated-devices {
        ethernet {
            device-count number;
        }
    }
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure chassis-specific properties. Most standard JUNOS configuration statements
are available in the JUNOS for EX Series software. This page lists JUNOS statements
that you commonly use when configuring EX Series software as well as statements
added to support only EX Series switches.
The statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

JUNOS Network System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90

description

Syntax

description text;

Hierarchy Level

[edit interfaces ge-chassis/slot/port]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Provide a textual description of the interface or the logical unit. Any descriptive text
you include is displayed in the output of the show interfaces commands, and is also
exposed in the ifAlias Management Information Base (MIB) object. It has no effect
on the operation of the interface or the switch.

Default

No textual description is configured.

Options

text: Text to describe the interface. If the text includes spaces, enclose the entire
text in straight quotation marks.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

device-count

Syntax

device-count number;

Hierarchy Level

[edit chassis aggregated-devices ethernet]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Range updated in JUNOS Release 9.5 for EX Series switches.

Description

Configure the number of aggregated logical devices available to the switch.

Default

There is no default. You must configure a value.

Options

number: Maximum number of Ethernet logical interfaces on the switch.
Range: 0 through 127 for EX3200 and EX4200 switches; 0 through 254 for EX8200
switches

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 227

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

JUNOS Software Network System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

ether-options

Syntax

ether-options {
    802.3ad aex;
    auto-negotiation;
    flow-control;
    link-mode mode;
    speed (speed | auto-negotiation);
}

Hierarchy Level

[edit interfaces interface-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure ether-options properties for a Gigabit Ethernet interface on the EX Series
switch.
The statements are explained separately.

Default

Enabled.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

EX Series Switches Interfaces Overview on page 339

JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

family ccc

Syntax

family ccc;

Hierarchy Level

[edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Configure the logical interface as a circuit cross-connect (CCC).

Default

You must configure a logical interface to be able to use the physical device.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

JUNOS Software MPLS Applications Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

family ethernet-switching

Syntax

family ethernet-switching {
    filter input filter-name;
    filter output filter-name;
    native-vlan-id vlan-id;
    port-mode mode;
    vlan {
        members [ (all | names | vlan-ids) ];
    }
}

Hierarchy Level

[edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure Ethernet switching protocol family information for the logical interface.
The remaining statements are explained separately.

Default

You must configure a logical interface to be able to use the physical device.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

EX Series Switches Interfaces Overview on page 339

JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

family mpls

Syntax

family mpls;

Hierarchy Level

[edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Configure MPLS protocol family information for the logical interface.

Default

You must configure a logical interface to be able to use the physical device.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

JUNOS Software MPLS Applications Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

filter

Syntax
filter (input | output) filter-name;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the Layer 3 interface.

Default
All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all outgoing traffic is sent unmodified from the port or Layer 3 interface.

Options
input—Apply a firewall filter to traffic entering the port or Layer 3 interface.
output—Apply a firewall filter to traffic exiting the Layer 3 interface.
filter-name—Name of a firewall filter defined in the filter statement.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
Configuring Firewall Filters (CLI Procedure) on page 1301
Configuring Firewall Filters (J-Web Procedure) on page 1307
Firewall Filters for EX Series Switches Overview on page 1249
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


Chapter 26: Configuration Statements for Interfaces

flow-control

Syntax
(flow-control | no-flow-control);

Hierarchy Level
[edit interfaces interface-name ether-options]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Explicitly enable flow control, which regulates the flow of packets from the switch to the remote side of the connection, or disable it.

Options
flow-control—Enable flow control; flow control is useful when the remote device is a Gigabit Ethernet switch.
no-flow-control—Disable flow control.

Default
Flow control enabled.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


lacp

Syntax
lacp mode {
  periodic interval;
}

Hierarchy Level
[edit interfaces aex aggregated-ether-options]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the Link Aggregation Control Protocol (LACP).

Default
LACP is not enabled.

Options
mode—LACP mode:
  active—Initiate transmission of LACP packets.
  passive—Respond to LACP packets.
The remaining statement is explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 234
Configuring Aggregated Ethernet LACP (CLI Procedure) on page 389
Configuring Aggregated Ethernet Interfaces (J-Web Procedure) on page 387
Understanding Aggregated Ethernet Interfaces and LACP on page 343
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


link-mode

Syntax
link-mode mode;

Hierarchy Level
[edit interfaces interface-name ether-options]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Set the device's link-connection characteristic.

Default
The automatic mode is enabled.

Options
mode—Link characteristic:
  full-duplex—Connection is full duplex.
  half-duplex—Connection is half duplex.
  automatic—Link mode is negotiated.
If no-auto-negotiation is specified in ether-options, you can select only full-duplex or half-duplex. If auto-negotiation is specified in ether-options, you can select any mode.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


members

Syntax
members [ (all | names | vlan-ids) ];

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Statement updated with enhanced ? (CLI completion feature) functionality in JUNOS Release 9.5 for EX Series switches.

Description
For trunk interfaces, configure the VLANs for which the interface can carry traffic.

TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range.

Options
all—Specifies that this trunk interface is a member of all the VLANs that are configured on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.

NOTE: Each VLAN that is configured must have a specified VLAN ID when you attempt to commit the configuration; otherwise, the configuration commit fails. Also, all cannot be the name of a VLAN on the switch.

names—Name of one or more VLANs.
vlan-ids—Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify a range; for example, 10-20 or 10-20 23 27-30.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
show ethernet-switching interfaces
show vlans
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Example: Connecting an Access Switch to a Distribution Switch on page 498
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
Creating a Series of Tagged VLANs (CLI Procedure) on page 549
Understanding Bridging and VLANs on EX Series Switches on page 467
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html

mtu

Syntax
mtu bytes;

Hierarchy Level
[edit interfaces interface-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Maximum transmission unit (MTU) size for the media. Changing the media MTU causes an interface to be deleted and added again.

Default
1514 bytes

Options
bytes—MTU size.
Range: 64 through 9216 bytes
Default: 1514 bytes

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


native-vlan-id

Syntax
native-vlan-id vlan-id;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the VLAN identifier to associate with untagged packets received on the interface.

Options
vlan-id—Numeric identifier of the VLAN.
Range: 0 through 4095

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Configuring Interfaces on EX-series Switches (CLI Procedure)
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html


periodic

Syntax
periodic interval;

Hierarchy Level
[edit interfaces aex aggregated-ether-options lacp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the interval for periodic transmission of LACP packets.

Default
fast

Options
interval—Interval at which to periodically transmit LACP packets:
  fast—Transmit packets every second. This is the default.
  slow—Transmit packets every 30 seconds.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 234
Configuring Aggregated Ethernet LACP (CLI Procedure) on page 389
Understanding Aggregated Ethernet Interfaces and LACP on page 343
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


port-mode

Syntax
port-mode mode;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure whether an interface on the switch operates in access or trunk mode.

Default
All switch interfaces are in access mode.

Options
access—Have the interface operate in access mode. In this mode, the interface can be in a single VLAN only. Access interfaces typically connect to network devices such as PCs, printers, IP telephones, and IP cameras.
trunk—Have the interface operate in trunk mode. In this mode, the interface can be in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Example: Connecting an Access Switch to a Distribution Switch on page 498
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


rpf-check

Syntax
rpf-check;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family inet]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Enable a reverse-path forwarding check on unicast traffic (except ECMP packets) on all ingress interfaces.

Default
Unicast RPF is disabled on all interfaces.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Example: Configuring Unicast RPF on an EX Series Switch on page 371
Configuring Unicast RPF (CLI Procedure) on page 390
Disabling Unicast RPF (CLI Procedure) on page 391
Understanding Unicast RPF for EX Series Switches on page 346


speed

Syntax
speed (speed | auto-negotiation);

Hierarchy Level
[edit interfaces interface-name ether-options]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the interface's speed.

Default
If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled, the auto-negotiation option is enabled by default.

Options
speed—Specify the interface speed. If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is disabled, you must specify a specific value. This value sets the speed that is used on the link. If the auto-negotiation statement is enabled, you might want to configure a specific speed value to advertise the desired speed to the remote end.
  10m—10 Mbps
  100m—100 Mbps
  1g—1 Gbps
auto-negotiation—Automatically negotiate the speed based on the speed of the other end of the link. This option is available only when the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


unit

Syntax
unit logical-unit-number {
  (family ccc; |
  family ethernet-switching {
    filter input filter-name;
    filter output filter-name;
    native-vlan-id vlan-id;
    port-mode mode;
    vlan {
      members [ (all | names | vlan-ids) ];
    }
  } |
  family mpls;)
  proxy-arp;
  vlan-id vlan-id-number;
}

Hierarchy Level
[edit interfaces ge-chassis/slot/port]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Default
You must configure a logical interface to be able to use the physical device.

Options
logical-unit-number—Number of the logical unit.
Range: 0 through 16,384
The remaining statements are explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386
EX Series Switches Interfaces Overview on page 339
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html


vlan

Syntax
vlan {
  members [ (all | names | vlan-ids) ];
}

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For Gigabit Ethernet and aggregated Ethernet interfaces, bind an 802.1Q VLAN tag ID to a logical interface.
The statements are explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
show ethernet-switching interfaces
Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
Configuring Routed VLAN Interfaces (CLI Procedure) on page 547
Understanding Bridging and VLANs on EX Series Switches on page 467
JUNOS Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


vlan-id

Syntax
vlan-id vlan-id-number;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information
Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description
For Gigabit Ethernet and aggregated Ethernet interfaces only, bind an 802.1Q VLAN tag ID to a logical interface.

NOTE: The VLAN tag ID cannot be configured on logical interface unit 0. The logical unit number must be 1 or higher.

Options
vlan-id-number—A valid VLAN identifier.
Range: 1 through 4094

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
vlan-tagging
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 363
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
Configuring a Layer 3 Subinterface (CLI Procedure)
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


vlan-tagging

Syntax
vlan-tagging;

Hierarchy Level
[edit interfaces ge-chassis/pic/port]

Release Information
Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description
Enable VLAN tagging. The platform will receive and forward single-tag frames with 802.1Q VLAN tags.

Default
VLAN tagging is disabled by default.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Topics
vlan-id
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 363
Configuring a Layer 3 Subinterface (CLI Procedure)
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html
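The entries above state several constraints that only surface at commit time (link-mode and speed versus no-auto-negotiation, the mtu and VLAN ranges, vlan-id never on unit 0, an access interface in a single VLAN). The following is an added example, not code from the Juniper guide: it encodes those rules as a pre-commit check and renders the statements as CLI set commands; the interface names, VLAN values and filter names are constructed.

```python
"""Check EX Series interface statements against the constraints this page documents
and render them as CLI 'set' commands.

Added example, not Juniper code. Interface names, VLAN values and filter names are
constructed; the rules encode only what the statement entries state.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SPEEDS = ("10m", "100m", "1g", "auto-negotiation")
LINK_MODES = ("full-duplex", "half-duplex", "automatic")


@dataclass
class Unit:
    """One 'unit logical-unit-number' block under a ge- interface."""
    number: int = 0
    family: str = "ethernet-switching"        # ethernet-switching | inet | mpls | ccc
    port_mode: str = "access"                 # default: access
    members: List[str] = field(default_factory=list)   # VLAN names, ids, ranges or "all"
    native_vlan_id: Optional[int] = None      # 0 through 4095
    vlan_id: Optional[int] = None             # 1 through 4094, never on unit 0
    filters: Dict[str, str] = field(default_factory=dict)  # {"input": name, "output": name}


@dataclass
class Interface:
    name: str                                 # constructed, e.g. ge-0/0/0
    auto_negotiation: bool = True
    link_mode: str = "automatic"              # default: automatic
    speed: Optional[str] = None
    mtu: Optional[int] = None                 # 64 through 9216 bytes, default 1514
    vlan_tagging: bool = False
    units: List[Unit] = field(default_factory=list)


def check_interface(intf: Interface) -> List[str]:
    """Return the violations a commit would reject; an empty list means consistent."""
    errs: List[str] = []
    if intf.link_mode not in LINK_MODES:
        errs.append(f"link-mode {intf.link_mode}: not full-duplex, half-duplex or automatic")
    elif intf.link_mode == "automatic" and not intf.auto_negotiation:
        # no-auto-negotiation permits only full-duplex or half-duplex
        errs.append("link-mode automatic needs auto-negotiation")
    if intf.speed is not None and intf.speed not in SPEEDS:
        errs.append(f"speed {intf.speed}: not 10m, 100m, 1g or auto-negotiation")
    if not intf.auto_negotiation and intf.speed in (None, "auto-negotiation"):
        # a specific value is mandatory once auto-negotiation is disabled
        errs.append("speed must be 10m, 100m or 1g with no-auto-negotiation")
    if intf.mtu is not None and not 64 <= intf.mtu <= 9216:
        errs.append(f"mtu {intf.mtu}: outside 64 through 9216 bytes")
    for u in intf.units:
        tag = f"unit {u.number}"
        if not 0 <= u.number <= 16384:
            errs.append(f"{tag}: outside 0 through 16,384")
        if u.vlan_id is not None and (u.number == 0 or not 1 <= u.vlan_id <= 4094):
            errs.append(f"{tag}: vlan-id must be 1 through 4094 on a unit of 1 or higher")
        if u.family != "ethernet-switching":
            continue
        if u.port_mode not in ("access", "trunk"):
            errs.append(f"{tag}: port-mode must be access or trunk")
        if u.port_mode == "access" and (len(u.members) > 1 or "all" in u.members):
            # an access interface can be in a single VLAN only; "all" is for trunks
            errs.append(f"{tag}: access mode allows exactly one VLAN member")
        if u.native_vlan_id is not None and not 0 <= u.native_vlan_id <= 4095:
            errs.append(f"{tag}: native-vlan-id outside 0 through 4095")
    return errs


def render(intf: Interface) -> List[str]:
    """Render the interface as 'set' commands; raises ValueError on any violation."""
    errs = check_interface(intf)
    if errs:
        raise ValueError("; ".join(errs))
    base = f"set interfaces {intf.name}"
    neg = "auto-negotiation" if intf.auto_negotiation else "no-auto-negotiation"
    cmds = [f"{base} ether-options {neg}", f"{base} ether-options link-mode {intf.link_mode}"]
    if intf.speed is not None:
        cmds.append(f"{base} ether-options speed {intf.speed}")
    if intf.mtu is not None:
        cmds.append(f"{base} mtu {intf.mtu}")
    if intf.vlan_tagging:
        cmds.append(f"{base} vlan-tagging")
    for u in intf.units:
        ub = f"{base} unit {u.number}"
        if u.vlan_id is not None:
            cmds.append(f"{ub} vlan-id {u.vlan_id}")
        fam = f"{ub} family {u.family}"
        if u.family != "ethernet-switching":
            cmds.append(fam)
            continue
        cmds.append(f"{fam} port-mode {u.port_mode}")
        for direction, name in sorted(u.filters.items()):
            cmds.append(f"{fam} filter {direction} {name}")
        if u.native_vlan_id is not None:
            cmds.append(f"{fam} native-vlan-id {u.native_vlan_id}")
        if u.members:
            cmds.append(f"{fam} vlan members [ {' '.join(u.members)} ]")
    return cmds
```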

Chapter 27
Operational Mode Commands for Interfaces

show interfaces ge-

Syntax
show interfaces ge-fpc/pic/port
<brief | detail | extensive | terse>
<descriptions>
<media>
<snmp-index snmp-index>
<statistics>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Display status information about the specified Gigabit Ethernet interface.

Options
ge-fpc/pic/port—Display standard information about the specified Gigabit Ethernet interface.
brief | detail | extensive | terse—(Optional) Display the specified level of output.
descriptions—(Optional) Display interface description strings.
media—(Optional) Display media-specific information about network interfaces.
snmp-index snmp-index—(Optional) Display information for the specified SNMP index of the interface.
statistics—(Optional) Display static interface statistics.

Required Privilege Level
view

Related Topics
Monitoring Interface Status and Traffic on page 395
Troubleshooting Network Interfaces on EX3200 and EX4200 Switches on page 404
Troubleshooting an Aggregated Ethernet Interface on page 403
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

List of Sample Output
show interfaces ge-0/0/0 on page 448
show interfaces ge-0/0/0 brief on page 449
show interfaces ge-0/0/0 detail on page 449
show interfaces ge-0/0/4 extensive on page 450

Output Fields

Table 62 on page 442 lists the output fields for the show interfaces ge- command. Output fields are listed in the approximate order in which they appear.

Table 62: show interfaces ge- Output Fields

Each entry gives the field name, the level of output at which the field appears (in parentheses), and the field description.

Physical Interface

Physical interface (All levels)
  Name of the physical interface.


Enabled (All levels)
  State of the interface: Enabled or Disabled.

Interface index (detail extensive none)
  Index number of the physical interface, which reflects its initialization sequence.

SNMP ifIndex (detail extensive none)
  SNMP index number for the physical interface.

Generation (detail extensive)
  Unique number for use by Juniper Networks technical support only.

Description (brief detail extensive)
  Optional user-specified description.

Link-level type (All levels)
  Encapsulation being used on the physical interface.

MTU (All levels)
  Maximum transmission unit size on the physical interface. Default is 1514.

Speed (All levels)
  Speed at which the interface is running.

Loopback (All levels)
  Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback: Local or Remote.

Source filtering (All levels)
  Source filtering status: Enabled or Disabled.

Flow control (All levels)
  Flow control status: Enabled or Disabled.

Auto-negotiation (All levels)
  Autonegotiation status: Enabled or Disabled.

Remote-fault (All levels)
  Remote fault status:
  - Online—Autonegotiation is manually configured as online.
  - Offline—Autonegotiation is manually configured as offline.

Device flags (All levels)
  Information about the physical device.

Interface flags (All levels)
  Information about the interface.

Link flags (All levels)
  Information about the link.

CoS queues (detail extensive none)
  Number of CoS queues configured.

Hold-times (detail extensive)
  Current interface hold-time up and hold-time down, in milliseconds.

Current address (detail extensive none)
  Configured MAC address.

Hardware address (detail extensive none)
  MAC address of the hardware.

Last flapped (detail extensive none)
  Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour:minute:second timezone (hour:minute:second ago). For example, Last flapped: 2008-01-16 10:52:40 UTC (3d 22:58 ago).

Statistics last cleared (detail extensive)
  Time when the statistics for the interface were last set to zero.


Traffic statistics (detail extensive)
  Number and rate of bytes and packets received and transmitted on the physical interface.
  - Input bytes—Number of bytes received on the interface.
  - Output bytes—Number of bytes transmitted on the interface.
  - Input packets—Number of packets received on the interface.
  - Output packets—Number of packets transmitted on the interface.
  NOTE: The bandwidth bps counter is not enabled on this platform.

Input errors (extensive)
  Input errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:
  - Errors—Sum of the incoming frame aborts and FCS errors.
  - Drops—Number of packets dropped by the input queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
  - Framing errors—Number of packets received with an invalid frame checksum (FCS).
  - Runts—Number of frames received that are smaller than the runt threshold.
  - Policed discards—Number of frames that the incoming packet match code discarded because they were not recognized or not of interest. Usually, this field reports protocols that the JUNOS Software does not handle.
  - L3 incompletes—Number of incoming packets discarded because they failed Layer 3 sanity checks of the headers. For example, a frame with less than 20 bytes of available IP header is discarded.
  - L2 channel errors—Number of times the software did not find a valid logical interface for an incoming frame.
  - L2 mismatch timeouts—Number of malformed or short packets that caused the incoming packet handler to discard the frame as unreadable.
  - FIFO errors—Number of FIFO errors in the receive direction that are reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  - Resource errors—Sum of transmit drops.


Output errors (extensive)
  Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:
  - Carrier transitions—Number of times the interface has gone from down to up. This number does not normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning.
  - Errors—Sum of the outgoing frame aborts and FCS errors.
  - Drops—Number of packets dropped by the output queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
  - Collisions—Number of Ethernet collisions. The Gigabit Ethernet PIC supports only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug.
  - Aged packets—Number of packets that remained in shared packet SDRAM so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.
  - FIFO errors—Number of FIFO errors in the send direction as reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  - HS link CRC errors—Number of errors on the high-speed links between the ASICs responsible for handling the router interfaces.
  - MTU errors—Number of packets whose size exceeded the MTU of the interface.
  - Resource errors—Sum of transmit drops.

Egress queues (detail extensive)
  Total number of egress queues supported on the specified interface.

Queue counters (Egress) (detail extensive)
  CoS queue number and its associated user-configured forwarding class name.
  - Queued packets—Number of queued packets.
  - Transmitted packets—Number of transmitted packets.
  - Dropped packets—Number of packets dropped by the ASIC's RED mechanism.

Active alarms and Active defects (detail extensive none)
  Ethernet-specific defects that can prevent the interface from passing packets. When a defect persists for a certain amount of time, it is promoted to an alarm. Based on the switch configuration, an alarm can ring the red or yellow alarm bell on the switch, or turn on the red or yellow alarm LED on the craft interface. These fields can contain the value None or Link.
  - None—There are no active defects or alarms.
  - Link—Interface has lost its link state, which usually means that the cable is unplugged, the far-end system has been turned off, or the PIC is malfunctioning.


MAC statistics (extensive)
  Receive and Transmit statistics reported by the PIC's MAC subsystem.
  - Total octets and total packets—Total number of octets and packets. For Gigabit Ethernet IQ PICs, the received octets count varies by interface type.
  - Unicast packets, Broadcast packets, and Multicast packets—Number of unicast, broadcast, and multicast packets.
  - CRC/Align errors—Total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
  - FIFO error—Number of FIFO errors that are reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  - MAC control frames—Number of MAC control frames.
  - MAC pause frames—Number of MAC control frames with pause operational code.
  - Oversized frames—Number of frames that exceed 1518 octets.
  - Jabber frames—Number of frames that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
  - Fragment frames—Total number of packets that were less than 64 octets in length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
  - VLAN tagged frames—Number of frames that are VLAN tagged. The system uses the TPID of 0x8100 in the frame to determine whether a frame is tagged or not.
    NOTE: This counter is not supported on EX Series switches; the field value is always displayed as 0.
  - Code violations—Number of times an event caused the PHY to indicate Data reception error or invalid data symbol error.

Filter Statistics (extensive)
  Receive and Transmit statistics reported by the PIC's MAC address filter subsystem.


Autonegotiation information (extensive)
  Information about link autonegotiation.
  - Negotiation status:
    - Incomplete—Ethernet interface has the speed or link mode configured.
    - No autonegotiation—Remote Ethernet interface has the speed or link mode configured, or does not perform autonegotiation.
    - Complete—Ethernet interface is connected to a device that performs autonegotiation and the autonegotiation process is successful.
  - Link partner status—OK when Ethernet interface is connected to a device that performs autonegotiation and the autonegotiation process is successful.
  - Link partner:
    - Link mode—Depending on the capability of the attached Ethernet device, either Full-duplex or Half-duplex.
    - Flow control—Types of flow control supported by the remote Ethernet device. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on receive and transmit or only PAUSE receive).
    - Remote fault—Remote fault information from the link partner. Failure indicates a receive link error. OK indicates that the link partner is receiving. Negotiation error indicates a negotiation error. Offline indicates that the link partner is going offline.
  - Link partner speed—Speed of the link partner.
  - Local resolution—Information from the link partner:
    - Flow control—Types of flow control supported by the remote Ethernet device. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on receive and transmit or only PAUSE receive).
    - Remote fault—Remote fault information. Link OK (no error detected on receive), Offline (local interface is offline), and Link Failure (link error detected on receive).

Packet Forwarding Engine configuration (extensive)
  Information about the configuration of the Packet Forwarding Engine:
  - Destination slot—FPC slot number.

Logical Interface

Logical interface (All levels)
  Name of the logical interface.

Index (detail extensive none)
  Index number of the logical interface, which reflects its initialization sequence.

SNMP ifIndex (detail extensive none)
  SNMP interface index number for the logical interface.

Generation (detail extensive)
  Unique number for use by Juniper Networks technical support only.

Flags (All levels)
  Information about the logical interface.


Encapsulation (All levels)
  Encapsulation on the logical interface.

Protocol (detail extensive none)
  Protocol family.

Traffic statistics (detail extensive)
  Number and rate of bytes and packets received (input) and transmitted (output) on the specified interface.

IPv6 transit statistics (extensive)
  If IPv6 statistics tracking is enabled, number of IPv6 bytes and packets received and transmitted on the logical interface.

Local statistics (extensive)
  Number and rate of bytes and packets destined to and from the switch.

Transit statistics (extensive)
  Number and rate of bytes and packets transiting the switch.

Generation (detail extensive)
  Unique number for use by Juniper Networks technical support only.

Route Table (detail extensive none)
  Route table in which the logical interface address is located. For example, 0 refers to the routing table inet.0.

Input Filters (detail extensive)
  Names of any input filters applied to this interface.

Output Filters (detail extensive)
  Names of any output filters applied to this interface.

Flags (detail extensive)
  Information about protocol family flags.
  If unicast Reverse Path Forwarding (uRPF) is explicitly configured on the specified interface, the uRPF flag displays. If uRPF was configured on a different interface (and therefore is enabled on all switch interfaces) but was not explicitly configured on the specified interface, the uRPF flag does not display even though uRPF is enabled.

protocol-family (brief)
  Protocol family configured on the logical interface. If the protocol is inet, the IP address of the interface is also displayed.

Flags (detail extensive none)
  Information about address flag.

Destination (detail extensive none)
  IP address of the remote side of the connection.

Local (detail extensive none)
  IP address of the logical interface.

Broadcast (detail extensive none)
  Broadcast address of the logical interface.

Generation (detail extensive)
  Unique number for use by Juniper Networks technical support only.

show interfaces ge-0/0/0

user@switch> show interfaces ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Down
  Interface index: 129, SNMP ifIndex: 21
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled
  Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:3f:41, Hardware address: 00:19:e2:50:3f:41
  Last flapped   : 2008-01-16 11:40:53 UTC (4d 02:30 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Ingress rate at Packet Forwarding Engine      : 0 bps (0 pps)
  Ingress drop rate at Packet Forwarding Engine : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/0.0 (Index 65) (SNMP ifIndex 22)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol eth-switch
      Flags: None
show interfaces ge-0/0/0 brief

user@switch> show interfaces ge-0/0/0 brief
Physical interface: ge-0/0/0, Enabled, Physical link is Down
  Description: voice priority and tcp and icmp traffic rate-limiting filter at ingress port
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None

  Logical interface ge-0/0/0.0
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    eth-switch

show interfaces ge-0/0/0 detail

user@switch> show interfaces ge-0/0/0 detail
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 193, SNMP ifIndex: 206, Generation: 196
  Link-level type: Ethernet, MTU: 1514, Speed: Auto, Duplex: Auto,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:1f:12:30:ff:40, Hardware address: 00:1f:12:30:ff:40
  Last flapped   : 2009-05-05 06:03:05 UTC (00:22:13 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input bytes   :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input packets :                    0                    0 pps
   Output packets:                    0                    0 pps
   IPv6 transit statistics:
    Input bytes   :                    0
    Output bytes  :                    0
    Input packets :                    0
    Output packets:                    0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/0.0 (Index 65) (SNMP ifIndex 235) (Generation 130)
    Flags: SNMP-Traps Encapsulation: ENET2
    Bandwidth: 0
    Traffic statistics:
     Input bytes   :                    0
     Output bytes  :                    0
     Input packets :                    0
     Output packets:                    0
    Local statistics:
     Input bytes   :                    0
     Output bytes  :                    0
     Input packets :                    0
     Output packets:                    0
    Transit statistics:
     Input bytes   :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input packets :                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, Generation: 146, Route table: 0
      Flags: Is-Primary
      Input Filters: f1,
      Output Filters: f2,,,,

show interfaces ge-0/0/4 extensive

user@switch> show interfaces ge-0/0/4 extensive
Physical interface: ge-0/0/4, Enabled, Physical link is Up
  Interface index: 165, SNMP ifIndex: 152, Generation: 168
  Link-level type: Ethernet, MTU: 1514, Speed: Auto, Duplex: Auto,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
  Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:1f:12:33:65:44, Hardware address: 00:1f:12:33:65:44
  Last flapped   : 2008-09-17 11:02:25 UTC (16:32:54 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input bytes   :                    0                    0 bps
   Output bytes  :              2989761                  984 bps
   Input packets :                    0                    0 pps
   Output packets:                24307                    1 pps
   IPv6 transit statistics:
    Input bytes   :                    0
    Output bytes  :                    0
    Input packets :                    0
    Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
                                                      24307
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                             0          2989761
    Total packets                            0            24307
    Unicast packets                          0                0
    Broadcast packets                        0                0
    Multicast packets                        0            24307
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    Code violations                          0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK,
        Link partner Speed: 1000 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
  Direction : Output
  CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
  0 best-effort               95      950000000    95             NA    low    none
  7 network-control            5       50000000     5             NA    low    none

  Logical interface ge-0/0/4.0 (Index 82) (SNMP ifIndex 184) (Generation 147)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input bytes   :                    0
     Output bytes  :              4107883
     Input packets :                    0
     Output packets:                24307
     IPv6 transit statistics:
      Input bytes   :                    0
      Output bytes  :                    0
      Input packets :                    0
      Output packets:                    0
    Local statistics:
     Input bytes   :                    0
     Output bytes  :              4107883
     Input packets :                    0
     Output packets:                24307
    Transit statistics:
     Input bytes   :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input packets :                    0                    0 pps
     Output packets:                    0                    0 pps
     IPv6 transit statistics:
      Input bytes   :                    0
      Output bytes  :                    0
      Input packets :                    0
      Output packets:                    0
    Protocol eth-switch, Generation: 159, Route table: 0
      Flags: None
      Input Filters: f2,
      Output Filters: f1,,,,

show interfaces xe-

Syntax
  show interfaces xe-fpc/pic/port
    <brief | detail | extensive | terse>
    <descriptions>
    <media>
    <snmp-index snmp-index>
    <statistics>

Release Information
  Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Display status information about the specified 10-Gigabit Ethernet interface.

Options
  xe-fpc/pic/port: Display standard information about the specified 10-Gigabit
  Ethernet interface.
  brief | detail | extensive | terse: (Optional) Display the specified level of
  output.
  descriptions: (Optional) Display interface description strings.
  media: (Optional) Display media-specific information about network interfaces.
  snmp-index snmp-index: (Optional) Display information for the specified SNMP
  index of the interface.
  statistics: (Optional) Display static interface statistics.

Required Privilege Level
  view

Related Topics
  Monitoring Interface Status and Traffic on page 395
  Troubleshooting Network Interfaces on EX3200 and EX4200 Switches on page 404
  Troubleshooting an Aggregated Ethernet Interface on page 403
  JUNOS Software Network Interfaces Configuration Guide at
  http://www.juniper.net/techpubs/software/junos/junos95/index.html

List of Sample Output
  show interfaces xe-0/1/0 on page 460
  show interfaces xe-4/1/0 on page 460
  show interfaces xe-0/1/0 brief on page 461
  show interfaces xe-4/1/0 detail on page 461
  show interfaces xe-4/1/0 extensive on page 462

Output Fields
  Table 63 on page 454 lists the output fields for the show interfaces xe-
  command. Output fields are listed in the approximate order in which they
  appear.

Table 63: show interfaces xe- Output Fields

Field Name (Level of Output)
  Field Description

Physical Interface

Physical interface (All levels)
  Name of the physical interface.

Enabled (All levels)
  State of the interface.

Interface index (detail, extensive, none)
  Index number of the physical interface, which reflects its initialization
  sequence.

SNMP ifIndex (detail, extensive, none)
  SNMP index number for the physical interface.

Generation (detail, extensive)
  Unique number for use by Juniper Networks technical support only.

Link-level type (All levels)
  Encapsulation being used on the physical interface.

MTU (All levels)
  Maximum transmission unit size on the physical interface.

Speed (All levels)
  Speed at which the interface is running.

Loopback (All levels)
  Loopback status: Enabled or Disabled. If loopback is enabled, type of
  loopback: Local or Remote.

Source filtering (All levels)
  Source filtering status: Enabled or Disabled.

LAN-PHY mode (All levels)
  10-Gigabit Ethernet interface operating in Local Area Network Physical Layer
  Device (LAN PHY) mode. LAN PHY allows 10-Gigabit Ethernet wide area links to
  use existing Ethernet applications.

Unidirectional (All levels)
  Unidirectional link mode status for 10-Gigabit Ethernet interface: Enabled or
  Disabled for parent interface; Rx-only or Tx-only for child interfaces.

Flow control (All levels)
  Flow control status: Enabled or Disabled.

Auto-negotiation (All levels)
  Autonegotiation status: Enabled or Disabled.

Remote-fault (All levels)
  Remote fault status:
  - Online: Autonegotiation is manually configured as online.
  - Offline: Autonegotiation is manually configured as offline.

Device flags (All levels)
  Information about the physical device.

Interface flags (All levels)
  Information about the interface.

Link flags (All levels)
  Information about the link.

Wavelength (All levels)
  Configured wavelength, in nanometers (nm).

Frequency (All levels)
  Frequency associated with the configured wavelength, in terahertz (THz).

CoS queues (detail, extensive, none)
  Number of CoS queues configured.

Schedulers (extensive)
  Number of CoS schedulers configured.

Hold-times (detail, extensive)
  Current interface hold-time up and hold-time down, in milliseconds.

Current address (detail, extensive, none)
  Configured MAC address.

Hardware address (detail, extensive, none)
  Hardware MAC address.

Last flapped (detail, extensive, none)
  Date, time, and how long ago the interface went from down to up. The format
  is Last flapped: year-month-day hour:minute:second timezone
  (hour:minute:second ago). For example, Last flapped: 2008-01-16 10:52:40 UTC
  (3d 22:58 ago).

Input Rate (None specified)
  Input rate in bits per second (bps) and packets per second (pps).

Output Rate (None specified)
  Output rate in bps and pps.

Statistics last cleared (detail, extensive)
  Time when the statistics for the interface were last set to zero.

Traffic statistics (detail, extensive)
  Number and rate of bytes and packets received and transmitted on the physical
  interface.
  - Input bytes: Number of bytes received on the interface.
  - Output bytes: Number of bytes transmitted on the interface.
  - Input packets: Number of packets received on the interface.
  - Output packets: Number of packets transmitted on the interface.
  NOTE: The bandwidth bps counter is not enabled on this platform.

Input errors (extensive)
  Input errors on the interface. The following paragraphs explain the counters
  whose meaning might not be obvious:
  - Errors: Sum of the incoming frame aborts and FCS errors.
  - Drops: Number of packets dropped by the input queue of the I/O Manager
    ASIC. If the interface is saturated, this number increments once for every
    packet that is dropped by the ASIC's RED mechanism.
  - Framing errors: Number of packets received with an invalid frame checksum
    (FCS).
  - Runts: Number of frames received that are smaller than the runt threshold.
  - Policed discards: Number of frames that the incoming packet match code
    discarded because they were not recognized or not of interest. Usually,
    this field reports protocols that the JUNOS Software does not handle.
  - L3 incompletes: Number of incoming packets discarded because they failed
    Layer 3 sanity checks of the header. For example, a frame with less than
    20 bytes of available IP header is discarded. L3 incomplete errors can be
    ignored if you configure the ignore-l3-incompletes statement.
  - L2 channel errors: Number of times the software did not find a valid
    logical interface for an incoming frame.
  - L2 mismatch timeouts: Number of malformed or short packets that caused the
    incoming packet handler to discard the frame as unreadable.
  - FIFO errors: Number of FIFO errors in the receive direction that are
    reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is
    probably malfunctioning.
  - Resource errors: Sum of transmit drops.

Output errors (extensive)
  Output errors on the interface. The following paragraphs explain the
  counters whose meaning might not be obvious:
  - Carrier transitions: Number of times the interface has gone from down to
    up. This number does not normally increment quickly, increasing only when
    the cable is unplugged, the far-end system is powered down and then up, or
    another problem occurs. If the number of carrier transitions increments
    quickly (perhaps once every 10 seconds), the cable, the far-end system, or
    the PIC or PIM is malfunctioning.
  - Errors: Sum of the outgoing frame aborts and FCS errors.
  - Drops: Number of packets dropped by the output queue of the I/O Manager
    ASIC. If the interface is saturated, this number increments once for every
    packet that is dropped by the ASIC's RED mechanism.
  - Collisions: Number of Ethernet collisions. The Gigabit Ethernet PIC
    supports only full-duplex operation, so for Gigabit Ethernet PICs, this
    number should always remain 0. If it is nonzero, there is a software bug.
  - Aged packets: Number of packets that remained in shared packet SDRAM so
    long that the system automatically purged them. The value in this field
    should never increment. If it does, it is most likely a software bug or
    possibly malfunctioning hardware.
  - FIFO errors: Number of FIFO errors in the send direction as reported by
    the ASIC on the PIC. If this value is ever nonzero, the PIC is probably
    malfunctioning.
  - HS link CRC errors: Number of errors on the high-speed links between the
    ASICs responsible for handling the router interfaces.
  - MTU errors: Number of packets whose size exceeded the MTU of the interface.
  - Resource errors: Sum of transmit drops.

Egress queues (detail, extensive)
  Total number of egress queues supported on the specified interface.

Queue counters (Egress) (detail, extensive)
  CoS queue number and its associated user-configured forwarding class name.
  - Queued packets: Number of queued packets.
  - Transmitted packets: Number of transmitted packets.
  - Dropped packets: Number of packets dropped by the ASIC's RED mechanism.

Ingress queues (extensive)
  Total number of ingress queues supported on the specified interface.

Queue counters (Ingress) (extensive)
  CoS queue number and its associated user-configured forwarding class name.
  - Queued packets: Number of queued packets.
  - Transmitted packets: Number of transmitted packets.
  - Dropped packets: Number of packets dropped by the ASIC's RED mechanism.

Active alarms and Active defects (detail, extensive, none)
  Ethernet-specific defects that can prevent the interface from passing
  packets. When a defect persists for a certain amount of time, it is promoted
  to an alarm. Based on the router configuration, an alarm can ring the red or
  yellow alarm bell on the router, or turn on the red or yellow alarm LED on
  the craft interface. These fields can contain the value None or Link.
  - None: There are no active defects or alarms.
  - Link: Interface has lost its link state, which usually means that the
    cable is unplugged, the far-end system has been turned off, or the PIC is
    malfunctioning.

PCS statistics (detail, extensive)
  Physical Coding Sublayer (PCS) fault conditions from the LAN PHY device.

MAC statistics (extensive)
  Receive and Transmit statistics reported by the PIC's MAC subsystem.
  - Total octets and total packets: Total number of octets and packets. For
    Gigabit Ethernet IQ PICs, the received octets count varies by interface
    type.
  - Unicast packets, Broadcast packets, and Multicast packets: Number of
    unicast, broadcast, and multicast packets.
  - CRC/Align errors: Total number of packets received that had a length
    (excluding framing bits, but including FCS octets) of between 64 and 1518
    octets, inclusive, and had either a bad FCS with an integral number of
    octets (FCS Error) or a bad FCS with a nonintegral number of octets
    (Alignment Error).
  - FIFO errors: Number of FIFO errors that are reported by the ASIC on the
    PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  - MAC control frames: Number of MAC control frames.
  - MAC pause frames: Number of MAC control frames with pause operational
    code.
  - Oversized frames: Number of frames that exceed 1518 octets.
  - Jabber frames: Number of frames that were longer than 1518 octets
    (excluding framing bits, but including FCS octets), and had either an FCS
    error or an alignment error. This definition of jabber is different from
    the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section
    10.3.1.4 (10BASE2). These documents define jabber as the condition in
    which any packet exceeds 20 ms. The allowed range to detect jabber is from
    20 ms to 150 ms.
  - Fragment frames: Total number of packets that were less than 64 octets in
    length (excluding framing bits, but including FCS octets), and had either
    an FCS error or an alignment error. Fragment frames normally increment
    because both runts (which are normal occurrences caused by collisions) and
    noise hits are counted.
  - VLAN tagged frames: Number of frames that are VLAN tagged. The system uses
    the TPID of 0x8100 in the frame to determine whether a frame is tagged or
    not. This counter is not supported on EX Series switches and is always
    displayed as 0.
  - Code violations: Number of times an event caused the PHY to indicate Data
    reception error or invalid data symbol error.

Filter statistics (extensive)
  Receive and Transmit statistics reported by the PIC's MAC address filter
  subsystem.

Autonegotiation information (extensive)
  Information about link autonegotiation.
  - Negotiation status:
    - Incomplete: Ethernet interface has the speed or link mode configured.
    - No autonegotiation: Remote Ethernet interface has the speed or link mode
      configured, or does not perform autonegotiation.
    - Complete: Ethernet interface is connected to a device that performs
      autonegotiation and the autonegotiation process is successful.
  - Link partner status: OK when Ethernet interface is connected to a device
    that performs autonegotiation and the autonegotiation process is
    successful.
  - Link partner:
    - Link mode: Depending on the capability of the attached Ethernet device,
      either Full-duplex or Half-duplex.
    - Flow control: Types of flow control supported by the remote Ethernet
      device. For Fast Ethernet interfaces, the type is None. For Gigabit
      Ethernet interfaces, types are Symmetric (link partner supports PAUSE on
      receive and transmit), Asymmetric (link partner supports PAUSE on
      transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on
      receive and transmit or only PAUSE receive).
    - Remote fault: Remote fault information from the link partner. Failure
      indicates a receive link error. OK indicates that the link partner is
      receiving. Negotiation error indicates a negotiation error. Offline
      indicates that the link partner is going offline.
  - Local resolution: Information from the link partner:
    - Flow control: Types of flow control supported by the remote Ethernet
      device. For Gigabit Ethernet interfaces, types are Symmetric (link
      partner supports PAUSE on receive and transmit), Asymmetric (link
      partner supports PAUSE on transmit), and Symmetric/Asymmetric (link
      partner supports both PAUSE on receive and transmit or only PAUSE
      receive).
    - Remote fault: Remote fault information. Link OK (no error detected on
      receive), Offline (local interface is offline), and Link Failure (link
      error detected on receive).

Packet Forwarding Engine configuration (extensive)
  Information about the configuration of the Packet Forwarding Engine:
  - Destination slot: FPC slot number.
  - CoS transmit queue: Queue number and its associated user-configured
    forwarding class name.
  - Bandwidth %: Percentage of bandwidth allocated to the queue.
  - Bandwidth bps: Bandwidth allocated to the queue (in bps).
  - Buffer %: Percentage of buffer space allocated to the queue.
  - Buffer usec: Amount of buffer space allocated to the queue, in
    microseconds. This value is nonzero only if the buffer size is configured
    in terms of time.
  - Priority: Queue priority: low or high.
  - Limit: Displayed if rate limiting is configured for the queue. Possible
    values are none and exact. If exact is configured, the queue transmits
    only up to the configured bandwidth, even if excess bandwidth is
    available. If none is configured, the queue transmits beyond the
    configured bandwidth if bandwidth is available.

Logical Interface

Logical interface (All levels)
  Name of the logical interface.

Index (detail, extensive, none)
  Index number of the logical interface, which reflects its initialization
  sequence.

SNMP ifIndex (detail, extensive, none)
  SNMP interface index number for the logical interface.

Generation (detail, extensive)
  Unique number for use by Juniper Networks technical support only.

Flags (All levels)
  Information about the logical interface.

Encapsulation (All levels)
  Encapsulation on the logical interface.

Protocol (detail, extensive, none)
  Protocol family.

Traffic statistics (detail, extensive)
  Number and rate of bytes and packets received (input) and transmitted
  (output) on the specified interface.

IPv6 transit statistics (extensive)
  If IPv6 statistics tracking is enabled, number of IPv6 bytes and packets
  received and transmitted on the logical interface.

Local statistics (extensive)
  Number and rate of bytes and packets destined to and from the switch.

Transit statistics (extensive)
  Number and rate of bytes and packets transiting the switch.

Generation (detail, extensive)
  Unique number for use by Juniper Networks technical support only.

Route Table (detail, extensive, none)
  Route table in which the logical interface address is located. For example,
  0 refers to the routing table inet.0.

Input Filters (detail, extensive)
  Names of any input filters applied to this interface.

Output Filters (detail, extensive)
  Names of any output filters applied to this interface.

Flags (detail, extensive)
  Information about protocol family flags. If unicast Reverse Path Forwarding
  (uRPF) is explicitly configured on the specified interface, the uRPF flag
  displays. If uRPF was configured on a different interface (and therefore is
  enabled on all switch interfaces) but was not explicitly configured on the
  specified interface, the uRPF flag does not display even though uRPF is
  enabled.

Addresses, Flags (detail, extensive, none)
  Information about the address flags.

protocol-family (brief)
  Protocol family configured on the logical interface. If the protocol is inet,
  the IP address of the interface is also displayed.

Flags (detail, extensive, none)
  Information about address flag.

Destination (detail, extensive, none)
  IP address of the remote side of the connection.

Local (detail, extensive, none)
  IP address of the logical interface.

Broadcast (detail, extensive, none)
  Broadcast address of the logical interface.

Generation (detail, extensive)
  Unique number for use by Juniper Networks technical support only.
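The Input errors and Output errors rows above tell an operator which counters must stay at zero (FIFO errors, Collisions, Aged packets) and which are judged by their rate (Carrier transitions, roughly one every 10 seconds being the warning sign). The following script applies those readings to extensive output; it is an added example, not part of the JUNOS documentation, and the two snapshots it parses are constructed in this page's output format rather than captured from a switch.

```python
import re

# Constructed sample in the format shown on this page (not captured from a
# switch): several counters are deliberately nonzero to exercise the checks.
SAMPLE_NOW = """\
Physical interface: xe-4/1/0, Enabled, Physical link is Up
  Interface index: 387, SNMP ifIndex: 369, Generation: 390
  Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, Duplex: Full-Duplex,
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 12, Runts: 0, Policed discards: 7,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 9, Errors: 0, Drops: 0, Collisions: 2, Aged packets: 0,
    FIFO errors: 1, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Active alarms  : None
  Active defects : None
"""

# The same interface as constructed 60 seconds earlier: only the carrier
# transition count differs.
SAMPLE_BEFORE = SAMPLE_NOW.replace("Carrier transitions: 9",
                                   "Carrier transitions: 3")

# Counters that the output-field table says should stay at zero on a healthy
# Gigabit or 10-Gigabit Ethernet port, with the table's own interpretation.
MUST_BE_ZERO = {
    ("Input errors", "FIFO errors"): "receive FIFO errors: PIC is probably malfunctioning",
    ("Output errors", "FIFO errors"): "send FIFO errors: PIC is probably malfunctioning",
    ("Output errors", "Collisions"): "collisions on a full-duplex-only PIC: software bug",
    ("Output errors", "Aged packets"): "packets purged from SDRAM: software bug or bad hardware",
}

# Receive-side counters whose growth points at the cable or the far-end device
# (bad FCS, runts, unreadable frames) rather than at the switch itself.
LINK_QUALITY = ("Errors", "Framing errors", "Runts", "L2 mismatch timeouts")

# One "name: number" pair; the error lines carry several, comma separated.
COUNTER_RE = re.compile(r"([A-Za-z0-9/ ]+?):\s*(\d+)")


def parse_error_counters(text):
    """Return {'Input errors': {name: int}, 'Output errors': {name: int}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Input errors:", "Output errors:"):
            current = line[:-1]
            sections[current] = {}
        elif current is not None and COUNTER_RE.match(line):
            for name, value in COUNTER_RE.findall(line):
                sections[current][name.strip()] = int(value)
        else:
            current = None  # any other line ends the counter block
    return sections


def check_interface(now_text, before_text=None, interval_s=None):
    """Return a list of (section, counter, value, reason) findings.

    When an earlier snapshot and the seconds between the two are supplied,
    Carrier transitions is judged by its rate: the table calls roughly one
    transition every 10 seconds a cable, far-end or PIC problem, so a flap
    interval of 10 seconds or less is reported.
    """
    now = parse_error_counters(now_text)
    findings = []
    for (section, counter), reason in MUST_BE_ZERO.items():
        value = now.get(section, {}).get(counter, 0)
        if value:
            findings.append((section, counter, value, reason))
    for counter in LINK_QUALITY:
        value = now.get("Input errors", {}).get(counter, 0)
        if value:
            findings.append(("Input errors", counter, value,
                             "receive errors: check cable and far-end device"))
    if before_text is not None and interval_s:
        before = parse_error_counters(before_text)
        delta = (now.get("Output errors", {}).get("Carrier transitions", 0)
                 - before.get("Output errors", {}).get("Carrier transitions", 0))
        if delta > 0 and interval_s / delta <= 10:
            findings.append(("Output errors", "Carrier transitions", delta,
                             f"{delta} link flaps in {interval_s}s: cable, far end or PIC"))
    return findings


if __name__ == "__main__":
    for finding in check_interface(SAMPLE_NOW, SAMPLE_BEFORE, interval_s=60):
        print("%-13s %-20s %6d  %s" % finding)
```

On a real switch, feed the script two captures of `show interfaces xe-fpc/pic/port extensive` taken a known number of seconds apart; counters that the table says are normal under load (Drops under saturation, Policed discards for unhandled protocols) are deliberately not flagged.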

show interfaces xe-0/1/0

user@switch> show interfaces xe-0/1/0
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Interface index: 153, SNMP ifIndex: 69
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99
  Last flapped   : 2008-02-25 05:28:08 UTC (00:12:49 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None

  Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol eth-switch
      Flags: None

show interfaces xe-4/1/0

user@switch> show interfaces xe-4/1/0
Physical interface: xe-4/1/0, Enabled, Physical link is Up
  Interface index: 387, SNMP ifIndex: 369
  Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, Duplex: Full-Duplex,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:23:9c:03:8e:70, Hardware address: 00:23:9c:03:8e:70
  Last flapped   : 2009-05-12 08:01:04 UTC (00:13:44 ago)
  Input rate     : 36432 bps (3 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None

  Logical interface xe-4/1/0.0 (Index 66) (SNMP ifIndex 417)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol eth-switch
      Flags: None

show interfaces xe-0/1/0 brief

user@switch> show interfaces xe-0/1/0 brief
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None

  Logical interface xe-0/1/0.0
    Flags: SNMP-Traps Encapsulation: ENET2
    eth-switch

show interfaces xe-4/1/0 detail

user@switch> show interfaces xe-4/1/0 detail
Physical interface: xe-4/1/0, Enabled, Physical link is Up
  Interface index: 387, SNMP ifIndex: 369, Generation: 390
  Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, Duplex: Full-Duplex,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:23:9c:03:8e:70, Hardware address: 00:23:9c:03:8e:70
  Last flapped   : 2009-05-12 08:01:04 UTC (00:13:49 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input bytes   :              4945644                48576 bps
   Output bytes  :                    0                    0 bps
   Input packets :                 3258                    4 pps
   Output packets:                    0                    0 pps
   IPv6 transit statistics:
    Input bytes   :                    0
    Output bytes  :                    0
    Input packets :                    0
    Output packets:                    0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : None
  Active defects : None

  Logical interface xe-4/1/0.0 (Index 66) (SNMP ifIndex 417) (Generation 158)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input bytes   :                    0
     Output bytes  :                    0
     Input packets :                    0
     Output packets:                    0
    Local statistics:
     Input bytes   :                    0
     Output bytes  :                    0
     Input packets :                    0
     Output packets:                    0
    Transit statistics:
     Input bytes   :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input packets :                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, Generation: 174, Route table: 0
      Flags: None
      Input Filters: f1,
      Output Filters: f2,,,,

show interfaces xe-4/1/0 extensive

user@switch> show interfaces xe-4/1/0 extensive
Physical interface: xe-4/1/0, Enabled, Physical link is Up
  Interface index: 387, SNMP ifIndex: 369, Generation: 390
  Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, Duplex: Full-Duplex,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:23:9c:03:8e:70, Hardware address: 00:23:9c:03:8e:70
  Last flapped   : 2009-05-12 08:01:04 UTC (00:14:01 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input bytes   :              5015472                36432 bps
   Output bytes  :                    0                    0 bps
   Input packets :                 3304                    3 pps
   Output packets:                    0                    0 pps
   IPv6 transit statistics:
    Input bytes   :                    0
    Output bytes  :                    0
    Input packets :                    0
    Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 3, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                       5015472                0
    Total packets                         3304                0
    Unicast packets                       3304                0
    Broadcast packets                        0                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    Code violations                          0
  Packet Forwarding Engine configuration:
    Destination slot: 4
  Direction : Output
  CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
  0 best-effort               95     9500000000    95             NA    low    none
  7 network-control            5      500000000                   NA    low    none

  Logical interface xe-4/1/0.0 (Index 66) (SNMP ifIndex 417) (Generation 158)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input bytes   :                    0
     Output bytes  :                    0
     Input packets :                    0
     Output packets:                    0
    Local statistics:
     Input bytes   :                    0
     Output bytes  :                    0
     Input packets :                    0
     Output packets:                    0
    Transit statistics:
     Input bytes   :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input packets :                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, Generation: 174, Route table: 0
      Flags: None
      Input Filters: f1,
      Output Filters: f2,,,,

Part 8

Layer 2 Bridging, VLANs, and Spanning Trees

Understanding Layer 2 Bridging, VLANs, and GVRP on page 467

Examples of Configuring Layer 2 Bridging, VLANs, and GVRP on page 483

Configuring Layer 2 Bridging, VLANs, and GVRP on page 543

Verifying Layer 2 Bridging, VLANs, and GVRP on page 559

Troubleshooting Layer 2 Bridging, VLANs, and GVRP on page 569

Understanding Spanning Trees on page 571

Examples of Configuring Spanning Trees on page 579

Configuring Spanning Trees on page 635

Verifying Spanning Trees on page 641

Configuration Statements for Bridging, VLANs, and Spanning Trees on page 643

Operational Mode Commands for Bridging, VLANs, and Spanning Trees on page 717


Chapter 28

Understanding Layer 2 Bridging, VLANs, and GVRP

Understanding Bridging and VLANs on EX Series Switches on page 467

Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding Storm Control on EX Series Switches on page 475

Understanding Virtual Routing Instances on EX Series Switches on page 476

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

Understanding Private VLANs on EX Series Switches on page 480

Understanding Bridging and VLANs on EX Series Switches


Network switches use Layer 2 bridging protocols to discover the topology of their
LAN and to forward traffic toward destinations on the LAN.
This topic explains the following concepts regarding bridging and VLANs on Juniper
Networks EX Series Ethernet Switches:

Ethernet LANs, Transparent Bridging, and VLANs on page 467

How Bridging Works on page 468

Types of Switch Ports on page 470

IEEE 802.1Q Encapsulation and Tags on page 470

Assignment of Traffic to VLANs on page 470

Ethernet Switching Tables on page 471

Layer 2 and Layer 3 Forwarding of VLAN Traffic on page 471

GVRP on page 471

Routed VLAN Interface on page 472

Ethernet LANs, Transparent Bridging, and VLANs


Ethernet is a data link layer technology, as defined by Layer 2 of the Open Systems
Interconnection (OSI) model of communications protocols. Ethernet was first
standardized by the IEEE in 1982, in IEEE 802.3. Ethernet is used to create LANs.


The network devices, called nodes, on the LAN transmit data in bundles that are
generally called frames or packets.
Each node on a LAN has a unique identifier so that it can be unambiguously located
on the network. Ethernet uses the Layer 2 media access control (MAC) address for
this purpose. MAC addresses are hardware addresses that are programmed (burned)
into the Ethernet processor in the node.
A characteristic of Ethernet is that nodes on a LAN can transmit data frames at any
time. However, the physical connecting cable between the nodes (either coaxial,
copper-based (Category 5), or optical cable) can carry only a single stream of data
at a time. One result of this design is that when two nodes transmit at the same time,
their frames can collide on the cable and generate an error. Ethernet uses a protocol
called carrier-sense multiple access with collision detection (CSMA/CD) to detect
frame collisions. If a node receives a collision error message, it stops transmitting
immediately and waits for a period of time before trying to send the frame again. If
the node continues to detect collisions, it progressively increases the time between
retransmissions in an attempt to find a time when no other data is being transmitted
on the LAN. The node uses a backoff algorithm to calculate the increasing
retransmission time intervals.
Ethernet LANs were originally implemented for small, simple networks that carried
primarily text. Over time, LANs have become larger and more complex; the type of
data they carry has grown to include voice, graphics, and video; and the increased
speed of Ethernet interfaces on LANs has resulted in exponential increases in traffic
on the network.
The IEEE 802.1D-2004 standard addresses some of the problems caused by the
increase in LAN size and complexity. This standard defines transparent bridging (generally
called simply bridging). Bridging divides a single physical LAN (a single broadcast
domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of network
nodes that are grouped together to form separate broadcast domains. On an Ethernet
network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On
VLANs, frames whose origin and destination are in the same VLAN are forwarded
only within the local VLAN. Frames that are not destined for the local VLAN are the
only ones forwarded to other broadcast domains. VLANs thus limit the amount of
traffic flowing across the entire LAN, reducing the possible number of collisions and
packet retransmissions within a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected to the same
network. On VLANs, the physical location of the nodes is not important, so you can
group network devices in any way that makes sense for your organization, such as
by department or business function, types of network nodes, or even physical location.
Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q
encapsulation (discussed below).

How Bridging Works


The transparent bridging protocol allows a switch to learn information about all the
nodes on the LAN, including nodes on all the different VLANs. The switch uses this
information to create address-lookup tables, called Ethernet switching tables, that it
consults when forwarding traffic to or toward a destination on the LAN.


Transparent bridging uses five mechanisms to create and maintain Ethernet switching
tables on the switch:

Learning

Forwarding

Flooding

Filtering

Aging

The first bridging mechanism is learning. When a switch is first connected to an
Ethernet LAN or VLAN, it has no information about other nodes on the network. The
switch goes through a learning process to obtain the MAC addresses of all the nodes
on the network. It stores these in the Ethernet switching table. To learn MAC
addresses, the switch reads all packets that it detects on the LAN or on the local
VLAN, looking for MAC addresses of sending nodes. It places these addresses into
its Ethernet switching table, along with two other pieces of information: the interface
(or port) on which the traffic was received and the time when the address was learned.
The second bridging mechanism is forwarding. Switches forward traffic, passing it
from an incoming interface to an outgoing interface that leads to or toward the
destination. To forward frames, the switch consults the Ethernet switching table to
see whether the table contains the MAC address corresponding to the frames'
destination. If the Ethernet switching table contains an entry for the desired
destination address, the switch sends the traffic out the interface associated with the
MAC address. The switch also consults the Ethernet switching table in the same way
when transmitting frames that originate on devices connected directly to the switch.
If the Ethernet switching table does not contain an entry for the desired destination
address, the switch uses flooding, which is the third bridging mechanism.
Flooding is how the switch learns about destinations not in its Ethernet switching
table. If this table has no entry for a particular destination MAC address, the switch
floods the traffic out all interfaces except the interface on which it was received. (If
traffic originates on the switch, the switch floods it out all interfaces.) When the
destination node receives the flooded traffic, it sends an acknowledgment packet
back to the switch, allowing it to learn the MAC address of the node and to add the
address to its Ethernet switching table.
Filtering, the fourth bridging mechanism, is how broadcast traffic is limited to the
local VLAN whenever possible. As the number of entries in the Ethernet switching
table grows, the switch pieces together an increasingly complete picture of the VLAN
and the larger LAN: which nodes are in the local VLAN and which are on other
network segments. The switch uses this information to filter traffic. Specifically, for
traffic whose source and destination MAC addresses are in the local VLAN, filtering
prevents the switch from forwarding this traffic to other network segments.
Finally, the switch uses aging, the fifth bridging mechanism, to keep the entries in
the Ethernet switching table current. For each MAC address in the Ethernet switching
table, the switch records a timestamp of when the information about the network
node was learned. Each time the switch detects traffic from a MAC address, it updates
the timestamp. A timer on the switch periodically checks the timestamp, and if it is
older than a user-configured value, the switch removes the node's MAC address from


the Ethernet switching table. This aging process ensures that the switch tracks only
active nodes on the network and that it is able to flush out network nodes that are
no longer available.
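The five mechanisms just described, as an added example in Python that is not part of this guide and not JUNOS code: a small transparent bridge whose Ethernet switching table is keyed per VLAN, with learning, forwarding, flooding, filtering and aging shown one frame at a time. Port names, MAC addresses (from the documentation range) and the 300-second aging time are assumptions for the example.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    """One Ethernet switching table entry: the port a MAC was seen on and when."""
    port: str
    learned: float   # timestamp of the most recent frame from this source MAC


@dataclass
class Bridge:
    ports: dict                      # port name -> access VLAN ID (one VLAN per access port)
    age_limit: float = 300.0         # seconds; assumed aging time for this example
    table: dict = field(default_factory=dict)   # (vlan, mac) -> Entry

    def receive(self, in_port, src, dst, now):
        """Process one frame and return the sorted list of ports it is sent out of."""
        vlan = self.ports[in_port]
        # 1. Learning: record (or refresh) the source MAC with its ingress port and time.
        self.table[(vlan, src)] = Entry(in_port, now)
        entry = self.table.get((vlan, dst))
        if dst != BROADCAST and entry is not None:
            # 4. Filtering: the destination already lives on the ingress segment,
            #    so the frame is not forwarded to any other segment.
            if entry.port == in_port:
                return []
            # 2. Forwarding: a known destination goes out exactly one learned port.
            return [entry.port]
        # 3. Flooding: unknown unicast and broadcast go out every other port of the
        #    same VLAN; the table is scoped per VLAN, so nothing leaks across VLANs.
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)

    def age(self, now):
        """5. Aging: drop entries not refreshed within age_limit; return how many."""
        stale = [k for k, e in self.table.items() if now - e.learned > self.age_limit]
        for key in stale:
            del self.table[key]
        return len(stale)


def run_demo():
    """Walk the five mechanisms with constructed ports and MAC addresses."""
    br = Bridge(ports={"ge-0/0/0": 10, "ge-0/0/1": 10, "ge-0/0/2": 10, "ge-0/0/3": 20})
    a, b, c = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    t = 1000.0
    flooded = br.receive("ge-0/0/0", a, b, t)          # b unknown: flood within VLAN 10 only
    forwarded = br.receive("ge-0/0/1", b, a, t + 1)    # b's reply teaches b; a is already known
    broadcast = br.receive("ge-0/0/1", b, BROADCAST, t + 2)
    filtered = br.receive("ge-0/0/0", c, a, t + 3)     # c and a share ge-0/0/0: not forwarded
    aged = br.age(t + 400)                             # all three entries older than 300 s
    return flooded, forwarded, broadcast, filtered, aged


if __name__ == "__main__":
    print(run_demo())
```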

Types of Switch Ports


The ports, or interfaces, on a switch operate in either access mode or trunk mode.
An interface in access mode connects to a network device, such as a desktop
computer, an IP telephone, a printer, a file server, or a security camera. The interface
itself belongs to a single VLAN. The frames transmitted over an access interface are
normal Ethernet frames. By default, when you boot a switch and use the
factory-default configuration, or when you boot the switch and do not explicitly
configure a port mode, all interfaces on the switch are in access mode.
Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all
those VLANs over the same physical connection. Trunk interfaces are generally used
to interconnect switches to one another.

IEEE 802.1Q Encapsulation and Tags


To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are
identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged
and are encapsulated with 802.1Q tags.
For a simple network that has only a single VLAN, all traffic has the same 802.1Q
tag.
When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique
802.1Q tag. The tag is applied to all frames so that the network nodes receiving the
frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic
among a number of VLANs, use the tag to determine the origin of frames and where
to forward them.
Juniper Networks EX3200 Ethernet Switches support a maximum of 4096 VLANs.
VLANs 0 and 4095 are reserved by the Juniper Networks JUNOS Software, so you
cannot use them in your network.

Assignment of Traffic to VLANs


You assign traffic to a particular VLAN in one of the following ways:


By interface (port) on the switch. You specify that all traffic received on a
particular interface on the switch is assigned to a specific VLAN. If you use the
default factory switch settings, all traffic received on an access interface is
untagged. This traffic is part of a default VLAN, but it is not tagged with an 802.1Q
tag. When configuring the switch, you specify which VLAN to assign the traffic
to. You configure the VLAN either by using a VLAN number (called a VLAN ID)
or by using a name, which the switch translates into a numeric VLAN ID.

By MAC address. You can specify that all traffic received from a specific MAC
address be forwarded to a specific egress interface (next hop) on the switch. This
method is administratively cumbersome to configure manually, but it can be


useful when you are using automated databases to manage the switches on your
network.

NOTE: If a Juniper Networks EX4200 Ethernet Switch is interconnected with other
switches in a Virtual Chassis configuration, each individual switch that is included as
a member of the configuration is identified with a member ID. The member ID
functions as an FPC slot number. When you are configuring interfaces for a Virtual
Chassis configuration, you specify the appropriate member ID (0 through 9) as the
slot element of the interface name.
The default factory settings for a Virtual Chassis configuration include FPC 0 as a
member of the default VLAN because FPC 0 is configured as part of the
ethernet-switching family. In order to include FPC 1 through FPC 9 in the default
VLAN, add the ethernet-switching family to the configurations for those interfaces.

Ethernet Switching Tables


As EX Series switches learn the MAC addresses of the devices on local VLANs, they
store them in the Ethernet switching table on the switch. With each MAC address, the Ethernet switching
table stores and associates the name of the interface (or port) on which the switch
learned that address. The switch uses the information in this table when forwarding
packets toward their destination.

Layer 2 and Layer 3 Forwarding of VLAN Traffic


To pass traffic within a VLAN, the switch uses Layer 2 forwarding protocols, including
IEEE 802.1Q, Spanning Tree Protocol (STP), and GARP VLAN Registration Protocol
(GVRP).
To pass traffic between two VLANs, the switch uses standard Layer 3 routing protocols,
such as static routing, OSPF, and RIP. On EX Series switches, the same interfaces
that support Layer 2 bridging protocols also support Layer 3 routing protocols,
providing multilayer switching.

GVRP
The GARP VLAN Registration Protocol (GVRP) is an application protocol of the Generic
Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard.
GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding
trunk port to the VLAN if the advertised VLAN is preconfigured on the switch.
The VLAN registration information sent by GVRP includes the current VLAN
membership, that is, which switches are members of which VLANs, and which
switch ports are in which VLAN. GVRP shares all VLAN information configured
manually on a local switch.
As part of ensuring that VLAN membership information is current, GVRP removes
switches and ports from the VLAN information when they become unavailable.
Pruning VLAN information:

Limits the network VLAN configuration to active participants only, reducing
network overhead.

Targets the scope of broadcast, unknown unicast, and multicast (BUM) traffic to
interested devices only.

Routed VLAN Interface


In a traditional network, broadcast domains consist of either physical interfaces
connected to a single switch or logical interfaces connected to one or more switches
through VLAN configurations. Switches send traffic to hosts that are part of the same
broadcast domain, but routers are needed to route traffic from one broadcast domain
to another and to perform other Layer 3 functions such as traffic engineering. EX
Series switches use a routed VLAN interface (RVI) to perform these routing functions,
using it to route data to other Layer 3 interfaces. This functionality eliminates the
need for having both a switch and a router.
The RVI must be configured as part of a broadcast domain or virtual private LAN
service (VPLS) routing instance in order for Layer 3 traffic to be routed out of it. The
RVI supports IPv4, IPv6, MPLS, and IS-IS traffic. At least one Layer 2 logical interface
must be operationally up in order for the RVI to be operationally up. You must
configure an RVI broadcast domain or VPLS routing instance just as you would
configure a VLAN on a switch. Multicast data, broadcast data, or unicast data is
switched between ports within the same RVI broadcast domain or VPLS routing
instance. The RVI routes data that is destined for the switch's media access control
(MAC) address.
To learn more about configuring routing protocols and policies, see the JUNOS Software
Routing Protocols Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html.
Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Example: Connecting an Access Switch to a Distribution Switch on page 498

Understanding Redundant Trunk Links on EX Series Switches


In a typical enterprise network comprised of distribution and access layers, a
redundant trunk link provides a simple solution for network recovery when a trunk
port goes down. Traffic is routed to another trunk port, keeping network convergence
time to a minimum. You can configure a maximum of 16 redundant trunk groups
on a standalone switch or on a Virtual Chassis.
To configure a redundant trunk link, create a redundant trunk group. The redundant
trunk group is configured on the access switch, and contains two links: a primary or
active link, and a secondary link. If the active link fails, the secondary link
automatically starts forwarding data traffic without waiting for normal STP
convergence.
Data traffic is forwarded only on the active link. Data traffic on the secondary link
is dropped and shown as dropped packets when you issue the operational mode
command show interfaces xe-interface-name extensive.
While data traffic is blocked on the secondary link, Layer 2 control traffic is still
permitted. For example, an LLDP session can be run between two Juniper Networks
EX Series Ethernet Switches on the secondary link.
STP is enabled by default on EX Series switches to create a loop-free topology. When
trunk links are placed in a redundant group, they cannot be part of an STP topology.
The Juniper Networks JUNOS Software for EX Series switches does not allow an
interface to be in a redundant trunk group and in an STP topology at the same time.
However, STP can continue operating in other parts of the network. For example,
STP may continue operating between the distribution switches and linking them to
the enterprise core.
Figure 27 on page 474 shows three switches in a basic topology for redundant trunk
links. Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up
the access layer. Switch 3 is connected to the distribution layer through trunk ports
ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2). Link 1 and Link 2 are in a redundant
trunk group called group1. Link 1 is designated as the primary link. Traffic flows
between Switch 3 in the access layer and Switch 1 in the distribution layer through
Link 1. While Link 1 is active, Link 2 blocks traffic.


Figure 27: Redundant Trunk Group, Link 1 Active

Figure 28 on page 475 illustrates how the redundant trunk link topology works when
the primary link goes down.


Figure 28: Redundant Trunk Group, Link 2 Active

Link 1 is down between Switch 3 and Switch 1. Link 2 takes over as the active link.
Traffic between the access layer and the distribution layer is automatically switched
to Link 2 between Switch 1 and Switch 2.
Related Topics

Example: Configuring Redundant Trunk Links for Faster Recovery on page 523

redundant-trunk-group

Understanding Storm Control on EX Series Switches


A traffic storm is generated when messages are broadcast on a network and each
message prompts a receiving node to respond by broadcasting its own messages on
the network. This, in turn, prompts further responses, creating a snowball effect.
The LAN is suddenly flooded with packets, creating unnecessary traffic that leads to
poor network performance or even a complete loss of network service. Storm control
enables the switch to monitor traffic levels and drop broadcast and unknown unicast
packets when a specified traffic level (called the storm control level) is exceeded,
thus preventing packets from proliferating and degrading the LAN. Alternatively, you
can configure the switch to shut down interfaces (see action-shutdown) or temporarily
disable interfaces (see port-error-disable) when the storm control level is exceeded.
By default, storm control is enabled on all switch interfaces at a level of 50 percent
of the combined broadcast and unknown unicast streams. You can change the storm
control level either by configuring it as a bandwidth value for the combined broadcast
and unknown unicast traffic streams or by configuring it as a percentage of the
combined broadcast and unknown unicast streams.


NOTE: The level configuration statement, which allows you to configure the storm
control level as a percentage of the combined broadcast and unknown unicast
streams, has been deprecated and might be removed from future product releases.
We strongly recommend that you phase out its use and replace it with the bandwidth
statement, which allows you to configure the storm control level as a bandwidth
value for the combined broadcast and unknown unicast traffic streams.
Broadcast, multicast, and unicast packets are part of normal LAN operation, so to
recognize a storm, you must be able to identify when traffic has reached a level that
is abnormal for your LAN. Suspect a storm when operations begin timing out and
network response times slow down. As more packets flood the LAN, network users
might be unable to access servers or e-mail.
Monitor the percentage of broadcast and unknown unicast traffic in the LAN when
it is operating normally. This data can then be used as a benchmark to determine
when traffic levels are too high. You can then configure storm control to set the level
at which you want to drop broadcast and unknown unicast traffic.
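The storm control decision logic described in this topic, as an added Python example that is not JUNOS code and not part of this guide: the level comes either from a bandwidth value or from a percentage (50 percent by default), the combined broadcast and unknown-unicast rate of each polling interval is compared with it, and the configured action (drop, shutdown, or temporary disable) applies; baseline_percent produces the normal-operation benchmark the text recommends. Assumptions: the bandwidth value is in bits per second, the percentage is taken of the link speed, and the counter snapshots are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StormControl:
    """Storm control settings for one interface (units are this example's own)."""
    link_bps: int                        # interface speed, e.g. 1_000_000_000 for a ge- port
    bandwidth_bps: Optional[int] = None  # 'bandwidth' statement: absolute level (assumed to be bps)
    level_pct: Optional[float] = None    # deprecated 'level' statement (assumed: percent of link speed)
    action: str = "drop"                 # "drop", "shutdown" (action-shutdown), "disable" (port-error-disable)

    def threshold_bps(self) -> float:
        """Absolute storm control level; bandwidth takes precedence; 50 percent is the default."""
        if self.bandwidth_bps is not None:
            return float(self.bandwidth_bps)
        pct = 50.0 if self.level_pct is None else self.level_pct
        return self.link_bps * pct / 100.0


def monitor(cfg: StormControl, samples) -> List[Tuple[Optional[float], str]]:
    """Evaluate cumulative (time_s, broadcast_bytes, unknown_unicast_bytes) snapshots.

    Returns one (combined_rate_bps, verdict) per interval. A counter that goes
    backwards (cleared or wrapped) skips that interval instead of yielding a
    negative rate. shutdown/disable latch: the interface stays "down" for the rest
    of the run, as it would until re-enabled manually or by autorecovery.
    """
    verdicts, down = [], False
    for (t0, b0, u0), (t1, b1, u1) in zip(samples, samples[1:]):
        if t1 <= t0 or b1 < b0 or u1 < u0:
            verdicts.append((None, "skipped"))
            continue
        rate = ((b1 - b0) + (u1 - u0)) * 8 / (t1 - t0)
        if down:
            verdicts.append((rate, "down"))
        elif rate > cfg.threshold_bps():
            verdicts.append((rate, cfg.action))
            down = cfg.action in ("shutdown", "disable")
        else:
            verdicts.append((rate, "forward"))
    return verdicts


def baseline_percent(cfg: StormControl, samples) -> float:
    """Average broadcast + unknown-unicast share of link speed under normal load."""
    rates = [r for r, _ in monitor(cfg, samples) if r is not None]
    return 100.0 * sum(rates) / len(rates) / cfg.link_bps


# Constructed one-second counter snapshots: a quiet LAN, then a broadcast storm.
NORMAL = [(0, 0, 0), (1, 125_000, 12_500), (2, 250_000, 25_000), (3, 375_000, 37_500)]
STORM = [(4, 75_375_000, 37_500), (5, 150_375_000, 37_500)]


def run_demo():
    """Default settings drop storm traffic; a 100 Mbps level with action-shutdown latches."""
    drop_cfg = StormControl(link_bps=1_000_000_000)   # defaults: 50 percent, drop
    shut_cfg = StormControl(link_bps=1_000_000_000, bandwidth_bps=100_000_000, action="shutdown")
    return (round(baseline_percent(drop_cfg, NORMAL), 2),
            [v for _, v in monitor(drop_cfg, NORMAL + STORM)],
            [v for _, v in monitor(shut_cfg, NORMAL + STORM)])


if __name__ == "__main__":
    print(run_demo())
```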
Related Topics

Example: Configuring Storm Control to Prevent Network Outages on EX Series
Switches on page 527

Configuring Autorecovery From the Disabled State on Secure or Storm Control
Interfaces (CLI Procedure) on page 558

Understanding Virtual Routing Instances on EX Series Switches


Virtual routing instances allow administrators to divide a Juniper Networks EX Series
Ethernet Switch into multiple independent virtual routers, each with its own routing
table. Splitting a device into many virtual routing instances isolates traffic traveling
across the network without requiring multiple devices to segment the network.
You can use virtual routing instances to isolate customer traffic on your network and
to bind customer-specific instances to customer-owned interfaces.
EX Series switches support up to 256 virtual routing instances. Virtual routing and
forwarding (VRF) is often used in conjunction with Layer 3 subinterfaces, allowing
traffic on a single physical interface to be differentiated and associated with multiple
virtual routers. Each logical Layer 3 subinterface can belong to only one routing
instance.
Related Topics

Understanding Layer 3 Subinterfaces on page 345

Example: Using Virtual Routing Instances to Route Among VLANs on EX Series
Switches on page 538

Configuring Virtual Routing Instances (CLI Procedure) on page 552


Understanding Q-in-Q Tunneling on EX Series Switches


Q-in-Q tunneling allows service providers on Ethernet access networks to extend a
Layer 2 Ethernet connection between two customer sites. Using Q-in-Q tunneling,
providers can also segregate or bundle customer traffic into fewer VLANs or different
VLANs by adding another layer of 802.1Q tags. Q-in-Q tunneling is useful when
customers have overlapping VLAN IDs, because the customer's 802.1Q (dot1Q) VLAN
tags are prepended by the service VLAN (S-VLAN) tag. The Juniper Networks JUNOS
Software implementation of Q-in-Q tunneling supports the IEEE 802.1ad standard.
This topic describes:

How Q-in-Q Tunneling Works on page 477

Disabling MAC Address Learning on page 478

Mapping C-VLANs to S-VLANs on page 478

All-in-One Bundling on page 478

Many-to-One Bundling on page 479

Mapping a Specific Interface on page 479

Routed VLAN Interfaces on Q-in-Q VLANs on page 479

Limitations for Q-in-Q Tunneling on page 479

How Q-in-Q Tunneling Works


In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service
provider's VLAN, a customer-specific 802.1Q tag is added to the packet. This
additional tag is used to segregate traffic into service-provider-defined service VLANs
(S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted
transparently, passing through the service provider's network. As the packet leaves
the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.
When Q-in-Q tunneling is enabled on Juniper Networks EX Series Ethernet Switches,
trunk interfaces are assumed to be part of the service provider network and access
interfaces are assumed to be customer facing. An access interface can receive both
tagged and untagged frames in this case.
An interface can be a member of multiple S-VLANs. You can map one C-VLAN to
one S-VLAN (1:1) or multiple C-VLANs to one S-VLAN (N:1). Packets are double-tagged
for an additional layer of segregating or bundling of C-VLANs. C-VLAN and S-VLAN
tags are unique; so you can have both a C-VLAN 101 and an S-VLAN 101, for example.
You can limit the set of accepted customer tags to a range of tags or to discrete
values. Class-of-service (CoS) values of C-VLANs are unchanged in the downstream
direction. You may, optionally, copy ingress priority and CoS settings to the S-VLAN.
Using private VLANs, you can isolate users to prevent the forwarding of traffic between
user interfaces even if the interfaces are on the same VLAN.
You can use the native option to specify an S-VLAN for untagged and priority tagged
packets when using many-to-one bundling and mapping a specific interface
approaches to map C-VLANs to S-VLANs. Otherwise the packets are discarded. The
native option is not available for all-in-one bundling because there is no need to


specify untagged and priority tagged packets when all packets are mapped to the
C-VLAN. See the Mapping C-VLANs to S-VLANs section of this document for
information on the methods of mapping C-VLANs to S-VLANs.
Firewall filters allow you to map an interface to a VLAN based on a policy. Using
firewall filters to map an interface to a VLAN is useful when you want a subset of
traffic from a port to be mapped to a selected VLAN instead of the designated VLAN.
To configure a firewall filter to map an interface to a VLAN, the vlan option has to be
configured as part of the firewall filter and the mapping policy option must be specified
in the interface configuration for each logical interface using the filter.

Disabling MAC Address Learning


In a Q-in-Q deployment, customer packets from downstream interfaces are
transported without any changes to source and destination MAC addresses. You can
disable MAC address learning at both the interface level and the VLAN level. Disabling
MAC address learning on an interface disables learning for all the VLANs of which
that interface is a member. When you disable MAC address learning on a VLAN, MAC
addresses that have already been learned are flushed.
If you disable MAC address learning on an interface or a VLAN, you cannot include
MAC move limiting or 802.1X authentication in that same VLAN configuration.
When a routed VLAN interface (RVI) is associated with either an interface or a VLAN
on which MAC address learning is disabled, the Layer 3 routes resolved on that VLAN
or that interface are not resolved with the Layer 2 component. This results in routed
packets flooding all the interfaces associated with the VLAN.

Mapping C-VLANs to S-VLANs


There are three ways to map C-VLANs to an S-VLAN:

All-in-one bundling: Use the dot1q-tunneling option to map without specifying
customer VLANs. All packets from all access interfaces are mapped to the S-VLAN.

Many-to-one bundling: Use the customer-vlans option to specify which C-VLANs
are mapped to the S-VLAN.

Mapping a specific interface: Use the mapping option to indicate a specific
S-VLAN for a given C-VLAN. The specified C-VLAN applies to only one VLAN and
not all access interfaces as in the cases of all-in-one and many-to-one bundling.

If you configure multiple methods, the switch gives priority to mapping a specific
interface, then to many-to-one bundling, and last to all-in-one bundling. However,
you cannot have overlapping rules for the same C-VLAN under a given approach.

All-in-One Bundling
All-in-one bundling maps all packets from all access interfaces to the S-VLAN.
All-in-one bundling is configured using the dot1q-tunneling option without specifying
customer VLANs.


When all-in-one bundling is used, all packets leaving the C-VLAN, including untagged
and priority tagged packets, enter the S-VLAN.

Many-to-One Bundling
Many-to-one bundling is used to specify which C-VLANs are mapped to an S-VLAN.
Many-to-one bundling is configured using the customer-vlans option.
Many-to-one bundling is used when you want a subset of the C-VLANs on the access
switch to be part of the S-VLAN. When using many-to-one bundling, untagged and
priority tagged packets can be mapped to the S-VLAN when the native option is
specified along with the customer-vlans option.

Mapping a Specific Interface

Use the mapping a specific interface approach when you want to assign an S-VLAN
to a specific C-VLAN on an interface. The mapping a specific interface configuration
only applies to the configured interface, not to all access interfaces as in the cases
of the all-in-one bundling and many-to-one bundling approaches. The mapping a
specific interface approach is configured using the mapping option to indicate a
specific S-VLAN for a given C-VLAN.
It might be useful to have S-VLANs that provide service to multiple customers. Each
customer will typically have its own S-VLAN plus access to one or more S-VLANs that
are used by multiple customers. A specific tag on the customer side is mapped to an
S-VLAN. Typically, this functionality is used to keep data from different customers
separate or to provide individualized treatment of the packets on a certain interface.
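The precedence rules above (a per-interface mapping beats many-to-one bundling, which beats all-in-one bundling, and one C-VLAN may not appear in two rules of the same approach) are easy to misread when several S-VLANs are configured on one edge switch. The following Python model is an added example, not Juniper code or part of this guide; it encodes the three methods and the stated precedence so that you can check which S-VLAN a given customer frame would land in before committing a configuration. The option names follow the page (dot1q-tunneling, customer-vlans, mapping, native); the class names, S-VLAN names and IDs are constructed for the demonstration.

```python
"""Model how a Q-in-Q switch picks the S-VLAN for a customer frame.

Added example, not Juniper code: it encodes the three mapping methods the
text describes and the stated precedence (mapping a specific interface,
then many-to-one bundling, then all-in-one bundling) and rejects
overlapping rules for one C-VLAN within an approach.  Option names follow
the page; the classes, S-VLAN names and IDs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

UNTAGGED = None  # constructed marker for untagged or priority-tagged frames


@dataclass
class SVlanConfig:
    svlan_id: int
    dot1q_tunneling: bool = False                          # all-in-one bundling
    customer_vlans: Set[int] = field(default_factory=set)  # many-to-one bundling
    native: bool = False                                   # untagged frames join too


@dataclass
class QinQSwitch:
    svlans: Dict[str, SVlanConfig] = field(default_factory=dict)
    # (interface, C-VLAN) -> S-VLAN name: the "mapping a specific interface" method
    interface_mappings: Dict[Tuple[str, Optional[int]], str] = field(default_factory=dict)

    def add_svlan(self, name: str, cfg: SVlanConfig) -> None:
        # The same C-VLAN may not be bundled into two S-VLANs (overlapping rule).
        for other, ocfg in self.svlans.items():
            dup = ocfg.customer_vlans & cfg.customer_vlans
            if dup:
                raise ValueError(f"C-VLAN(s) {sorted(dup)} already bundled into {other}")
        # Two catch-all (all-in-one) S-VLANs would also be overlapping rules.
        if cfg.dot1q_tunneling and not cfg.customer_vlans and any(
            o.dot1q_tunneling and not o.customer_vlans for o in self.svlans.values()
        ):
            raise ValueError("only one all-in-one S-VLAN may catch every interface")
        self.svlans[name] = cfg

    def add_interface_mapping(self, interface: str, cvlan: int, svlan: str) -> None:
        key = (interface, cvlan)
        if key in self.interface_mappings:
            raise ValueError(f"{interface} C-VLAN {cvlan} is already mapped")
        self.interface_mappings[key] = svlan

    def resolve(self, interface: str, cvlan: Optional[int]) -> Tuple[Optional[int], Optional[str]]:
        """Return (S-VLAN ID, method) for a frame from `interface` carrying C-VLAN
        `cvlan` (UNTAGGED for none), or (None, None) when no rule matches."""
        # 1. A mapping for this exact interface and C-VLAN wins.
        name = self.interface_mappings.get((interface, cvlan))
        if name is not None:
            return self.svlans[name].svlan_id, "mapping a specific interface"
        # 2. Many-to-one bundling; untagged frames only join when native is set.
        for cfg in self.svlans.values():
            if not cfg.customer_vlans:
                continue
            if cvlan in cfg.customer_vlans or (cvlan is UNTAGGED and cfg.native):
                return cfg.svlan_id, "many-to-one bundling"
        # 3. All-in-one bundling takes whatever is left, untagged included.
        for cfg in self.svlans.values():
            if cfg.dot1q_tunneling and not cfg.customer_vlans:
                return cfg.svlan_id, "all-in-one bundling"
        return None, None


def build_demo() -> QinQSwitch:
    """Constructed provider edge: one catch-all S-VLAN, one bundled S-VLAN and
    one S-VLAN reachable only through a per-interface mapping."""
    sw = QinQSwitch()
    sw.add_svlan("all-customers", SVlanConfig(svlan_id=4000, dot1q_tunneling=True))
    sw.add_svlan("gold", SVlanConfig(svlan_id=3000, dot1q_tunneling=True,
                                     customer_vlans={10, 20, 30}, native=True))
    sw.add_svlan("shared-voip", SVlanConfig(svlan_id=3500))
    sw.add_interface_mapping("ge-0/0/1", 20, "shared-voip")
    return sw


if __name__ == "__main__":
    sw = build_demo()
    for iface, cv in [("ge-0/0/1", 20), ("ge-0/0/2", 20), ("ge-0/0/2", 99), ("ge-0/0/2", UNTAGGED)]:
        print(iface, cv, "->", sw.resolve(iface, cv))
```

Running the script shows C-VLAN 20 on ge-0/0/1 going to S-VLAN 3500 through the interface mapping while the same C-VLAN on any other port is bundled into 3000, an untagged frame following the native option into 3000, and an unlisted C-VLAN falling through to the all-in-one S-VLAN 4000.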

Routed VLAN Interfaces on Q-in-Q VLANs

Routed VLAN interfaces (RVIs) are supported on Q-in-Q VLANs.
Packets arriving on an RVI that is using Q-in-Q VLANs will get routed regardless of
whether the packet is single or double tagged. The outgoing routed packets contain
an S-VLAN tag only when exiting a trunk interface; the packets exit the interface
untagged when exiting an access interface.

Limitations for Q-in-Q Tunneling

Q-in-Q tunneling does not support most access port security features. There is no
per-VLAN (customer) policing or per-VLAN (outgoing) shaping and limiting with Q-in-Q
tunneling unless you configure these security features using firewall filters.

Related Topics

Understanding Bridging and VLANs on EX Series Switches on page 467
Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530
Configuring Q-in-Q Tunneling (CLI Procedure) on page 551


Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Understanding Unknown Unicast Forwarding on EX Series Switches

Unknown unicast traffic consists of unicast packets with unknown destination MAC
addresses. By default, the switch floods these unicast packets that are traveling in a
VLAN to all interfaces that are members of the VLAN. Forwarding this type of traffic
to interfaces on the switch can trigger a security issue. The LAN is suddenly flooded
with packets, creating unnecessary traffic that leads to poor network performance
or even a complete loss of network service. This is known as a traffic storm.
To prevent a storm, you can disable the flooding of unknown unicast packets to all
interfaces by configuring one VLAN or all VLANs to forward all unknown unicast
traffic to a specific trunk interface. This channels the unknown unicast traffic to a
single interface.

Related Topics

Understanding Storm Control on EX Series Switches on page 475
Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527
Configuring Unknown Unicast Forwarding (CLI Procedure) on page 555

Understanding Private VLANs on EX Series Switches

The private VLAN (PVLAN) feature on Juniper Networks EX Series Ethernet Switches
allows an administrator to split a broadcast domain into multiple isolated broadcast
subdomains, essentially putting a VLAN inside a VLAN. Just like regular VLANs,
PVLANs are isolated on Layer 2 and require that a Layer 3 device be used to route
traffic among them. Private VLANs are useful for restricting the flow of broadcast
and unknown unicast traffic and for limiting the communication between known
hosts.
In a private VLAN, one VLAN is designated the primary VLAN, and other VLANs are
nested inside that VLAN as secondary VLANs.

Primary: A VLAN used to forward frames downstream to isolated and community
VLANs.

Isolated: A secondary VLAN that receives packets only from the primary VLAN
and forwards frames upstream to the primary VLAN.

Community: A secondary VLAN that transports frames among community
interfaces within the same community and forwards frames upstream to the
primary VLAN.

Private VLANs provide IP address conservation and efficient allocation of those IP
addresses. In a typical network, VLANs usually correspond to a single IP subnet. In
private VLANs, the hosts in all the secondary VLANs still belong to the same IP subnet
as the subnet allocated to the primary VLAN. Hosts within the secondary VLAN are
numbered out of IP subnets associated with the primary VLAN, and their IP subnet
masking information reflects that of the primary VLAN subnet. Any primary routed
VLAN interfaces (RVIs) perform functions similar to proxy ARP to enable
communication between hosts that are members of a different secondary VLAN.

NOTE: If you enable no-mac-learning on a primary VLAN, all isolated VLANs in that
private VLAN inherit that setting. If you want to disable MAC address learning on
any community VLANs, you must configure no-mac-learning on each of those VLANs.
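The three roles above define a small forwarding matrix, and getting it wrong in either direction (two isolated hosts that can reach each other, or a community that cannot reach its gateway) is the usual way a PVLAN deployment fails to deliver the host isolation it was built for. The following Python function is an added example, not Juniper code; it encodes the primary, isolated and community rules as the page states them so that a planned port layout can be checked against the intended reachability. Port names and community names are constructed.

```python
"""Decide whether a private VLAN forwards a frame from one port to another.

Added example, not Juniper code: it encodes the three VLAN roles the text
defines.  A primary port forwards downstream to isolated and community
ports and receives from all of them; an isolated port exchanges frames
only with the primary; a community port exchanges frames with its own
community and with the primary.  Port and community names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ROLES = {"primary", "isolated", "community"}


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str
    community: Optional[str] = None  # required for, and only for, role == "community"

    def __post_init__(self):
        if self.role not in ROLES:
            raise ValueError(f"{self.name}: unknown role {self.role!r}")
        if (self.role == "community") != (self.community is not None):
            raise ValueError(f"{self.name}: a community name goes only with the community role")


def pvlan_allows(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame received on src may be forwarded out dst."""
    if src.name == dst.name:
        return False                         # never hairpin back out the receiving port
    if src.role == "primary" or dst.role == "primary":
        return True                          # primary reaches, and is reached by, everyone
    if src.role == "isolated" or dst.role == "isolated":
        return False                         # isolated hosts never see each other
    return src.community == dst.community    # two community ports: same community only


def reachable_from(src: PvlanPort, ports: List[PvlanPort]) -> List[str]:
    """Names of the ports a frame from src can be delivered to, sorted."""
    return sorted(p.name for p in ports if pvlan_allows(src, p))


def demo_ports() -> List[PvlanPort]:
    """Constructed layout: ge-0/0/0 is the primary port toward the router,
    ge-0/0/1-2 are isolated hosts, ge-0/0/3-4 share community 'web', ge-0/0/5 is 'db'."""
    return [
        PvlanPort("ge-0/0/0", "primary"),
        PvlanPort("ge-0/0/1", "isolated"),
        PvlanPort("ge-0/0/2", "isolated"),
        PvlanPort("ge-0/0/3", "community", "web"),
        PvlanPort("ge-0/0/4", "community", "web"),
        PvlanPort("ge-0/0/5", "community", "db"),
    ]


if __name__ == "__main__":
    ports = demo_ports()
    for p in ports:
        label = p.role + (f"/{p.community}" if p.community else "")
        print(f"{p.name} ({label}) -> {reachable_from(p, ports)}")
```

The matrix the script prints is what the NOTE above interacts with: disabling MAC learning on the primary VLAN silences learning in every isolated VLAN beneath it, but a community VLAN keeps learning until it is configured individually, so the reachability check and the learning settings need to be reviewed per role.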
Related Topics

Understanding Bridging and VLANs on EX Series Switches on page 467
Example: Configuring a Private VLAN on an EX Series Switch on page 533
Creating a Private VLAN (CLI Procedure) on page 550

Chapter 29

Examples of Configuring Layer 2 Bridging, VLANs, and GVRP

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
Example: Connecting an Access Switch to a Distribution Switch on page 498
Example: Configure Automatic VLAN Administration Using GVRP on page 508
Example: Configuring Redundant Trunk Links for Faster Recovery on page 523
Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527
Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530
Example: Configuring a Private VLAN on an EX Series Switch on page 533
Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches on page 538

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch

EX Series switches use bridging and virtual LANs (VLANs) to connect network devices
in a LAN (desktop computers, IP telephones, printers, file servers, wireless access
points, and others) and to segment the LAN into smaller bridging domains. The
switch's default configuration provides a quick setup of bridging and a single VLAN.
This example describes how to configure basic bridging and VLANs for an EX Series
switch:

Requirements on page 483
Overview and Topology on page 484
Configuration on page 485
Verification on page 489

Requirements

This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX Series switches
One EX4200 Virtual Chassis switch

Before you set up bridging and a VLAN, be sure you have:

Installed your EX Series switch. See Installing and Connecting an EX3200 or
EX4200 Switch.
Performed the initial switch configuration. See Connecting and Configuring an
EX Series Switch (J-Web Procedure) on page 81.

Overview and Topology

EX Series switches connect network devices in an office LAN or a data center LAN
to provide sharing of common resources such as printers and file servers and to
enable wireless devices to connect to the LAN through wireless access points. Without
bridging and VLANs, all devices on the Ethernet LAN are in a single broadcast domain,
and all the devices detect all the packets on the LAN. Bridging creates separate
broadcast domains on the LAN, creating VLANs, which are independent logical
networks that group together related devices into separate network segments. The
grouping of devices on a VLAN is independent of where the devices are physically
located in the LAN.
To use an EX Series switch to connect network devices on a LAN, you must, at a
minimum, configure bridging and VLANs. If you simply power on the switch and
perform the initial switch configuration using the factory-default settings, bridging
is enabled on all the switch's interfaces, all interfaces are in access mode, and all
interfaces belong to a VLAN called default, which is automatically configured. When
you plug access devices (such as desktop computers, Avaya IP telephones, file
servers, printers, and wireless access points) into the switch, they are joined
immediately into the default VLAN and the LAN is up and running.
The topology used in this example consists of one EX4200-24T switch, which has a
total of 24 ports. Eight of the ports support Power over Ethernet (PoE), which means
they provide both network connectivity and electric power for the device connecting
to the port. To these ports, you can plug in devices requiring PoE, such as Avaya
VoIP telephones, wireless access points, and some IP cameras. (Avaya phones have
a built-in hub that allows you to connect a desktop PC to the phone, so the desktop
and phone in a single office require only one port on the switch.) The remaining 16
ports provide only network connectivity. You use them to connect devices that have
their own power sources, such as desktop and laptop computers, printers, and servers.
Table 64 details the topology used in this configuration example.

Table 64: Components of the Basic Bridging Configuration Topology

Property                                                      Settings
Switch hardware                                               EX4200-24T switch, with 24 Gigabit Ethernet ports: 8 PoE
                                                              ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports
                                                              (ge-0/0/8 through ge-0/0/23)
VLAN name                                                     default
Connection to wireless access point (requires PoE)            ge-0/0/0
Connections to Avaya IP telephone with integrated hub, to     ge-0/0/1 through ge-0/0/7
connect phone and desktop PC to a single port (requires PoE)
Direct connections to desktop PCs (no PoE required)           ge-0/0/8 through ge-0/0/12
Connections to file servers (no PoE required)                 ge-0/0/17 and ge-0/0/18
Connections to integrated printer/fax/copier machines         ge-0/0/19 through ge-0/0/20
(no PoE required)
Unused ports (for future expansion)                           ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through
                                                              ge-0/0/23

Configuration

CLI Quick Configuration

By default, after you perform the initial configuration on the EX4200 switch, switching
is enabled on all interfaces, a VLAN named default is created, and all interfaces are
placed into this VLAN. You do not need to perform any other configuration on the
switch to set up bridging and VLANs. To use the switch, simply plug the Avaya IP
phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7, and plug in the PCs,
file servers, and printers to the non-PoE ports, ge-0/0/8 through ge-0/0/12 and
ge-0/0/17 through ge-0/0/20.

Step-by-Step Procedure

To configure bridging and VLANs:

1. Make sure the switch is powered on.
2. Connect the wireless access point to switch port ge-0/0/0.
3. Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.
4. Connect the five PCs to ports ge-0/0/8 through ge-0/0/12.
5. Connect the two file servers to ports ge-0/0/17 and ge-0/0/18.
6. Connect the two printers to ports ge-0/0/19 and ge-0/0/20.

Results

Check the results of the configuration:


[edit]
user@switch> show configuration
## Last commit: 2008-03-06 00:11:22 UTC by triumph
version 9.0;
system {
    root-authentication {
        encrypted-password "$1$urmA7AFM$x5SaGEUOdSI3u1K/iITGh1"; ## SECRET-DATA
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit {
        factory-settings {
            reset-chassis-lcd-menu;
            reset-virtual-chassis-configuration;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
protocols {
    lldp {
        interface all;
    }
    rstp;
}
poe {
    interface all;
}

Verification

To verify that switching is operational and that a VLAN has been created, perform
these tasks:

Verifying That the VLAN Has Been Created on page 489
Verifying That Interfaces Are Associated with the Proper VLANs on page 489

Verifying That the VLAN Has Been Created

Purpose
Verify that the VLAN named default has been created on the switch.

Action
List all VLANs configured on the switch:

user@switch> show vlans
Name           Tag     Interfaces
default                ge-0/0/0.0*, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
                       ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
                       ge-0/0/8.0*, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0*,
                       ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
                       ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0*,
                       ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0,
                       ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
mgmt                   me0.0*

Meaning
The show vlans command lists the VLANs configured on the switch. This output shows
that the VLAN default has been created.

Verifying That Interfaces Are Associated with the Proper VLANs

Purpose
Verify that Ethernet switching is enabled on switch interfaces and that all interfaces
are included in the VLAN.

Action
List all interfaces on which switching is enabled:

user@switch> show ethernet-switching interfaces
Interface     State  VLAN members  Blocking
ge-0/0/0.0    up     default       unblocked
ge-0/0/1.0    down   default       blocked - blocked by STP/RTG
ge-0/0/2.0    down   default       blocked - blocked by STP/RTG
ge-0/0/3.0    down   default       blocked - blocked by STP/RTG
ge-0/0/4.0    down   default       blocked - blocked by STP/RTG
ge-0/0/5.0    down   default       blocked - blocked by STP/RTG
ge-0/0/6.0    down   default       blocked - blocked by STP/RTG
ge-0/0/7.0    down   default       blocked - blocked by STP/RTG
ge-0/0/8.0    up     default       unblocked
ge-0/0/9.0    down   default       blocked - blocked by STP/RTG
ge-0/0/10.0   down   default       blocked - blocked by STP/RTG
ge-0/0/11.0   up     default       unblocked
ge-0/0/12.0   down   default       blocked - blocked by STP/RTG
ge-0/0/13.0   down   default       blocked - blocked by STP/RTG
ge-0/0/14.0   down   default       blocked - blocked by STP/RTG
ge-0/0/15.0   down   default       blocked - blocked by STP/RTG
ge-0/0/16.0   down   default       blocked - blocked by STP/RTG
ge-0/0/17.0   down   default       blocked - blocked by STP/RTG
ge-0/0/18.0   down   default       blocked - blocked by STP/RTG
ge-0/0/19.0   up     default       unblocked
ge-0/0/20.0   down   default       blocked - blocked by STP/RTG
ge-0/0/21.0   down   default       blocked - blocked by STP/RTG
ge-0/0/22.0   down   default       blocked - blocked by STP/RTG
ge-0/0/23.0   down   default       blocked - blocked by STP/RTG
ge-0/1/0.0    up     default       unblocked
ge-0/1/1.0    up     default       unblocked
ge-0/1/2.0    up     default       unblocked
ge-0/1/3.0    up     default       unblocked
me0.0         up     mgmt          unblocked

Meaning
The show ethernet-switching interfaces command lists all interfaces on which switching
is enabled (in the Interfaces column), along with the VLANs that are active on the
interfaces (in the VLAN members column). The output in this example shows all the
connected interfaces, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20
and that they are all part of VLAN default. Notice that the interfaces listed are the
logical interfaces, not the physical interfaces. For example, the output shows
ge-0/0/0.0 instead of ge-0/0/0. This is because JUNOS Software creates VLANs on
logical interfaces, not directly on physical interfaces.

Related Topics

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
Example: Connecting an Access Switch to a Distribution Switch on page 498
Example: Configure Automatic VLAN Administration Using GVRP on page 508
Understanding Bridging and VLANs on EX Series Switches on page 467

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches

To segment traffic on a LAN into separate broadcast domains, you create separate
virtual LANs (VLANs) on an EX Series switch. Each VLAN is a collection of network
nodes. When you use VLANs, frames whose origin and destination are in the same
VLAN are forwarded only within the local VLAN, and only frames not destined for
the local VLAN are forwarded to other broadcast domains. VLANs thus limit the
amount of traffic flowing across the entire LAN, reducing the possible number of
collisions and packet retransmissions within the LAN.
This example describes how to configure bridging for an EX Series switch and how
to create two VLANs to segment the LAN:

Requirements on page 491
Overview and Topology on page 491
Configuration on page 492
Verification on page 496

Requirements

This example uses the following hardware and software components:

One EX4200-48P Virtual Chassis switch
JUNOS Release 9.0 or later for EX Series switches

Before you set up bridging and VLANs, be sure you have:

Installed the EX Series switch. See Installing and Connecting an EX3200 or
EX4200 Switch.
Performed the initial switch configuration. See Connecting and Configuring an
EX Series Switch (J-Web Procedure) on page 81.

Overview and Topology

EX Series switches connect all devices in an office or data center into a single LAN
to provide sharing of common resources such as printers and file servers and to
enable wireless devices to connect to the LAN through wireless access points. The
default configuration creates a single VLAN, and all traffic on the switch is part of
that broadcast domain. Creating separate network segments reduces the span of the
broadcast domain and allows you to group related users and network resources
without being limited by physical cabling or by the location of a network device in
the building or on the LAN.
This example shows a simple configuration to illustrate the basic steps for creating
two VLANs on a single switch. One VLAN, called sales, is for the sales and marketing
group, and a second, called support, is for the customer support team. The sales and
support groups each have their own dedicated file servers, printers, and wireless
access points. For the switch ports to be segmented across the two VLANs, each
VLAN must have its own broadcast domain, identified by a unique name and tag
(VLAN ID). In addition, each VLAN must be on its own distinct IP subnet.
The topology for this example consists of one EX4200-48P switch, which has a total
of 48 Gigabit Ethernet ports, all of which support Power over Ethernet (PoE). Most
of the switch ports connect to Avaya IP telephones. The remainder of the ports
connect to wireless access points, file servers, and printers.

Table 65: Components of the Multiple VLAN Topology

Property                      Settings
Switch hardware               EX4200-48P, 48 Gigabit Ethernet ports, all PoE-enabled
                              (ge-0/0/0 through ge-0/0/47)
VLAN names and tag IDs        sales, tag 100
                              support, tag 200
VLAN subnets                  sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
                              support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)
Interfaces in VLAN sales      Avaya IP telephones: ge-0/0/3 through ge-0/0/19
                              Wireless access points: ge-0/0/0 and ge-0/0/1
                              Printers: ge-0/0/22 and ge-0/0/23
                              File servers: ge-0/0/20 and ge-0/0/21
Interfaces in VLAN support    Avaya IP telephones: ge-0/0/25 through ge-0/0/43
                              Wireless access points: ge-0/0/24
                              Printers: ge-0/0/44 and ge-0/0/45
                              File servers: ge-0/0/46 and ge-0/0/47
Unused interfaces             ge-0/0/2 and ge-0/0/25

This configuration example creates two IP subnets, one for the sales VLAN and the
second for the support VLAN. The switch bridges traffic within a VLAN. For traffic
passing between two VLANs, the switch routes the traffic using a Layer 3 routing
interface on which you have configured the address of the IP subnet.
To keep the example simple, the configuration steps show only a few devices in each
of the VLANs. Use the same configuration procedure to add more LAN devices.

Configuration

Configure Layer 2 switching for two VLANs:

CLI Quick Configuration

To quickly configure Layer 2 switching for the two VLANs (sales and support) and to
quickly configure Layer 3 routing of traffic between the two VLANs, copy the following
commands and paste them into the switch terminal window (multi-word descriptions
must be quoted, and the routed interface addresses are the first host address of each
subnet, as in the step-by-step procedure):

[edit]
set interfaces ge-0/0/0 unit 0 description "Sales wireless access point port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/3 unit 0 description "Sales phone port"
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/22 unit 0 description "Sales printer port"
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/20 unit 0 description "Sales file server port"
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/24 unit 0 description "Support wireless access point port"
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/26 unit 0 description "Support phone port"
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/44 unit 0 description "Support printer port"
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/46 unit 0 description "Support file server port"
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support
set interfaces vlan unit 0 family inet address 192.0.2.1/25
set interfaces vlan unit 1 family inet address 192.0.2.129/25
set vlans sales l3-interface vlan.0
set vlans sales vlan-id 100
set vlans support vlan-id 200
set vlans support l3-interface vlan.1

Step-by-Step Procedure

Configure the switch interfaces and the VLANs to which they belong. By default, all
interfaces are in access mode, so you do not have to configure the port mode.

1. Configure the interface for the wireless access point in the sales VLAN:

   [edit interfaces ge-0/0/0 unit 0]
   user@switch# set description "Sales wireless access point port"
   user@switch# set family ethernet-switching vlan members sales

2. Configure the interface for the Avaya IP phone in the sales VLAN:

   [edit interfaces ge-0/0/3 unit 0]
   user@switch# set description "Sales phone port"
   user@switch# set family ethernet-switching vlan members sales

3. Configure the interface for the printer in the sales VLAN:

   [edit interfaces ge-0/0/22 unit 0]
   user@switch# set description "Sales printer port"
   user@switch# set family ethernet-switching vlan members sales

4. Configure the interface for the file server in the sales VLAN:

   [edit interfaces ge-0/0/20 unit 0]
   user@switch# set description "Sales file server port"
   user@switch# set family ethernet-switching vlan members sales

5. Configure the interface for the wireless access point in the support VLAN:

   [edit interfaces ge-0/0/24 unit 0]
   user@switch# set description "Support wireless access point port"
   user@switch# set family ethernet-switching vlan members support

6. Configure the interface for the Avaya IP phone in the support VLAN:

   [edit interfaces ge-0/0/26 unit 0]
   user@switch# set description "Support phone port"
   user@switch# set family ethernet-switching vlan members support

7. Configure the interface for the printer in the support VLAN:

   [edit interfaces ge-0/0/44 unit 0]
   user@switch# set description "Support printer port"
   user@switch# set family ethernet-switching vlan members support

8. Configure the interface for the file server in the support VLAN:

   [edit interfaces ge-0/0/46 unit 0]
   user@switch# set description "Support file server port"
   user@switch# set family ethernet-switching vlan members support

9. Create the subnet for the sales broadcast domain:

   [edit interfaces]
   user@switch# set vlan unit 0 family inet address 192.0.2.1/25

10. Create the subnet for the support broadcast domain:

   [edit interfaces]
   user@switch# set vlan unit 1 family inet address 192.0.2.129/25

11. Configure the VLAN tag IDs for the sales and support VLANs:

   [edit vlans]
   user@switch# set sales vlan-id 100
   user@switch# set support vlan-id 200

12. To route traffic between the sales and support VLANs, define the interfaces that
    are members of each VLAN and associate a Layer 3 interface:

   [edit vlans]
   user@switch# set sales l3-interface vlan.0
   user@switch# set support l3-interface vlan.1
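The twelve steps above are the same two-command pattern applied port by port, and on a 48-port switch the errors that slip in are the mundane ones: a port listed in the wrong VLAN, a tag or vlan.N unit reused, two VLANs whose subnets overlap, or a multi-word description pasted without quotes. The following Python script is an added example, not the guide's or Juniper's tooling; it generates the set commands of the quick configuration from a small port plan after checking the plan for those mistakes. VLAN tags, subnets and port numbers follow the example; the plan dictionaries and function names are constructed here.

```python
"""Generate the JUNOS set commands for the two-VLAN example from a port plan.

Added example, not the guide's tooling: it turns a small table of ports and
VLANs into the `set` commands the procedure enters by hand, after checking
that no two VLANs share a tag, a routed unit or an overlapping subnet.
VLAN tags, subnets and port numbers follow the example; the plan
dictionaries and function names are constructed.  Multi-word descriptions
are emitted in quotes, which the CLI requires.
"""
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

# VLAN name -> tag, subnet, routed (RVI) unit.  Constructed from Table 65.
VLAN_PLAN: Dict[str, dict] = {
    "sales":   {"tag": 100, "subnet": "192.0.2.0/25",   "unit": 0},
    "support": {"tag": 200, "subnet": "192.0.2.128/25", "unit": 1},
}

# Physical port -> (VLAN, description).  Constructed subset used by the example.
PORT_PLAN: Dict[str, Tuple[str, str]] = {
    "ge-0/0/0":  ("sales",   "Sales wireless access point port"),
    "ge-0/0/3":  ("sales",   "Sales phone port"),
    "ge-0/0/22": ("sales",   "Sales printer port"),
    "ge-0/0/20": ("sales",   "Sales file server port"),
    "ge-0/0/24": ("support", "Support wireless access point port"),
    "ge-0/0/26": ("support", "Support phone port"),
    "ge-0/0/44": ("support", "Support printer port"),
    "ge-0/0/46": ("support", "Support file server port"),
}


def gateway_address(subnet: str) -> str:
    """First usable host of the subnet with its prefix length (192.0.2.0/25 -> 192.0.2.1/25)."""
    net = IPv4Network(subnet)
    return f"{net.network_address + 1}/{net.prefixlen}"


def plan_errors(vlan_plan: Dict[str, dict]) -> List[str]:
    """Report out-of-range or duplicate tags, duplicate units and overlapping subnets."""
    errors: List[str] = []
    seen_tag: Dict[int, str] = {}
    seen_unit: Dict[int, str] = {}
    nets: List[Tuple[str, IPv4Network]] = []
    for name, spec in vlan_plan.items():
        tag, unit = spec["tag"], spec["unit"]
        if not 1 <= tag <= 4094:
            errors.append(f"{name}: vlan-id {tag} is outside 1-4094")
        if tag in seen_tag:
            errors.append(f"{name}: vlan-id {tag} already used by {seen_tag[tag]}")
        seen_tag.setdefault(tag, name)
        if unit in seen_unit:
            errors.append(f"{name}: vlan.{unit} already used by {seen_unit[unit]}")
        seen_unit.setdefault(unit, name)
        net = IPv4Network(spec["subnet"])
        for other, onet in nets:
            if net.overlaps(onet):
                errors.append(f"{name}: subnet {net} overlaps {other} ({onet})")
        nets.append((name, net))
    return errors


def junos_set_commands(vlan_plan: Dict[str, dict], port_plan: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the set commands in the order the quick configuration lists them."""
    problems = plan_errors(vlan_plan)
    if problems:
        raise ValueError("; ".join(problems))
    cmds: List[str] = []
    for port, (vlan, desc) in port_plan.items():
        if vlan not in vlan_plan:
            raise ValueError(f"{port}: VLAN {vlan} is not in the plan")
        cmds.append(f'set interfaces {port} unit 0 description "{desc}"')
        cmds.append(f"set interfaces {port} unit 0 family ethernet-switching vlan members {vlan}")
    for vlan, spec in vlan_plan.items():
        cmds.append(f"set interfaces vlan unit {spec['unit']} family inet address "
                    f"{gateway_address(spec['subnet'])}")
        cmds.append(f"set vlans {vlan} vlan-id {spec['tag']}")
        cmds.append(f"set vlans {vlan} l3-interface vlan.{spec['unit']}")
    return cmds


if __name__ == "__main__":
    print("[edit]")
    print("\n".join(junos_set_commands(VLAN_PLAN, PORT_PLAN)))
```

The output is pasteable into the switch terminal window exactly as the quick configuration describes; when the plan is extended to all 48 ports of Table 65, the plan check is what catches a port that appears in both VLAN lists before the configuration is ever committed.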

Results

Display the results of the configuration:

user@switch> show configuration
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "Sales wireless access point port";
            family ethernet-switching {
                vlan members sales;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            description "Sales phone port";
            family ethernet-switching {
                vlan members sales;
            }
        }
    }
    ge-0/0/22 {
        unit 0 {
            description "Sales printer port";
            family ethernet-switching {
                vlan members sales;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            description "Sales file server port";
            family ethernet-switching {
                vlan members sales;
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            description "Support wireless access point port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    ge-0/0/26 {
        unit 0 {
            description "Support phone port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    ge-0/0/44 {
        unit 0 {
            description "Support printer port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    ge-0/0/46 {
        unit 0 {
            description "Support file server port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.0.2.1/25;
            }
        }
        unit 1 {
            family inet {
                address 192.0.2.129/25;
            }
        }
    }
}
vlans {
    sales {
        vlan-id 100;
        interface ge-0/0/0.0;
        interface ge-0/0/3.0;
        interface ge-0/0/20.0;
        interface ge-0/0/22.0;
        l3-interface vlan.0;
    }
    support {
        vlan-id 200;
        interface ge-0/0/24.0;
        interface ge-0/0/26.0;
        interface ge-0/0/44.0;
        interface ge-0/0/46.0;
        l3-interface vlan.1;
    }
}

TIP: To quickly configure the sales and support VLAN interfaces, issue the load merge
terminal command, then copy the hierarchy and paste it into the switch terminal
window.

Verification

To verify that the sales and support VLANs have been created and are operating
properly, perform these tasks:

Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces on page 496
Verifying That Traffic Is Being Routed Between the Two VLANs on page 497
Verifying That Traffic Is Being Switched Between the Two VLANs on page 497

Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces

Purpose
Verify that the VLANs sales and support have been created on the switch and that
all connected interfaces on the switch are members of the correct VLAN.

Action
List all VLANs configured on the switch, using the operational mode command:

user@switch> show vlans
Name           Tag     Interfaces
default                ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0,
                       ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
                       ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0*,
                       ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0,
                       ge-0/0/18.0, ge-0/0/19.0, ge-0/0/21.0, ge-0/0/23.0*,
                       ge-0/0/25.0, ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0,
                       ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0,
                       ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0, ge-0/0/37.0,
                       ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0,
                       ge-0/0/42.0, ge-0/0/43.0, ge-0/0/45.0, ge-0/0/47.0,
                       ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
sales          100     ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0
support        200     ge-0/0/24.0, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0*
mgmt                   me0.0*

Meaning
The show vlans command lists all VLANs configured on the switch and which interfaces
are members of each VLAN. This command output shows that the sales and support
VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with
interfaces ge-0/0/0.0, ge-0/0/3.0, ge-0/0/20.0, and ge-0/0/22.0. VLAN support has
a tag ID of 200 and is associated with interfaces ge-0/0/24.0, ge-0/0/26.0,
ge-0/0/44.0, and ge-0/0/46.0.

Verifying That Traffic Is Being Routed Between the Two VLANs

Purpose
Verify routing between the two VLANs.

Action
List the Layer 3 routes in the switch's Address Resolution Protocol (ARP) table:

user@switch> show arp
MAC Address        Address     Name    Flags
00:00:0c:06:2c:0d  192.0.2.3   vlan.0  None
00:13:e2:50:62:e0  192.0.2.11  vlan.1  None

Meaning
Sending IP packets on a multiaccess network requires mapping from an IP address
to a MAC address (the physical or hardware address). The ARP table displays the
mapping between the IP address and MAC address for both vlan.0 (associated with
sales) and vlan.1 (associated with support). These VLANs can route traffic to each
other.

Verifying That Traffic Is Being Switched Between the Two VLANs

Purpose
Verify that learned entries are being added to the Ethernet switching table.

Action
List the contents of the Ethernet switching table:

user@switch> show ethernet-switching table
Ethernet-switching table: 8 entries, 5 learned
  VLAN      MAC address        Type   Age  Interfaces
  default   *                  Flood  -    All-members
  default   00:00:05:00:00:01  Learn       ge-0/0/10.0
  default   00:00:5e:00:01:09  Learn       ge-0/0/13.0
  default   00:19:e2:50:63:e0  Learn       ge-0/0/23.0
  sales     *                  Flood  -    All-members
  sales     00:00:5e:00:07:09  Learn       ge-0/0/0.0
  support   *                  Flood  -    All-members
  support   00:00:5e:00:01:01  Learn       ge-0/0/46.0

Meaning
The output shows that learned entries for the sales and support VLANs have been
added to the Ethernet switching table, and are associated with interfaces ge-0/0/0.0
and ge-0/0/46.0. Even though the VLANs were associated with more than one
interface in the configuration, these interfaces are the only ones that are currently
operating.

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Connecting an Access Switch to a Distribution Switch on page 498

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Understanding Bridging and VLANs on EX Series Switches on page 467

Example: Connecting an Access Switch to a Distribution Switch


In large local area networks (LANs), you commonly need to aggregate traffic from a
number of access switches into a distribution switch.
This example describes how to connect an access switch to a distribution switch:

Requirements on page 498

Overview and Topology on page 499

Configuring the Access Switch on page 500

Configuring the Distribution Switch on page 505

Verification on page 507

Requirements
This example uses the following hardware and software components:

For the distribution switch, one EX4200-24F switch. This model is designed to
be used as a distribution switch for aggregation or collapsed core network
topologies and in space-constrained data centers. It has twenty-four 1-Gigabit
Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit
Ethernet XFP ports.

For the access switch, one EX3200-24P, which has twenty-four 1-Gigabit Ethernet
ports, all of which support Power over Ethernet (PoE), and an uplink module
with four 1-Gigabit Ethernet ports.

JUNOS Release 9.0 or later for EX Series switches

Before you connect an access switch to a distribution switch, be sure you have:

Installed the two switches. See Installing and Connecting an EX3200 or EX4200
Switch.

Performed the initial software configuration on both switches. See Connecting
and Configuring an EX Series Switch (J-Web Procedure) on page 81.

Overview and Topology

In a large office that is spread across several floors or buildings, or in a data center,
you commonly aggregate traffic from a number of access switches into a distribution
switch. This configuration example shows a simple topology to illustrate how to
connect a single access switch to a distribution switch.
In the topology, the LAN is segmented into two VLANs, one for the sales department
and the second for the support team. One 1-Gigabit Ethernet port on the access
switch's uplink module connects to one 1-Gigabit Ethernet port on the distribution
switch.
Figure 29 on page 499 shows one EX4200 switch that is connected to three access
switches.
Figure 29: Topology for Configuration

Table 66 on page 499 explains the components of the example topology. The example
shows how to configure one of the three access switches. The other access switches
could be configured in the same manner.
Table 66: Components of the Topology for Connecting an Access Switch to a Distribution Switch
Property                                   Settings
Access switch hardware                     EX3200-24P, 24 1-Gigabit Ethernet ports, all PoE-enabled (ge-0/0/0 through
                                           ge-0/0/23); one 4-port 1-Gigabit Ethernet uplink module (EX-UM-4SFP)
Distribution switch hardware               EX4200-24F, 24 1-Gigabit Ethernet fiber SFP ports (ge-0/0/0 through ge-0/0/23);
                                           one 2-port 10-Gigabit Ethernet XFP uplink module (EX-UM-2XFP)
VLAN names and tag IDs                     sales, tag 100
                                           support, tag 200
VLAN subnets                               sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
                                           support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)
Trunk port interfaces                      On the access switch: ge-0/1/0
                                           On the distribution switch: ge-0/0/0
Access port interfaces in VLAN sales       Avaya IP telephones: ge-0/0/3 through ge-0/0/19
(on access switch)                         Wireless access points: ge-0/0/0 and ge-0/0/1
                                           Printers: ge-0/0/22 and ge-0/0/23
                                           File servers: ge-0/0/20 and ge-0/0/21
Access port interfaces in VLAN support     Avaya IP telephones: ge-0/0/25 through ge-0/0/43
(on access switch)                         Wireless access points: ge-0/0/24
                                           Printers: ge-0/0/44 and ge-0/0/45
                                           File servers: ge-0/0/46 and ge-0/0/47
Unused interfaces on access switch         ge-0/0/2 and ge-0/0/25

Configuring the Access Switch

To configure the access switch:
CLI Quick Configuration

To quickly configure the access switch, copy the following commands and paste
them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 unit 0 description "Sales wireless access point port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/3 unit 0 description "Sales phone port"
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/22 unit 0 description "Sales printer port"
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/20 unit 0 description "Sales file server port"
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/24 unit 0 description "Support wireless access point port"
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/26 unit 0 description "Support phone port"
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/44 unit 0 description "Support printer port"
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/46 unit 0 description "Support file server port"
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/1/0 unit 0 description "Uplink module port connection to distribution switch"
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching native-vlan-id 1
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members [ sales support ]
set interfaces vlan unit 0 family inet address 192.0.2.1/25
set interfaces vlan unit 1 family inet address 192.0.2.129/25
set vlans sales interface ge-0/0/0.0
set vlans sales interface ge-0/0/3.0
set vlans sales interface ge-0/0/22.0
set vlans sales interface ge-0/0/20.0
set vlans sales l3-interface vlan.0
set vlans sales vlan-id 100
set vlans sales vlan-description "Sales VLAN"
set vlans support interface ge-0/0/24.0
set vlans support interface ge-0/0/26.0
set vlans support interface ge-0/0/44.0
set vlans support interface ge-0/0/46.0
set vlans support vlan-id 200
set vlans support l3-interface vlan.1
set vlans support vlan-description "Support VLAN"

Step-by-Step Procedure

To configure the access switch:

1. Configure the 1-Gigabit Ethernet interface on the uplink module to be the trunk
port that connects to the distribution switch:
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set description "Uplink module port connection to distribution switch"
user@access-switch# set family ethernet-switching port-mode trunk

2. Specify the VLANs to be aggregated on the trunk port:
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set family ethernet-switching vlan members [ sales support ]

3. Configure the VLAN ID to use for packets that are received with no dot1q tag
(untagged packets):
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set family ethernet-switching native-vlan-id 1

4. Configure the sales VLAN:
[edit vlans sales]
user@access-switch# set vlan-description "Sales VLAN"
user@access-switch# set vlan-id 100
user@access-switch# set l3-interface vlan.0

5. Configure the support VLAN:
[edit vlans support]
user@access-switch# set vlan-description "Support VLAN"
user@access-switch# set vlan-id 200
user@access-switch# set l3-interface vlan.1

6. Create the subnet for the sales broadcast domain:
[edit interfaces]
user@access-switch# set vlan unit 0 family inet address 192.0.2.1/25

7. Create the subnet for the support broadcast domain:
[edit interfaces]
user@access-switch# set vlan unit 1 family inet address 192.0.2.129/25

8. Configure the interfaces in the sales VLAN:
[edit interfaces]
user@access-switch# set ge-0/0/0 unit 0 description "Sales wireless access point port"
user@access-switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members sales
user@access-switch# set ge-0/0/3 unit 0 description "Sales phone port"
user@access-switch# set ge-0/0/3 unit 0 family ethernet-switching vlan members sales
user@access-switch# set ge-0/0/20 unit 0 description "Sales file server port"
user@access-switch# set ge-0/0/20 unit 0 family ethernet-switching vlan members sales
user@access-switch# set ge-0/0/22 unit 0 description "Sales printer port"
user@access-switch# set ge-0/0/22 unit 0 family ethernet-switching vlan members sales

9. Configure the interfaces in the support VLAN:
[edit interfaces]
user@access-switch# set ge-0/0/24 unit 0 description "Support wireless access point port"
user@access-switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members support
user@access-switch# set ge-0/0/26 unit 0 description "Support phone port"
user@access-switch# set ge-0/0/26 unit 0 family ethernet-switching vlan members support
user@access-switch# set ge-0/0/44 unit 0 description "Support printer port"
user@access-switch# set ge-0/0/44 unit 0 family ethernet-switching vlan members support
user@access-switch# set ge-0/0/46 unit 0 description "Support file server port"
user@access-switch# set ge-0/0/46 unit 0 family ethernet-switching vlan members support

10. Configure descriptions and VLAN tag IDs for the sales and support VLANs:
[edit vlans]
user@access-switch# set sales vlan-description "Sales VLAN"
user@access-switch# set sales vlan-id 100
user@access-switch# set support vlan-description "Support VLAN"
user@access-switch# set support vlan-id 200

11. To route traffic between the sales and support VLANs and associate a Layer 3
interface with each VLAN:
[edit vlans]
user@access-switch# set sales l3-interface vlan.0
user@access-switch# set support l3-interface vlan.1

Results

Display the results of the configuration:


user@access-switch> show
interfaces {
ge-0/0/0 {
unit 0 {
description Sales wireless access point port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/3 {
unit 0 {
description Sales phone port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/20 {
unit 0 {
description Sales file server port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/22 {
unit 0 {
description Sales printer port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/24 {
unit 0 {
description Support wireless access point port;
family ethernet-switching {
vlan members support;
}
}
}
ge-0/0/26 {
unit 0 {
description Support phone port;
family ethernet-switching {
vlan members support;

}
}
}
ge-0/0/44 {
unit 0 {
description Support printer port;
family ethernet-switching {
vlan members support;
}
}
}
ge-0/0/46 {
unit 0 {
description Support file server port;
family ethernet-switching {
vlan members support;
}
}
}
ge-0/1/0 {
unit 0 {
description Uplink module port connection to distribution switch;
family ethernet-switching {
port-mode trunk;
vlan members [ sales support ];
native-vlan-id 1;
}
}
}
vlan {
unit 0 {
family inet address 192.0.2.1/25;
}
unit 1 {
family inet address 192.0.2.129/25;
}
}
}
vlans {
sales {
vlan-id 100;
vlan-description Sales VLAN;
l3-interface vlan.0;
}
support {
vlan-id 200;
vlan-description Support VLAN;
l3-interface vlan.1;
}
}

TIP: To quickly configure the access switch, issue the load merge terminal
command, then copy the hierarchy and paste it into the switch terminal window.
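Before pasting a configuration like the one above into a production switch, it is worth checking it offline for the slips that this kind of hand-built VLAN design invites: an access port whose description names one department but whose VLAN membership is another, a trunk that does not carry every VLAN or has no native VLAN, and l3-interface subnets that overlap. The following Python audit is an added example, not part of the guide or of JUNOS; it parses the access-switch configuration of this example in set-command form (input constructed here, with one deliberate port/VLAN mismatch) and relies on the page's naming convention that a port description starts with its VLAN's department name.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed input, not switch output: the access-switch configuration of this
# example flattened to 'set' form, with one deliberate slip for the audit to catch
# (the "Support printer port" ge-0/0/44 placed in VLAN sales).
ACCESS_SWITCH_CONFIG = """
set interfaces ge-0/0/0 unit 0 description "Sales wireless access point port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/24 unit 0 description "Support wireless access point port"
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/44 unit 0 description "Support printer port"
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/1/0 unit 0 description "Uplink module port connection to distribution switch"
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members [ sales support ]
set interfaces ge-0/1/0 unit 0 family ethernet-switching native-vlan-id 1
set interfaces vlan unit 0 family inet address 192.0.2.1/25
set interfaces vlan unit 1 family inet address 192.0.2.129/25
set vlans sales vlan-id 100
set vlans sales l3-interface vlan.0
set vlans support vlan-id 200
set vlans support l3-interface vlan.1
"""

# The same configuration with ge-0/0/44 moved to the VLAN its description names.
FIXED_CONFIG = ACCESS_SWITCH_CONFIG.replace(
    "ge-0/0/44 unit 0 family ethernet-switching vlan members sales",
    "ge-0/0/44 unit 0 family ethernet-switching vlan members support")


def parse_set_config(text):
    """Split 'set' statements into interface, VLAN and RVI (vlan.N) tables."""
    ifaces = defaultdict(lambda: {"desc": "", "vlans": set(), "trunk": False, "native": None})
    vlans = defaultdict(dict)  # name -> {"vlan-id": "100", "l3-interface": "vlan.0"}
    rvi = {}                   # "vlan.0" -> IPv4Interface of the routed VLAN interface
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # shlex keeps a quoted description as one token
        if tok[:3] == ["set", "interfaces", "vlan"]:
            rvi[f"vlan.{tok[4]}"] = ipaddress.ip_interface(tok[-1])
        elif tok[:2] == ["set", "interfaces"]:
            ifc = ifaces[f"{tok[2]}.{tok[4]}"]  # logical unit, e.g. ge-0/0/44.0
            stmt, args = tok[5], tok[6:]
            if stmt == "description":
                ifc["desc"] = args[0]
            elif args[:2] == ["ethernet-switching", "port-mode"]:
                ifc["trunk"] = args[2] == "trunk"
            elif args[:2] == ["ethernet-switching", "native-vlan-id"]:
                ifc["native"] = int(args[2])
            elif args[:3] == ["ethernet-switching", "vlan", "members"]:
                ifc["vlans"].update(t for t in args[3:] if t not in ("[", "]"))
        elif tok[:2] == ["set", "vlans"]:
            vlans[tok[2]][tok[3]] = tok[4]
    return ifaces, vlans, rvi


def audit(text):
    """Return a list of findings; an empty list means the configuration is consistent."""
    ifaces, vlans, rvi = parse_set_config(text)
    findings = []
    # Tag IDs must be unique across VLANs.
    by_id = defaultdict(list)
    for name, attrs in vlans.items():
        by_id[attrs.get("vlan-id")].append(name)
    findings += [f"vlan-id {vid} shared by {sorted(names)}"
                 for vid, names in by_id.items() if len(names) > 1]
    # Every l3-interface needs an address, and the VLAN subnets must not overlap.
    nets = {}
    for name, attrs in sorted(vlans.items()):
        l3 = attrs.get("l3-interface")
        if l3 not in rvi:
            findings.append(f"{name}: l3-interface {l3} has no inet address")
            continue
        for other_net, other in nets.items():
            if rvi[l3].network.overlaps(other_net):
                findings.append(f"{name} and {other} have overlapping subnets")
        nets[rvi[l3].network] = name
    # Trunks carry every VLAN and name a native VLAN; an access port carries exactly
    # one VLAN, and its name must match the first word of the port description.
    for ifname, ifc in sorted(ifaces.items()):
        if ifc["trunk"]:
            missing = sorted(set(vlans) - ifc["vlans"])
            if missing:
                findings.append(f"{ifname}: trunk does not carry VLANs {missing}")
            if ifc["native"] is None:
                findings.append(f"{ifname}: trunk has no native-vlan-id")
            continue
        if len(ifc["vlans"]) != 1:
            findings.append(f"{ifname}: access port must be in exactly one VLAN")
            continue
        member = next(iter(ifc["vlans"]))
        expected = ifc["desc"].split()[0].lower() if ifc["desc"] else member
        if expected != member:
            findings.append(f"{ifname}: description says {expected!r} but VLAN member is {member!r}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(ACCESS_SWITCH_CONFIG) or ["no findings"]))
```

The same checks apply unchanged to the distribution switch configuration, which has no access ports and so exercises only the trunk and subnet rules.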


Configuring the Distribution Switch

To configure the distribution switch:
CLI Quick Configuration

To quickly configure the distribution switch, copy the following commands and paste
them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 description "Connection to access switch"
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ sales support ]
set interfaces ge-0/0/0 unit 0 family ethernet-switching native-vlan-id 1
set interfaces vlan unit 0 family inet address 192.0.2.2/25
set interfaces vlan unit 1 family inet address 192.0.2.130/25
set vlans sales vlan-description "Sales VLAN"
set vlans sales vlan-id 100
set vlans sales l3-interface vlan.0
set vlans support vlan-description "Support VLAN"
set vlans support vlan-id 200
set vlans support l3-interface vlan.1

Step-by-Step Procedure

To configure the distribution switch:

1. Configure the interface on the switch to be the trunk port that connects to the
access switch:
[edit interfaces ge-0/0/0]
user@distribution-switch# set description "Connection to access switch"
user@distribution-switch# set unit 0 family ethernet-switching port-mode trunk

2. Specify the VLANs to be aggregated on the trunk port:
[edit interfaces ge-0/0/0 unit 0]
user@distribution-switch# set family ethernet-switching vlan members [ sales support ]

3. Configure the VLAN ID to use for packets that are received with no dot1q tag
(untagged packets):
[edit interfaces ge-0/0/0 unit 0]
user@distribution-switch# set family ethernet-switching native-vlan-id 1

4. Configure the sales VLAN:
[edit vlans sales]
user@distribution-switch# set vlan-description "Sales VLAN"
user@distribution-switch# set vlan-id 100
user@distribution-switch# set l3-interface vlan.0

5. Configure the support VLAN:
[edit vlans support]
user@distribution-switch# set vlan-description "Support VLAN"
user@distribution-switch# set vlan-id 200
user@distribution-switch# set l3-interface vlan.1

6. Create the subnet for the sales broadcast domain:
[edit interfaces]
user@distribution-switch# set vlan unit 0 family inet address 192.0.2.2/25

7. Create the subnet for the support broadcast domain:
[edit interfaces]
user@distribution-switch# set vlan unit 1 family inet address 192.0.2.130/25

Results

Display the results of the configuration:


user@distribution-switch> show
interfaces {
ge-0/0/0 {
description Connection to access switch;
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan members [ sales support ];
native-vlan-id 1;
}
}
}
vlan {
unit 0 {
family inet address 192.0.2.2/25;
}
unit 1 {
family inet address 192.0.2.130/25;
}
}
}
vlans {
sales {
vlan-id 100;
vlan-description Sales VLAN;
l3-interface vlan.0;
}
support {
vlan-id 200;
vlan-description Support VLAN;
l3-interface vlan.1;
}
}


TIP: To quickly configure the distribution switch, issue the load merge terminal
command, then copy the hierarchy and paste it into the switch terminal window.

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the VLAN Members and Interfaces on the Access Switch on page 507

Verifying the VLAN Members and Interfaces on the Distribution Switch on page 507

Verifying the VLAN Members and Interfaces on the Access Switch

Purpose
Verify that the sales and support VLANs have been created on the switch.

Action
List all VLANs configured on the switch:
user@switch> show vlans
Name      Tag     Interfaces
default           ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0,
                  ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0*, ge-0/0/9.0,
                  ge-0/0/10.0, ge-0/0/11.0*, ge-0/0/12.0, ge-0/0/13.0,
                  ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0,
                  ge-0/0/18.0, ge-0/0/19.0*, ge-0/0/21.0, ge-0/0/23.0,
                  ge-0/0/25.0, ge-0/0/27.0*, ge-0/0/28.0, ge-0/0/29.0,
                  ge-0/0/30.0, ge-0/0/31.0*, ge-0/0/32.0, ge-0/0/33.0,
                  ge-0/0/34.0, ge-0/0/35.0*, ge-0/0/36.0, ge-0/0/37.0,
                  ge-0/0/38.0, ge-0/0/39.0*, ge-0/0/40.0, ge-0/0/41.0,
                  ge-0/0/42.0, ge-0/0/43.0*, ge-0/0/45.0, ge-0/0/47.0,
                  ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
sales     100     ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0,
                  ge-0/1/0.0*
support   200     ge-0/0/24.0*, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0
mgmt              me0.0*

Meaning
The output shows the sales and support VLANs and the interfaces associated with
them.

Verifying the VLAN Members and Interfaces on the Distribution Switch

Purpose
Verify that the sales and support VLANs have been created on the switch.

Action
List all VLANs configured on the switch:
user@switch> show vlans
Name      Tag     Interfaces
default           ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
                  ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0*, ge-0/0/8.0,
                  ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0,
                  ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
                  ge-0/0/17.0, ge-0/0/18.0*, ge-0/0/19.0, ge-0/0/20.0,
                  ge-0/0/21.0, ge-0/0/22.0*, ge-0/0/23.0, ge-0/1/1.0*,
                  ge-0/1/2.0*, ge-0/1/3.0*
sales     100     ge-0/0/0.0*
support   200     ge-0/0/0.0*
mgmt              me0.0*

Meaning
The output shows the sales and support VLANs associated with interface ge-0/0/0.0.
Interface ge-0/0/0.0 is the trunk interface connected to the access switch.

Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Understanding Bridging and VLANs on EX Series Switches on page 467

Example: Configure Automatic VLAN Administration Using GVRP


As a network expands and the number of clients and VLANs increases, VLAN
administration becomes complex, and the task of efficiently configuring VLANs on
multiple EX Series switches becomes increasingly difficult. To automate VLAN
administration, you can enable GARP VLAN Registration Protocol (GVRP) on the
network.

NOTE: Only trunk interfaces can be enabled for GVRP.


This example describes how to use GVRP to automate administration of VLAN
membership changes within your network:

Requirements on page 509

Overview and Topology on page 509

Configuring VLANs and GVRP on Access Switch A on page 511

Configuring VLANs and GVRP on Access Switch B on page 514

Configuring VLANs and GVRP on the Distribution Switch on page 518

Verification on page 520

Requirements
This example uses the following hardware and software components:

Two EX3200 access switches

One EX4200 distribution switch

JUNOS Release 9.0 or later for EX Series switches

Before you configure GVRP on the access switches and on the distribution switch,
be sure you have:

Performed the initial software configuration on the switches. See Connecting
and Configuring an EX Series Switch (J-Web Procedure) on page 81.

Configured the VLANs on both the access switches and on the distribution switch.
(Dynamic VLAN configuration is not supported.)

Configured a trunk interface on all the switches.

Overview and Topology


When you are setting up your network, you should configure all VLANs on all switches,
even though some switches are not actively participating in a VLAN. Then enable
GVRP on the trunk interface of each switch. GVRP ensures that the VLAN membership
information on the trunk interface is updated as the switch's access interfaces become
active or inactive in the configured VLANs.
You do not need to take an extra step of explicitly binding a VLAN to the trunk
interface. When GVRP is enabled, the trunk interface advertises all the VLANs that
are active (bound to access interfaces) on that switch. A GVRP-enabled trunk interface
does not advertise VLANs that have been configured on the switch but that are not
currently bound to an access interface. Thus, GVRP provides the benefit of reducing
network overhead by limiting the scope of broadcast, unknown unicast, and
multicast (BUM) traffic to interested devices only.
This example shows a network with three VLANs: finance, sales, and lab.
Access Switch A has been configured to support all three VLANs, and all three VLANs
are active, bound to interfaces that are connected to personal computers:

ge-0/0/1: Connects PC1 as a member of the finance VLAN, VLAN ID 100

ge-0/0/2: Connects PC2 as a member of the lab VLAN, VLAN ID 200

ge-0/0/3: Connects PC3 as a member of the sales VLAN, VLAN ID 300

Access Switch B has also been configured to support three VLANs. However, currently
only two VLANs are active, bound to interfaces that are connected to personal
computers:

ge-0/0/0: Connects PC4 as a member of the finance VLAN, VLAN ID 100

ge-0/0/1: Connects PC5 as a member of the lab VLAN, VLAN ID 200

The Distribution Switch is also configured to support the three VLANs (finance, lab,
sales). However, the Distribution Switch does not have any access interfaces that are
connecting devices as members of these VLANs. The Distribution Switch has two
trunk interfaces:

xe-0/1/1: Connects Distribution Switch to Access Switch A.

xe-0/1/0: Connects Distribution Switch to Access Switch B.

Figure 30 on page 510 shows GVRP configured on two access switches and one
distribution switch.
Figure 30: GVRP Configured on Two Access Switches and One Distribution Switch
for Automatic VLAN Administration

Table 67: Components of the Network Topology
Property                   Settings
Switch hardware            Access Switch A: EX3200 switch
                           Access Switch B: EX3200 access switch
                           Distribution Switch: EX4200 switch
VLAN names and tag IDs     finance, tag 100
                           lab, tag 200
                           sales, tag 300
Interfaces                 Access Switch A interfaces:
                           ge-0/0/1: Connects PC1 to Access Switch A.
                           ge-0/0/2: Connects PC2 to Access Switch A.
                           ge-0/0/3: Connects PC3 to Access Switch A.
                           xe-0/1/1: Connects Access Switch A to Distribution Switch. (trunk)
                           Access Switch B interfaces:
                           ge-0/0/0: Connects PC4 to Access Switch B.
                           ge-0/0/1: Connects PC5 to Access Switch B.
                           xe-0/1/0: Connects Access Switch B to Distribution Switch. (trunk)
                           Distribution Switch interfaces:
                           xe-0/1/1: Connects Distribution Switch to Access Switch A. (trunk)
                           xe-0/1/0: Connects Distribution Switch to Access Switch B. (trunk)

When VLAN access interfaces become active or inactive, GVRP ensures that the
updated information is advertised on the trunk interface. Thus, the Distribution
Switch does not forward traffic to inactive VLANs.
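The claim above can be made concrete for this exact topology. The following Python model is an added illustration, not part of the guide or of the switch software: it computes which VLANs GVRP registers on each trunk of the three switches in Table 67, which interfaces therefore carry a VLAN's BUM traffic, and how that changes when PC2's access interface goes down. It is a timer-free simplification of the GVRP declare/register exchange, with switch, interface and VLAN names taken from the page.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """One switch of the example: configured VLANs, access ports and GVRP trunks."""
    vlans: dict                                 # VLAN name -> tag ID
    access: dict = field(default_factory=dict)  # access interface -> (VLAN, link up?)
    trunks: dict = field(default_factory=dict)  # trunk interface -> (peer switch, peer interface)

    def active_vlans(self):
        """VLANs bound to at least one access interface whose link is up."""
        return {vlan for vlan, up in self.access.values() if up}


VLANS = {"finance": 100, "lab": 200, "sales": 300}  # configured on every switch


def build_topology():
    """The page's topology: PC1-PC3 on Access Switch A, PC4 and PC5 on Access Switch B,
    both uplinked to the Distribution Switch, which has no access ports of its own."""
    return {
        "Access Switch A": Switch(VLANS,
            access={"ge-0/0/1": ("finance", True), "ge-0/0/2": ("lab", True),
                    "ge-0/0/3": ("sales", True)},
            trunks={"xe-0/1/1": ("Distribution Switch", "xe-0/1/1")}),
        "Access Switch B": Switch(VLANS,
            access={"ge-0/0/0": ("finance", True), "ge-0/0/1": ("lab", True)},
            trunks={"xe-0/1/0": ("Distribution Switch", "xe-0/1/0")}),
        "Distribution Switch": Switch(VLANS,
            trunks={"xe-0/1/1": ("Access Switch A", "xe-0/1/1"),
                    "xe-0/1/0": ("Access Switch B", "xe-0/1/0")}),
    }


def gvrp_registrations(switches):
    """Return {switch: {trunk: VLANs registered on that trunk}} once the exchange settles.

    Timer-free model of GVRP: on each trunk a switch declares its locally active VLANs
    plus the VLANs registered on its other trunks; the peer registers what it hears,
    restricted to VLANs it has configured (dynamic VLAN creation is not supported).
    """
    regs = {name: {t: set() for t in sw.trunks} for name, sw in switches.items()}
    changed = True
    while changed:
        changed = False
        for name, sw in switches.items():
            for trunk, (peer, peer_if) in sw.trunks.items():
                p = switches[peer]
                declared = p.active_vlans().union(
                    *(regs[peer][t] for t in p.trunks if t != peer_if))
                declared &= set(sw.vlans)
                if declared != regs[name][trunk]:
                    regs[name][trunk] = declared
                    changed = True
    return regs


def bum_egress(switches, regs, name, vlan):
    """Interfaces of `name` that carry broadcast/unknown-unicast/multicast traffic
    for `vlan`: active access ports in the VLAN plus trunks where it is registered."""
    sw = switches[name]
    ports = {ifc for ifc, (v, up) in sw.access.items() if v == vlan and up}
    ports |= {t for t, members in regs[name].items() if vlan in members}
    return ports


if __name__ == "__main__":
    switches = build_topology()
    regs = gvrp_registrations(switches)
    for name in switches:
        print(name, {t: sorted(v) for t, v in regs[name].items()})
    print("sales flood scope on Distribution Switch:",
          sorted(bum_egress(switches, regs, "Distribution Switch", "sales")))
    # PC2 unplugged: lab stops being active on Access Switch A, so the Distribution
    # Switch withdraws lab from the declaration it sends toward Access Switch B.
    switches["Access Switch A"].access["ge-0/0/2"] = ("lab", False)
    regs = gvrp_registrations(switches)
    print("lab flood scope on Access Switch B:",
          sorted(bum_egress(switches, regs, "Access Switch B", "lab")))
```

With all PCs connected, the Distribution Switch registers sales only on xe-0/1/1, so a sales broadcast from PC3 never reaches Access Switch B; once PC2 is disconnected, Access Switch B's trunk no longer carries lab at all.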

Configuring VLANs and GVRP on Access Switch A


To configure three VLANs on the switch, bind access interfaces for PC1, PC2, and
PC3 to the VLANs (finance, lab, sales), and enable GVRP on the trunk interface of
Access Switch A, perform these tasks:
CLI Quick Configuration

To quickly configure Access Switch A to support the three VLANs, bind interfaces for
the three PCs to the appropriate VLANs, and enable GVRP on the trunk interface,
copy the following commands and paste them into the switch terminal window of
Switch A:
[edit]
set vlans finance vlan-id 100
set vlans lab vlan-id 200
set vlans sales vlan-id 300
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members finance
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members lab
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk
set protocols gvrp interface xe-0/1/1.0


NOTE: As we recommend, default GVRP timers are used in this example. The default
values associated with each GVRP timer are: 200 ms for the join-timer, 600 ms for
the leave-timer, and 1000 cs (10000 ms) for the leaveall-timer. Modifying timers to
inappropriate values may cause an imbalance in the operation of GVRP. Refer to
IEEE 802.1D [2004] Clause 12 for more information. The timer values are displayed
when you use the show gvrp command to verify that GVRP is enabled. For more
information on the timers, see gvrp and its associated configuration statements.

Step-by-Step Procedure

To configure Access Switch A to support the three VLANs, bind interfaces for the
three PCs to the appropriate VLANs, and enable GVRP on the trunk interface, copy
the following commands and paste them into the switch terminal window of Switch A:
1.

Configure the finance VLAN:


[edit]
user@Access-Switch-A# set vlans finance vlan-id 100

2.

Configure the lab VLAN:


[edit]
user@Access-Switch-A# set vlans lab vlan-id 200

3.

Configure the sales VLAN:


[edit]
user@Access-Switch-A# set vlans sales vlan-id 300

4.

Configure an Ethernet interface as a member of the finance VLAN:


[edit]
user@Access-Switch-A# set interfaces ge-0/0/1 unit 0 family
ethernet-switching vlan members finance

5.

Configure an Ethernet interface as a member of the lab VLAN:


[edit]
user@Access-Switch-A# set interfaces ge-0/0/2 unit 0 family
ethernet-switching vlan members lab

6.

Configure an Ethernet interface as a member of the sales VLAN:


[edit]
user@Access-Switch-A# set interfaces ge-0/0/3 unit 0 family
ethernet-switching vlan members sales

7.

Configure a trunk interface:

[edit]
user@Access-Switch-A# set interfaces xe-0/1/1 unit 0 family
ethernet-switching port-mode trunk

8.

Enable GVRP on the trunk interface:


[edit]
user@Access-Switch-A# set protocols gvrp interface xe-0/1/1.0

Results

Check the results of the configuration:


interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members finance;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members lab;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members sales;
}
}
}
}
xe-0/1/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/2 {
unit 0 {


family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
interface all;
}
lldp-med {
interface all;
}
gvrp {
interface xe-0/1/1.0;
}
rstp;
}
ethernet-switching-options {
storm-control {
interface all {
level 50;
}
}
}
vlans {
finance {
vlan-id 100;
}
lab {
vlan-id 200;
}
sales {
vlan-id 300;
}
}

Configuring VLANs and GVRP on Access Switch B


To configure three VLANs on the switch, bind access interfaces for PC4 and PC5 to
the VLANs (finance and lab), and enable GVRP on the trunk interface of Access
Switch B, perform these tasks:
CLI Quick Configuration

To quickly configure Access Switch B to support the three VLANs, bind interfaces for
the two PCs to the appropriate VLANs, and enable GVRP on the trunk interface, copy
the following commands and paste them into the switch terminal window of Switch
B:
[edit]
set vlans finance vlan-id 100
set vlans lab vlan-id 200
set vlans sales vlan-id 300
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members finance
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members lab
set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk
set protocols gvrp interface xe-0/1/0.0

Step-by-Step Procedure

To configure Access Switch B to support the three VLANs, bind interfaces for the two
PCs to the appropriate VLAN, and enable GVRP on the trunk interface, copy the
following commands and paste them into the switch terminal window of Switch B:
1.

Configure the finance VLAN:


[edit]
user@Access-Switch-B# set vlans finance vlan-id 100

2.

Configure the lab VLAN:


[edit]
user@Access-Switch-B# set vlans lab vlan-id 200

3.

Configure the sales VLAN:


[edit]
user@Access-Switch-B# set vlans sales vlan-id 300

4.

Configure an Ethernet interface as a member of the finance VLAN:


[edit]
user@Access-Switch-B# set interfaces ge-0/0/0 unit 0 family
ethernet-switching vlan members finance

5.

Configure an Ethernet interface as a member of the lab VLAN:


[edit]
user@Access-Switch-B# set interfaces ge-0/0/1 unit 0 family
ethernet-switching vlan members lab

6.

Configure a trunk interface:


[edit]
user@Access-Switch-B# set interfaces xe-0/1/0 unit 0 family
ethernet-switching port-mode trunk

7.

Enable GVRP on the trunk interface:


[edit]
user@Access-Switch-B# set protocols gvrp interface xe-0/1/0.0


NOTE: As we recommend, default GVRP timers are used in this example. The default
values associated with each GVRP timer are: 200 ms for the join-timer, 600 ms for
the leave-timer, and 1000 cs (10000 ms) for the leaveall-timer. Modifying timers to
inappropriate values may cause an imbalance in the operation of GVRP. Refer to
IEEE 802.1D [2004] Clause 12 for more information. The timer values are displayed
when you use the show gvrp command to verify that GVRP is enabled. For more
information on the timers, see gvrp and its associated configuration statements.

Results

Check the results of the configuration:


[edit]
user@Access-Switch-B# show
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members finance;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members lab;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/0 {
unit 0 {
family ethernet-switching {
port-mode trunk;
}


}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
interface all;
}
lldp-med {
interface all;
}
gvrp {
interface xe-0/1/0.0;
}
rstp;
}
ethernet-switching-options {
storm-control {
interface all {
level 50;
}
}
}
vlans {
finance {
vlan-id 100;
}
lab {
vlan-id 200;
}
sales {
vlan-id 300;
}
}


Configuring VLANs and GVRP on the Distribution Switch


CLI Quick Configuration

To quickly configure the finance, lab, and sales VLANs on the Distribution Switch
and to enable GVRP on the trunk interface of the Distribution Switch, copy the
following commands and paste them into the switch terminal window of the
Distribution Switch:
[edit]
set vlans finance vlan-id 100
set vlans lab vlan-id 200
set vlans sales vlan-id 300
set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk
set protocols gvrp interface xe-0/1/1.0
set protocols gvrp interface xe-0/1/0.0

Step-by-Step Procedure

To configure the three VLANs on the Distribution Switch, to configure the trunk
interfaces, and to enable GVRP on the trunk interface of the Distribution Switch:
1. Configure the finance VLAN:

[edit]
user@Distribution-Switch# set vlans finance vlan-id 100

2. Configure the lab VLAN:

[edit]
user@Distribution-Switch# set vlans lab vlan-id 200

3. Configure the sales VLAN:

[edit]
user@Distribution-Switch# set vlans sales vlan-id 300

4. Configure the trunk interface to Access Switch A:

[edit]
user@Distribution-Switch# set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk

5. Configure the trunk interface to Access Switch B:

[edit]
user@Distribution-Switch# set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk

6. Enable GVRP on the trunk interface xe-0/1/1:

[edit]
user@Distribution-Switch# set protocols gvrp interface xe-0/1/1.0

7. Enable GVRP on the trunk interface xe-0/1/0:

[edit]
user@Distribution-Switch# set protocols gvrp interface xe-0/1/0.0

Results

Display the results of the configuration:


[edit]
user@Distribution-Switch# show
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/0 {
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {


unit 0 {
family ethernet-switching;
}
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
interface all;
}
lldp-med {
interface all;
}
gvrp {
interface xe-0/1/0.0;
interface xe-0/1/1.0;
}
rstp;
}
ethernet-switching-options {
storm-control {
interface all {
level 50;
}
}
}
vlans {
finance {
vlan-id 100;
}
lab {
vlan-id 200;
}
sales {
vlan-id 300;
}
}

Verification

To confirm that the configuration is updating VLAN membership, perform these
tasks:

Verifying That GVRP Is Enabled on Access Switch A on page 521

Verifying That GVRP Is Updating VLAN Membership on Switch A on page 521

Verifying That GVRP Is Enabled on Access Switch B on page 521

Verifying That GVRP Is Updating VLAN Membership on Switch B on page 522

Verifying That GVRP Is Enabled on the Distribution Switch on page 522

Verifying That GVRP Is Updating VLAN Membership on the Distribution Switch on page 522

Verifying That GVRP Is Enabled on Access Switch A

Purpose
Verify that GVRP is enabled on the switch.

Action
Show the GVRP configuration, using the show gvrp command:

user@Access-Switch-A> show gvrp
Global GVRP configuration
GVRP status : Enabled
GVRP Timers (ms)
Join       : 200
Leave      : 600
LeaveAll   : 10000
Interface Name     Protocol Status
----------------------------------
xe-0/1/1.0         Enabled

Meaning
The results show that GVRP is enabled on the trunk interface of Switch A and that
the default timers are used.

Verifying That GVRP Is Updating VLAN Membership on Switch A

Purpose
To verify that GVRP is updating VLAN membership, display the Ethernet switching
interfaces and associated VLANs that are active on Switch A.

Action
List Ethernet switching interfaces on the switch, using the show ethernet-switching
interfaces command:

user@Access-Switch-A> show ethernet-switching interfaces
Interface    State  VLAN members    Blocking
ge-0/0/1.0   up     finance         unblocked
ge-0/0/2.0   up     lab             unblocked
ge-0/0/3.0   up     sales           unblocked
xe-0/1/1.0   up     finance         unblocked
                    lab             unblocked

Meaning
GVRP has automatically added finance and lab as VLAN members on the trunk
interface, because they are being advertised by Access Switch B.

Verifying That GVRP Is Enabled on Access Switch B

Purpose
Verify that GVRP is enabled on the switch.

Action
Show the GVRP configuration:

user@Access-Switch-B> show gvrp
Global GVRP configuration
GVRP status : Enabled
GVRP Timers (ms)
Join       : 200
Leave      : 600
LeaveAll   : 10000
Interface Name     Protocol Status
----------------------------------
xe-0/1/0.0         Enabled

Meaning
The results show that GVRP is enabled on the trunk interface of Switch B and that
the default timers are used.

Verifying That GVRP Is Updating VLAN Membership on Switch B

Purpose
To verify that GVRP is updating VLAN membership, display the Ethernet switching
interfaces and associated VLANs that are active on Switch B.

Action
List Ethernet switching interfaces on the switch:

user@Access-Switch-B> show ethernet-switching interfaces
Interface    State  VLAN members    Blocking
ge-0/0/0.0   up     finance         unblocked
ge-0/0/1.0   up     lab             unblocked
xe-0/1/1.0   up     finance         unblocked
                    lab             unblocked
                    sales           unblocked

Meaning
GVRP has automatically added finance, lab, and sales as VLAN members on the trunk
interface because they are being advertised by Access Switch A.

Verifying That GVRP Is Enabled on the Distribution Switch

Purpose
Verify that GVRP is enabled on the switch.

Action
Show the GVRP configuration:

user@Distribution-Switch> show gvrp
Global GVRP configuration
GVRP status : Enabled
GVRP Timers (ms)
Join       : 200
Leave      : 600
LeaveAll   : 10000
Interface Name     Protocol Status
----------------------------------
xe-0/1/0.0         Enabled
xe-0/1/1.0         Enabled

Verifying That GVRP Is Updating VLAN Membership on the Distribution Switch

Purpose
To verify that GVRP is updating VLAN membership on the Distribution Switch, display
the Ethernet switching interfaces and associated VLANs on the Distribution Switch.

Action
List the Ethernet switching interfaces on the switch:

user@Distribution-Switch> show ethernet-switching interfaces
Interface    State  VLAN members    Blocking
xe-0/1/1.0   up     finance         unblocked
                    lab             unblocked
                    sales           unblocked
xe-0/1/0.0   up     finance         unblocked
                    lab             unblocked

Meaning

The Distribution Switch has two trunk interfaces. Interface xe-0/1/1.0 connects the
Distribution Switch to Access Switch A and is therefore updated to show that it is a
member of all the VLANs that are active on Access Switch A. Any traffic for those
VLANs will be passed on from the Distribution Switch to Access Switch A, through
interface xe-0/1/1.0. Interface xe-0/1/0.0 connects the Distribution Switch to Access
Switch B and is updated to show that it is a member of the two VLANs that are active
on Access Switch B. Thus, the Distribution Switch sends traffic for finance and lab to
both Access Switch A and Access Switch B. But the Distribution Switch sends traffic
for sales only to Access Switch A.
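Because GVRP extends VLAN membership onto trunks automatically, an operator should periodically check that each trunk carries only the VLANs it is expected to. The following Python audit helper is an added example, not code from this guide: it parses output in the show ethernet-switching interfaces format shown above (the sample output and the EXPECTED policy are constructed for the example) and reports VLANs a trunk carries beyond that policy.

```python
# Added audit helper (not from the JUNOS guide): parse the column layout of
# 'show ethernet-switching interfaces' and flag VLANs that GVRP has extended
# onto a trunk beyond what the operator expects there.

# Constructed sample, modelled on the Distribution Switch output above.
SAMPLE_OUTPUT = """\
Interface    State  VLAN members    Blocking
xe-0/1/1.0   up     finance         unblocked
                    lab             unblocked
                    sales           unblocked
xe-0/1/0.0   up     finance         unblocked
                    lab             unblocked
"""

# Hypothetical policy for this example: the trunk towards Access Switch B is
# only supposed to carry finance.
EXPECTED = {
    "xe-0/1/1.0": {"finance", "lab", "sales"},
    "xe-0/1/0.0": {"finance"},
}


def parse_interfaces(output):
    """Return {interface: [vlan, ...]} in the order the switch lists them."""
    members = {}
    current = None
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Interface":
            continue                          # blank line or column header
        if len(tokens) == 4:                  # "iface state vlan blocking"
            current = tokens[0]
            members.setdefault(current, [])
            vlan = tokens[2]
        elif len(tokens) == 2 and current is not None:
            vlan = tokens[0]                  # continuation row: "vlan blocking"
        else:
            raise ValueError("unexpected line: %r" % line)
        members[current].append(vlan)
    return members


def unexpected_vlans(members, expected):
    """VLANs carried by an interface that are not in its expected set.

    An interface absent from 'expected' has no approved VLANs, so every VLAN
    it carries is reported; sets are returned as sorted lists.
    """
    findings = {}
    for iface, vlans in members.items():
        extra = sorted(set(vlans) - expected.get(iface, set()))
        if extra:
            findings[iface] = extra
    return findings


if __name__ == "__main__":
    found = unexpected_vlans(parse_interfaces(SAMPLE_OUTPUT), EXPECTED)
    for iface, extra in found.items():
        print("%s carries VLANs outside policy: %s" % (iface, ", ".join(extra)))
```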

Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Understanding Bridging and VLANs on EX Series Switches on page 467

Example: Configuring Redundant Trunk Links for Faster Recovery


Simplify the convergence configuration in a typical enterprise network by configuring
a primary link and a secondary link on trunk ports. If the primary link fails, the
secondary link automatically takes over without waiting for normal STP convergence.
This example describes how to create a redundant trunk group:

Requirements on page 523

Overview and Topology on page 524

Configuration on page 525

Verification on page 526

Requirements
This example uses the following hardware and software components:

Two EX4200 distribution switches.

One EX3200 access switch.

JUNOS Release 9.0 or later for EX Series switches

Before you configure the redundant trunk links network on the access and distribution
switches, be sure you have:

Installed the access switch. See Installing and Connecting an EX3200 or EX4200
Switch.

Installed the two distribution switches. See Installing and Connecting an EX3200
or EX4200 Switch.

Performed the initial switch configuration. See Connecting and Configuring an
EX Series Switch (J-Web Procedure) on page 81.

Overview and Topology


This example shows a simple configuration to illustrate the basic steps for creating
a redundant trunk group.
Configuring redundant trunk links places the primary link and the secondary link in
a redundant group. However, a primary link need not be configured. If a primary
link is not specified, the software compares the two links and selects the link with
the highest port number as the active link. For example, if the two interfaces are
ge-0/1/0 and ge-0/1/1, the software assigns ge-0/1/1 as the active link.
Whether a primary link is specified as the active link, or whether it is calculated by
the software, traffic is handled in the same manner. Traffic passes through the active
link but is blocked on the secondary link. If the active link goes down or is disabled
administratively, the secondary link becomes active and begins forwarding traffic.
However, there is a difference between the behavior of a primary, active link and
an active link that is calculated to be active by the software. If an active link goes
down, the secondary link begins forwarding traffic. If the old, active link comes up
again, the following occurs:

If the old, active link was configured as the primary link, then it resumes the role
of active link and the other link is blocked. An interface configured as primary
continues to carry with it the primary role whenever it becomes active.

If no primary link was configured, and the active link was calculated by the
software when the redundant group was formed, then the old, active link will
not preempt the other interface (new active).
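The two selection rules above, and the difference in preemption when a failed link returns, are easy to get wrong when planning a failover test. The following Python model is an added example, not JUNOS code: the class and method names are assumptions, and it reproduces only the behaviour described in this overview (primary preferred and preempting; otherwise highest port number chosen and not preempting).

```python
# Added model (not JUNOS code) of redundant trunk group active-link selection
# as described in the overview above.
import re


def port_number(ifname):
    """Numeric key for 'highest port number': 'ge-0/1/1.0' -> (0, 1, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", ifname.split(".")[0]))


class RedundantTrunkGroup:
    def __init__(self, name, links, primary=None):
        if len(links) != 2:
            raise ValueError("a redundant trunk group has exactly two links")
        if primary is not None and primary not in links:
            raise ValueError("primary must be one of the group's links")
        self.name = name
        self.links = list(links)
        self.primary = primary
        self.up = {link: True for link in links}   # both links up at creation
        self.active = self._select()

    def _other(self, link):
        return self.links[0] if link == self.links[1] else self.links[1]

    def _select(self):
        """Initial choice: the configured primary, else the highest port."""
        candidates = [l for l in self.links if self.up[l]]
        if not candidates:
            return None
        if self.primary in candidates:
            return self.primary
        return max(candidates, key=port_number)

    def link_event(self, link, is_up):
        """Apply a link up/down event; return the active link afterwards."""
        if link not in self.links:
            raise ValueError("unknown link %s" % link)
        self.up[link] = is_up
        if not is_up:
            if self.active == link:                 # the active link failed
                other = self._other(link)
                self.active = other if self.up[other] else None
        elif self.active is None or link == self.primary:
            # Nothing is active, or the configured primary returned and
            # preempts. A software-selected link that returns stays blocked.
            self.active = link
        return self.active

    def forwarding(self, link):
        """Traffic passes only on the active link; the other is blocked."""
        return link == self.active

    def status(self):
        """Per-link flags in the style of 'show redundant-trunk-group'."""
        out = {}
        for link in self.links:
            flags = ("(P)" if link == self.primary else "") + \
                    ("(A)" if link == self.active else "")
            out[link] = "%s %s" % (flags or "-", "UP" if self.up[link] else "DOWN")
        return out


def run_events(group, events):
    """Apply (link, is_up) events in order; return the active link after each."""
    return [group.link_event(link, is_up) for link, is_up in events]


if __name__ == "__main__":
    # group1 from this example: ge-0/0/9.0 is the configured primary.
    g = RedundantTrunkGroup("group1", ["ge-0/0/9.0", "ge-0/0/10.0"],
                            primary="ge-0/0/9.0")
    print(run_events(g, [("ge-0/0/9.0", False), ("ge-0/0/9.0", True)]))
    # No primary: ge-0/1/1.0 is chosen and does not preempt after a failover.
    h = RedundantTrunkGroup("nopri", ["ge-0/1/0.0", "ge-0/1/1.0"])
    print(run_events(h, [("ge-0/1/1.0", False), ("ge-0/1/1.0", True)]))
```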

NOTE: The JUNOS Software for EX Series switches does not allow an interface to be
in a redundant trunk group and in an STP topology at the same time.
Figure 31 on page 525 displays an example topology containing three switches.
Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up the
access layer. Switch 3 is connected to the distribution layer through trunk ports
ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2).
Table 68 on page 525 lists the components used in this redundant trunk group.

Figure 31: Topology for Configuring the Redundant Trunk Links

Table 68: Components of the Redundant Trunk Link Topology

Property                 Settings
Switch hardware          Switch 1: 1 EX4200 distribution switch
                         Switch 2: 1 EX4200 distribution switch
                         Switch 3: 1 EX3200 access switch
Trunk port interfaces    On Switch 3 (access switch): ge-0/0/9.0 and ge-0/0/10.0
Redundant trunk group    group1

This configuration example creates a redundant trunk group called group1 on Switch 3.
The trunk ports ge-0/0/9.0 and ge-0/0/10.0 are the two links in group1. The trunk
port ge-0/0/9.0 will be configured administratively as the primary link. The trunk
port ge-0/0/10.0 will be the secondary link.

Configuration
CLI Quick Configuration

To quickly configure the redundant trunk group group1 on Switch 3, copy the following
commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options redundant-trunk-group group-name group1
set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/10.0

Step-by-Step Procedure

Configure the redundant trunk group group1 on Switch 3 and specify the primary
and secondary links.
1. Configure the redundant trunk group group1:

[edit ethernet-switching-options]
user@switch# set redundant-trunk-group group-name group1

2. Configure the trunk port ge-0/0/9.0 as the primary link and ge-0/0/10.0 as the
secondary link:

[edit ethernet-switching-options]
user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/10.0

Results

Display the results of the configuration:


user@switch# show
ethernet-switching-options {
redundant-trunk-group {
group-name group1 {
interface ge-0/0/9.0 primary;
interface ge-0/0/10.0;
}
}
}

Verification
Verify that the redundant trunk group group1 has been created and is operating
properly:

Verifying That the Redundant Group Has Been Created on page 526

Verifying That the Redundant Group Has Been Created


Purpose
Verify that the redundant trunk group group1 has been created on the switch and
that trunk ports are members of the redundant trunk group.

Action
List all redundant trunk groups configured on the switch:

user@switch> show redundant-trunk-group group1
Redundant-trunk-group: group1
Interfaces        : ge-0/0/9.0 (P) , DOWN
                  : ge-0/0/10.0 (A) , UP
Bandwidth         : 1000 Mbps, 1000 Mbps
Last Time of Flap : 1970-01-01 00:19:12 UTC (00:00:06 ago), Never
#Flaps            : 1, 0

Meaning
The show redundant-trunk-group command lists all redundant trunk groups configured
on the switch and which trunk links are members of the group. For this configuration
example, the output shows that the redundant trunk group group1 is configured on
the switch. The (P) beside trunk port ge-0/0/9.0 indicates that it is configured as the
primary link. The (A) beside the ge-0/0/10.0 trunk port indicates that it is the active
link.

Related Topics
Understanding Redundant Trunk Links on EX Series Switches on page 473

Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches

Storm control enables you to prevent network outages caused by broadcast storms
on the LAN. You can configure storm control on the EX Series switch to rate limit
broadcast traffic and unknown unicast traffic at a specified level and to drop packets
when the specified traffic level is exceeded, thus preventing packets from proliferating
and degrading the LAN.
This example shows how to configure storm control on a single EX Series switch:

Requirements on page 527

Overview and Topology on page 527

Configuration of the Storm Control Level Based on the Traffic Rate of the
Controlled Traffic Types on page 528

Configuration of the Storm Control Level Based on a Percentage of the Controlled
Traffic Types (Deprecated Method) on page 529

Requirements
This example uses the following hardware and software components:

One Juniper Networks EX3200 switch

JUNOS Release 9.1 or later for EX Series switches

Overview and Topology


A storm is generated when messages are broadcast on a network and each message
prompts a receiving node to respond by broadcasting its own messages on the
network. This, in turn, prompts further responses, creating a snowball effect and
resulting in a broadcast storm that can cause network outages.
You can use storm control to prevent broadcast storms by specifying the amount,
also known as the storm control level, of broadcast traffic and unknown unicast
traffic to be allowed on an interface. This level is given either as the traffic rate in
kilobits per second of the combined broadcast and unknown unicast streams or as
a percentage of the combined broadcast and unknown unicast streams.

NOTE: By default, storm control is enabled on all interfaces. The default level is 50
percent of the combined broadcast and unknown unicast streams.
Storm control monitors the incoming broadcast traffic and unknown unicast traffic
and compares it with the level that you specify. If broadcast traffic and unknown
unicast traffic exceed the specified level, the switch drops packets for the controlled
traffic types.

NOTE: Alternatively, you can configure the switch to shut down or temporarily disable
the interface when the storm control limit is exceeded. See Configuring Autorecovery
From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on
page 558.
The topology used in this example consists of one EX3200 switch with 24 ports. The
switch is connected to various network devices. This example shows how to configure
the storm control level on interface ge-0/0/0 by using one of two different
configuration methods:

Setting the level to a traffic rate of 15000 Kbps, based on the traffic rate of the
combined broadcast and unknown unicast streams

Setting the level to 40 (plus or minus 2) percent, based on the combined broadcast
and unknown unicast streams

If broadcast traffic and unknown unicast traffic exceed these levels, the switch drops
packets for the controlled traffic types to prevent a network outage.

Configuration of the Storm Control Level Based on the Traffic Rate of the Controlled Traffic
Types
CLI Quick Configuration

To quickly configure storm control based on the traffic rate in kilobits per second of
the combined broadcast and unknown unicast streams, copy the following command
and paste it into the switch terminal window:
[edit]
set ethernet-switching-options storm-control interface ge-0/0/0 bandwidth 15000


Step-by-Step Procedure

To configure storm control based on the traffic rate in kilobits per second of the
combined broadcast and unknown unicast streams:
1. Specify the level of allowed broadcast traffic and unknown unicast traffic on a
specific interface:
[edit ethernet-switching-options]
user@switch# set storm-control interface ge-0/0/0 bandwidth 15000

Results

Display the results of the configuration:


[edit ethernet-switching-options]
user@switch# show storm-control
interface ge-0/0/0.0 {
bandwidth 15000;
}

Configuration of the Storm Control Level Based on a Percentage of the Controlled Traffic
Types (Deprecated Method)
CLI Quick Configuration

To quickly configure storm control based on the percentage of the combined broadcast
and unknown unicast streams, copy the following command and paste it into the
switch terminal window:
[edit]
set ethernet-switching-options storm-control interface ge-0/0/0 level 40

NOTE: The level configuration statement has been deprecated and might be removed
from future product releases. We strongly recommend that you phase out its use
and replace it with the bandwidth statement.


Step-by-Step Procedure

To configure storm control based on a percentage of the combined broadcast and
unknown unicast streams:

1. Specify the level of allowed broadcast traffic and unknown unicast traffic on a
specific interface:
[edit ethernet-switching-options]
user@switch# set storm-control interface ge-0/0/0 level 40

NOTE: The level configuration statement has been deprecated and might be removed
from future product releases. We strongly recommend that you phase out its use
and replace it with the bandwidth statement.

Results

Display the results of the configuration:


[edit ethernet-switching-options]
user@switch# show storm-control
interface ge-0/0/0.0 {
level 40; ## Warning: level is deprecated
}

Related Topics

Understanding Storm Control on EX Series Switches on page 475

Example: Setting Up Q-in-Q Tunneling on EX Series Switches


Service providers can use Q-in-Q tunneling to transparently pass Layer 2 VLAN traffic
from a customer site, through the service provider network, to another customer
site without removing or changing the customer VLAN tags or class-of-service (CoS)
settings. You can configure Q-in-Q tunneling on EX Series switches.
This example describes how to set up Q-in-Q:

Requirements on page 530

Overview and Topology on page 531

Configuration on page 531

Verification on page 532

Requirements
This example requires one EX Series switch with JUNOS Release 9.3 or later for EX
Series switches.
Before you begin setting up Q-in-Q tunneling, make sure you have created and
configured the necessary customer VLANs. See Configuring VLANs for EX Series
Switches (CLI Procedure) on page 546 or Configuring VLANs for EX Series Switches
(J-Web Procedure) on page 543.


Overview and Topology


In this service provider network, there are multiple customer VLANs mapped to one
service VLAN.
Table 69 on page 531 lists the settings for the example topology.
Table 69: Components of the Topology for Setting Up Q-in-Q Tunneling

Interface      Description
ge-0/0/11.0    Tagged S-VLAN trunk port
ge-0/0/12.0    Untagged customer-facing access port
ge-0/0/13.0    Untagged customer-facing access port
ge-0/0/14.0    Tagged S-VLAN trunk port

Configuration
CLI Quick Configuration

To quickly create and configure Q-in-Q tunneling, copy the following commands and
paste them into the switch terminal window:
[edit]
set vlans qinqvlan vlan-id 4001
set vlans qinqvlan dot1q-tunneling customer-vlans 1-100
set vlans qinqvlan dot1q-tunneling customer-vlans 201-300
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 4001
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members 4001
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members 4001
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members 4001
set ethernet-switching-options dot1q-tunneling ether-type 0x9100

Step-by-Step Procedure

To configure Q-in-Q tunneling:

1. Set the VLAN ID for the S-VLAN:

[edit vlans]
user@switch# set qinqvlan vlan-id 4001

2. Enable Q-in-Q tunneling and specify the customer VLAN ranges:

[edit vlans]
user@switch# set qinqvlan dot1q-tunneling customer-vlans 1-100
user@switch# set qinqvlan dot1q-tunneling customer-vlans 201-300

3. Set the port mode and VLAN information for the interfaces:

[edit interfaces]
user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/11 unit 0 family ethernet-switching vlan members 4001
user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/12 unit 0 family ethernet-switching vlan members 4001
user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/13 unit 0 family ethernet-switching vlan members 4001
user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/14 unit 0 family ethernet-switching vlan members 4001

4. Set the Q-in-Q Ethertype value:

[edit]
user@switch# set ethernet-switching-options dot1q-tunneling ether-type 0x9100

Results

Check the results of the configuration:


user@switch> show configuration vlans qinqvlan
vlan-id 4001;
dot1q-tunneling {
customer-vlans [ 1-100 201-300 ];
}
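To see what the configuration above does to a frame, the following Python model is an added example, not JUNOS code: it pushes an S-tag with the configured ether-type 0x9100 and S-VLAN 4001 in front of a customer's 802.1Q tag, admits only customer VLANs inside the configured customer-vlans ranges (1-100 and 201-300), and pops the S-tag again, leaving the customer tag and its priority untouched. The function names, the MAC addresses and the sample customer frame are constructed for the example.

```python
# Added model (not JUNOS code) of Q-in-Q tagging with the values configured
# in this example.
import struct

ETHERTYPE_DOT1Q = 0x8100      # customer tag (C-tag) TPID
S_TAG_ETHERTYPE = 0x9100      # dot1q-tunneling ether-type 0x9100
S_VLAN_ID = 4001              # vlans qinqvlan vlan-id 4001
CUSTOMER_VLANS = "1-100 201-300"   # the configured customer-vlans ranges
ETHERTYPE_IPV4 = 0x0800


def parse_ranges(spec):
    """'1-100 201-300' -> [(1, 100), (201, 300)]; a bare number is a 1-VLAN range."""
    ranges = []
    for item in spec.split():
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("bad VLAN range %r" % item)
        ranges.append((lo, hi))
    return ranges


def make_tag(tpid, vlan_id, pcp=0):
    """4-byte 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not (0 <= vlan_id <= 4095 and 0 <= pcp <= 7):
        raise ValueError("invalid VLAN ID or priority")
    return struct.pack("!HH", tpid, (pcp << 13) | vlan_id)


def read_tags(frame):
    """List of (tpid, vlan_id, pcp) for every tag after the two MAC addresses."""
    tags, offset = [], 12
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (ETHERTYPE_DOT1Q, S_TAG_ETHERTYPE):
            break                       # reached the payload ether-type
        tags.append((tpid, tci & 0x0FFF, tci >> 13))
        offset += 4
    return tags


def customer_frame(c_vid, pcp=0, payload=b"customer data"):
    """Constructed C-tagged customer frame: dst MAC, src MAC, C-tag, IPv4, data."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return (macs + make_tag(ETHERTYPE_DOT1Q, c_vid, pcp)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def tunnel_ingress(frame, s_vlan=S_VLAN_ID, ranges=None):
    """Customer-facing access port: admit the frame only if its C-tag lies in
    a customer-vlans range, then push the S-tag. Returns None when dropped."""
    ranges = parse_ranges(CUSTOMER_VLANS) if ranges is None else ranges
    tags = read_tags(frame)
    if tags and tags[0][0] == S_TAG_ETHERTYPE:
        return None                     # already S-tagged: not a customer frame
    if tags and not any(lo <= tags[0][1] <= hi for lo, hi in ranges):
        return None                     # customer VLAN outside the ranges
    return frame[:12] + make_tag(S_TAG_ETHERTYPE, s_vlan) + frame[12:]


def tunnel_egress(frame):
    """Far-side customer-facing port: pop the S-tag; the C-tag and its
    priority come out exactly as the customer sent them."""
    tags = read_tags(frame)
    if not tags or tags[0][0] != S_TAG_ETHERTYPE:
        raise ValueError("frame is not S-tagged")
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    tunnelled = tunnel_ingress(customer_frame(50, pcp=5))
    print(read_tags(tunnelled))              # S-tag 4001 outside C-tag 50
    print(tunnel_ingress(customer_frame(150)) is None)   # 150 is not tunnelled
```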

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That Q-in-Q Tunneling Was Enabled on page 532

Verifying That Q-in-Q Tunneling Was Enabled

Purpose
Verify that Q-in-Q tunneling was properly enabled on the switch.

Action
Use the show vlans command:

user@switch> show vlans qinqvlan extensive
VLAN: qinqvlan, Created at: Thu Sep 18 07:17:53 2008
802.1Q Tag: 4001, Internal index: 18, Admin State: Enabled, Origin: Static
Dot1q Tunneling Status: Enabled
Customer VLAN ranges:
1-100
201-300
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 4 (Active = 0)
ge-0/0/11.0, tagged, trunk
ge-0/0/14.0, tagged, trunk
ge-0/0/12.0, untagged, access
ge-0/0/13.0, untagged, access

Meaning
The output indicates that Q-in-Q tunneling is enabled and that the VLAN is tagged
and shows the associated customer VLANs.

Related Topics
Configuring Q-in-Q Tunneling (CLI Procedure) on page 551

Example: Configuring a Private VLAN on an EX Series Switch


For security reasons, it is often useful to restrict the flow of broadcast and unknown
unicast traffic and to even limit the communication between known hosts. The private
VLAN (PVLAN) feature on EX Series switches allows an administrator to split a
broadcast domain into multiple isolated broadcast subdomains, essentially putting
a VLAN inside a VLAN.
This example describes how to create a private VLAN primary VLAN and secondary
VLANs:

Requirements on page 533

Overview and Topology on page 533

Configuration on page 534

Verification on page 537

Requirements
This example requires one EX Series switch with JUNOS Release 9.3 or later for EX
Series switches.
Before you begin configuring a private VLAN, make sure you have created and
configured the necessary VLAN. See Configuring VLANs for EX Series Switches (CLI
Procedure) on page 546 or Configuring VLANs for EX Series Switches (J-Web
Procedure) on page 543.

Overview and Topology


In a large office with multiple buildings and VLANs, you might need to isolate some
workgroups or other endpoints for security reasons or to partition the broadcast
domain. This configuration example shows a simple topology to illustrate how to
create a private VLAN with one primary VLAN and two community VLANs, one for
HR and one for finance, as well as two isolated ports for the mail server and the
backup server.
Table 70 on page 533 lists the settings for the example topology.
Table 70: Components of the Topology for Configuring a Private VLAN

Interface      Description
ge-0/0/0.0     Primary VLAN (pvlan) trunk port
ge-0/0/11.0    User 1, HR Community (hr-comm)
ge-0/0/12.0    User 2, HR Community (hr-comm)
ge-0/0/13.0    User 3, Finance Community (finance-comm)
ge-0/0/14.0    User 4, Finance Community (finance-comm)
ge-0/0/15.0    Mail server, Isolated (isolated)
ge-0/0/16.0    Backup server, Isolated (isolated)
ge-1/0/0.0     Primary VLAN (pvlan) trunk port

Configuration
CLI Quick Configuration

To quickly create and configure a private VLAN, copy the following commands and
paste them into the switch terminal window:
[edit]
set vlans pvlan vlan-id 1000
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access
set vlans pvlan no-local-switching
set vlans pvlan interface ge-0/0/0.0
set vlans pvlan interface ge-1/0/0.0
set vlans pvlan interface ge-0/0/15.0
set vlans pvlan interface ge-0/0/16.0
set vlans hr-comm interface ge-0/0/11.0
set vlans hr-comm interface ge-0/0/12.0
set vlans finance-comm interface ge-0/0/13.0
set vlans finance-comm interface ge-0/0/14.0
set vlans hr-comm primary-vlan pvlan
set vlans finance-comm primary-vlan pvlan

Step-by-Step Procedure

To configure the private VLAN:


1. Set the VLAN ID for the primary VLAN:

[edit vlans]
user@switch# set pvlan vlan-id 1000

2. Set the interfaces and port modes:

[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan
user@switch# set ge-1/0/0 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan
user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/15 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/16 unit 0 family ethernet-switching port-mode access

3. Set the primary VLAN to have no local switching:

NOTE: The primary VLAN must be a tagged VLAN.

[edit vlans]
user@switch# set pvlan no-local-switching

4. Add the trunk interfaces to the primary VLAN:

[edit vlans]
user@switch# set pvlan interface ge-0/0/0.0
user@switch# set pvlan interface ge-1/0/0.0

5. For each secondary VLAN, configure access interfaces:

NOTE: The secondary VLANs must be untagged VLANs.

[edit vlans]
user@switch# set hr-comm interface ge-0/0/11.0
user@switch# set hr-comm interface ge-0/0/12.0
user@switch# set finance-comm interface ge-0/0/13.0
user@switch# set finance-comm interface ge-0/0/14.0

6. For each community VLAN, set the primary VLAN:

[edit vlans]
user@switch# set hr-comm primary-vlan pvlan
user@switch# set finance-comm primary-vlan pvlan

7. Add each isolated interface to the primary VLAN:

[edit vlans]
user@switch# set pvlan interface ge-0/0/15.0
user@switch# set pvlan interface ge-0/0/16.0

Results

Check the results of the configuration:


user@switch> show configuration vlans
finance-comm {
interface {
ge-0/0/13.0;
ge-0/0/14.0;
}
primary-vlan pvlan;
}
hr-comm {
interface {
ge-0/0/11.0;
ge-0/0/12.0;
}
primary-vlan pvlan;
}
pvlan {
vlan-id 1000;
interface {
ge-0/0/15.0;
ge-0/0/16.0;
ge-0/0/0.0;
ge-1/0/0.0;
}
no-local-switching;
}
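The value of this configuration is in which ports can no longer exchange frames. The following Python model is an added example, not JUNOS code: it builds secondary VLAN membership the way the verification output for this example reports it (each community VLAN and each per-port isolated VLAN contains its own access ports plus the primary VLAN's trunk ports), treats two ports as able to exchange frames only when some secondary VLAN contains both (with no-local-switching, the primary VLAN alone does not bridge access ports), and checks that against an isolation policy. The function names and the policy are assumptions made for the example.

```python
# Added model (not JUNOS code) of port-to-port reachability inside the
# private VLAN configured above, using the membership from Table 70.
from itertools import combinations

PRIMARY = "pvlan"
TRUNKS = ["ge-0/0/0.0", "ge-1/0/0.0"]
COMMUNITIES = {
    "hr-comm": ["ge-0/0/11.0", "ge-0/0/12.0"],
    "finance-comm": ["ge-0/0/13.0", "ge-0/0/14.0"],
}
ISOLATED = ["ge-0/0/15.0", "ge-0/0/16.0"]   # mail server, backup server


def secondary_vlans(primary, trunks, communities, isolated):
    """{secondary VLAN name: set of member ports}, as 'show vlans' reports it."""
    vlans = {}
    for name, ports in communities.items():
        vlans[name] = set(ports) | set(trunks)
    for port in isolated:
        # Per-port isolated VLAN, named as in the verification output above.
        vlans["__pvlan_%s_%s__" % (primary, port)] = {port} | set(trunks)
    return vlans


VLANS = secondary_vlans(PRIMARY, TRUNKS, COMMUNITIES, ISOLATED)


def can_reach(a, b, vlans=VLANS):
    """Two ports exchange frames only if some secondary VLAN contains both."""
    return any(a in members and b in members for members in vlans.values())


def reachability_matrix(vlans=VLANS):
    """{(port_a, port_b): bool} for every unordered pair of ports."""
    ports = sorted(set().union(*vlans.values()))
    return {(a, b): can_reach(a, b, vlans) for a, b in combinations(ports, 2)}


def isolation_violations(must_not_talk, vlans=VLANS):
    """Pairs that can reach each other although policy says they must not."""
    return [pair for pair in must_not_talk if can_reach(pair[0], pair[1], vlans)]


# Hypothetical policy for this topology: the two servers must not see each
# other, and HR users must not reach finance users.
POLICY = [
    ("ge-0/0/15.0", "ge-0/0/16.0"),
    ("ge-0/0/11.0", "ge-0/0/13.0"),
    ("ge-0/0/12.0", "ge-0/0/14.0"),
]

if __name__ == "__main__":
    for pair, ok in sorted(reachability_matrix().items()):
        print("%-12s <-> %-12s %s" % (pair[0], pair[1], "yes" if ok else "no"))
    print("policy violations:", isolation_violations(POLICY))
```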


Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Private VLAN and Secondary VLANs Were Created on page 537

Verifying the Private VLAN and Secondary VLANs Were Created

Purpose
Verify that the primary VLAN and secondary VLANs were properly created on the
switch.

Action
Use the show vlans command:
user@switch> show vlans pvlan extensive
VLAN: pvlan, Created at: Tue Sep 16 17:59:47 2008
802.1Q Tag: 1000, Internal index: 18, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/11.0, untagged, access
ge-0/0/12.0, untagged, access
ge-0/0/13.0, untagged, access
ge-0/0/14.0, untagged, access
ge-0/0/15.0, untagged, access
ge-0/0/16.0, untagged, access
ge-1/0/0.0, tagged, trunk
Secondary VLANs: Isolated 2, Community 2
Isolated VLANs :
__pvlan_pvlan_ge-0/0/15.0__
__pvlan_pvlan_ge-0/0/16.0__
Community VLANs :
finance-comm
hr-comm
user@switch> show vlans hr-comm extensive
VLAN: hr-comm, Created at: Tue Sep 16 17:59:47 2008
Internal index: 22, Admin State: Enabled, Origin: Static
Private VLAN Mode: Community, Primary VLAN: pvlan
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/11.0, untagged, access
ge-0/0/12.0, untagged, access
ge-1/0/0.0, tagged, trunk
user@switch> show vlans finance-comm extensive
VLAN: finance-comm, Created at: Tue Sep 16 17:59:47 2008
Internal index: 21, Admin State: Enabled, Origin: Static
Private VLAN Mode: Community, Primary VLAN: pvlan
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/13.0, untagged, access
ge-0/0/14.0, untagged, access
ge-1/0/0.0, tagged, trunk
user@switch> show vlans __pvlan_pvlan_ge-0/0/15.0__ extensive
VLAN: __pvlan_pvlan_ge-0/0/15.0__, Created at: Tue Sep 16 17:59:47 2008
Internal index: 19, Admin State: Enabled, Origin: Static
Private VLAN Mode: Isolated, Primary VLAN: pvlan

Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/15.0, untagged, access
ge-1/0/0.0, tagged, trunk
user@switch> show vlans __pvlan_pvlan_ge-0/0/16.0__ extensive
VLAN: __pvlan_pvlan_ge-0/0/16.0__, Created at: Tue Sep 16 17:59:47 2008
Internal index: 20, Admin State: Enabled, Origin: Static
Private VLAN Mode: Isolated, Primary VLAN: pvlan
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/16.0, untagged, access
ge-1/0/0.0, tagged, trunk

Meaning

The output shows that the primary VLAN was created and identifies the interfaces
and secondary VLANs associated with it.

Related Topics

Creating a Private VLAN (CLI Procedure) on page 550

Example: Using Virtual Routing Instances to Route Among VLANs on EX Series
Switches

Virtual routing instances allow an EX Series switch to maintain multiple routing
tables on one device. With virtual routing instances, you can segment your network
to isolate traffic without setting up additional devices.
This example describes how to create virtual routing instances:

Requirements on page 538

Overview and Topology on page 538

Configuration on page 539

Verification on page 540

Requirements
This example uses the following hardware and software components:

One EX Series switch

JUNOS Release 9.2 or later for EX Series switches

Before you create the virtual routing instances, make sure you have:

Configured the necessary VLANs. See Configuring VLANs for EX Series Switches
(CLI Procedure) on page 546 or Configuring VLANs for EX Series Switches (J-Web
Procedure) on page 543.

Overview and Topology


In a large office, you may need multiple VLANs to properly manage your traffic. This
configuration example shows a simple topology to illustrate how to connect a single

538

Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches

Chapter 29: Examples of Configuring Layer 2 Bridging, VLANs, and GVRP

EX Series switch with a virtual routing instance for each of two VLANs, enabling
traffic to pass between those VLANs.
In the example topology, the LAN is segmented into two VLANs, each associated
with an interface and a routing instance on the EX Series switch.

Configuration
CLI Quick Configuration

To quickly create and configure virtual routing instances, copy the following
commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 0 vlan-id 1030 family inet address 103.1.1.1/24
set interfaces ge-0/0/3 unit 1 vlan-id 1031 family inet address 103.1.1.1/24
set routing-instances r1 instance-type virtual-router
set routing-instances r1 interface ge-0/0/1.0
set routing-instances r1 interface ge-0/0/3.0
set routing-instances r2 instance-type virtual-router
set routing-instances r2 interface ge-0/0/2.0
set routing-instances r2 interface ge-0/0/3.1

Step-by-Step Procedure

To configure virtual routing instances:


1.

Create a VLAN-tagged interface:


[edit]
user@switch# set interfaces ge-0/0/3 vlan-tagging

2.

Create two logical units (subinterfaces) on the interface, one for each routing
instance. Both units carry the same address; that works only because each unit is
bound to a different routing instance, with its own routing table, in step 4:
[edit]
user@switch# set interfaces ge-0/0/3 unit 0 vlan-id 1030 family inet address 103.1.1.1/24
user@switch# set interfaces ge-0/0/3 unit 1 vlan-id 1031 family inet address 103.1.1.1/24

3.

Create two virtual routers:


[edit]
user@switch# set routing-instances r1 instance-type virtual-router
user@switch# set routing-instances r2 instance-type virtual-router

4.

Set the interfaces for the virtual routers:


[edit]
user@switch# set routing-instances r1 interface ge-0/0/1.0
user@switch# set routing-instances r1 interface ge-0/0/3.0
user@switch# set routing-instances r2 interface ge-0/0/2.0
user@switch# set routing-instances r2 interface ge-0/0/3.1


Results

Check the results of the configuration:


user@switch> show configuration
interfaces {
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
vlan-tagging;
unit 0 {
vlan-id 1030;
family inet {
address 103.1.1.1/24;
}
}
unit 1 {
vlan-id 1031;
family inet {
address 103.1.1.1/24;
}
}
}
routing-instances {
r1 {
instance-type virtual-router;
interface ge-0/0/1.0;
interface ge-0/0/3.0;
}
r2 {
instance-type virtual-router;
interface ge-0/0/2.0;
interface ge-0/0/3.1;
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That the Routing Instances Were Created on page 540

Verifying That the Routing Instances Were Created


Purpose

Verify that the virtual routing instances were properly created on the switch.

Action

Use the show route instance command:

user@switch> show route instance
Instance             Type              Primary RIB       Active/holddown/hidden
master               forwarding        inet.0            3/0/0
r1                   virtual-router    r1.inet.0         1/0/0
r2                   virtual-router    r2.inet.0         1/0/0

Meaning

Each routing instance created is displayed, along with its type, information about
whether it is active or not, and its primary routing table.

Related Topics

Configuring Virtual Routing Instances (CLI Procedure) on page 552


Chapter 30

Configuring Layer 2 Bridging, VLANs, and GVRP

Configuring VLANs for EX Series Switches (J-Web Procedure) on page 543

Configuring VLANs for EX Series Switches (CLI Procedure) on page 546

Configuring Routed VLAN Interfaces (CLI Procedure) on page 547

Creating a Series of Tagged VLANs (CLI Procedure) on page 549

Creating a Private VLAN (CLI Procedure) on page 550

Configuring Q-in-Q Tunneling (CLI Procedure) on page 551

Configuring Virtual Routing Instances (CLI Procedure) on page 552

Configuring MAC Table Aging (CLI Procedure) on page 553

Configuring the Native VLAN Identifier (CLI Procedure) on page 554

Configuring Unknown Unicast Forwarding (CLI Procedure) on page 555

Configuring GVRP (J-Web Procedure) on page 555

Configuring Redundant Trunk Groups (J-Web Procedure) on page 557

Configuring Autorecovery From the Disabled State on Secure or Storm Control
Interfaces (CLI Procedure) on page 558

Configuring VLANs for EX Series Switches (J-Web Procedure)


You can use the VLAN configuration page to add a new VLAN or to edit or delete an
existing VLAN.
To access the VLAN configuration page:
1.

From the Configure menu, select Switching > VLAN.


The VLAN configuration page displays a list of existing VLANs. If you select a
specific VLAN, the specific VLAN details are displayed in the Details section.

2.

Click one:

Add: creates a VLAN.

Edit: edits an existing VLAN configuration.

Delete: deletes an existing VLAN.


NOTE: If you delete a VLAN, the VLAN configuration for all the associated interfaces
is also deleted.

When you are adding or editing a VLAN, enter information as described in Table
71 on page 544.

Table 71: VLAN Configuration Details

General tab

VLAN Name
Function: Specifies a unique name for the VLAN.
Your Action: Enter a name.

VLAN Id/Range
Function: Specifies the identifier or range for the VLAN.
Your Action: Select one:
VLAN ID: Type a unique identification number from 1 through 4094. If no value is
specified, it defaults to 0.
VLAN Range: Type a number range to create VLANs with IDs corresponding to the
range. For example, the range 2-3 will create two VLANs with the IDs 2 and 3.

Description
Function: Describes the VLAN.
Your Action: Enter a brief description for the VLAN.

MAC-Table-Aging-Time
Function: Specifies the maximum time that an entry can remain in the forwarding
table before it ages out.
Your Action: Type the number of seconds from 60 through 1000000.

Input filter
Function: Specifies the VLAN firewall filter that is applied to incoming packets.
Your Action: To apply an input firewall filter, select the firewall filter from the list.

Output filter
Function: Specifies the VLAN firewall filter that is applied to outgoing packets.
Your Action: To apply an output firewall filter, select the firewall filter from the list.

Ports tab

Ports
Function: Specifies the ports (interfaces) to be associated with this VLAN for data
traffic. You can also remove the port association.
Your Action: Click one:
Add: Select the ports from the available list.
Remove: Select the port that you do not want associated with the VLAN.

IP address tab

IPv4 address
Function: Specifies IPv4 address options for the VLAN.
Your Action: Select IPv4 address to enable the IPv4 address options. To configure IPv4:
1. Enter the IP address.
2. Enter the subnet mask, for example, 255.255.255.0. You can also specify the
address prefix.
3. To apply an input firewall filter to an interface, select the firewall filter from the list.
4. To apply an output firewall filter to an interface, select the firewall filter from the list.
5. Click the ARP/MAC Details button. Enter the static IP address and MAC address
in the window that is displayed.

IPv6 address
Function: Specifies IPv6 address options for the VLAN.
Your Action: Select IPv6 address to enable the IPv6 address options. To configure IPv6:
1. Enter the IP address, for example, 2001:ab8:85a3::8a2e:370:7334.
2. Specify the subnet mask.

Voip tab

Ports
Function: Specifies the ports to be associated with this VLAN for voice traffic. You
can also remove the port association.
Your Action: Click one:
Add: Select the ports from the available list.
Remove: Select the port that you do not want associated with the VLAN.

Related Topics

Configuring VLANs for EX Series Switches (CLI Procedure) on page 546

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Understanding Bridging and VLANs on EX Series Switches on page 467

Configuring Routed VLAN Interfaces (CLI Procedure) on page 547


Configuring VLANs for EX Series Switches (CLI Procedure)


EX Series switches use VLANs to make logical groupings of network nodes with their
own broadcast domains. You can use VLANs to limit the traffic flowing across the
entire LAN and reduce collisions and packet retransmissions.
For each endpoint on the VLAN, configure the following VLAN parameters on the
corresponding interface:
1.

Set the description of the VLAN:


[edit interfaces ge-chassis/pic/port unit 0]
user@switch# set description vlan-description

2.

Set the unique name of the VLAN:


[edit interfaces ge-chassis/pic/port unit 0]
user@switch# set family ethernet-switching vlan members vlan-name

3.

Create the subnet for the VLAN:


[edit interfaces]
user@switch# set vlan unit 0 family inet address ip-address

4.

Configure the VLAN tag ID or VLAN ID range for the VLAN:


[edit vlans]
user@switch# set vlan-name vlan-id vlan-id-number

or
[edit vlans]
user@switch# set vlan-name vlan-range vlan-id-low-vlan-id-high

5.

To specify the maximum time that an entry can remain in the forwarding table
before it ages out:
[edit vlans]
user@switch# set vlan-name mac-table-aging-time time

6.

To specify a VLAN firewall filter to be applied to incoming or outgoing packets:


[edit vlans]
user@switch# set vlan-name filter (input | output) filter-name

Related Topics

Configuring VLANs for EX Series Switches (J-Web Procedure) on page 543

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Configuring Routed VLAN Interfaces (CLI Procedure) on page 547

Creating a Series of Tagged VLANs (CLI Procedure) on page 549

Understanding Bridging and VLANs on EX Series Switches on page 467

Configuring Routed VLAN Interfaces (CLI Procedure)


Routed VLAN interfaces (RVIs) enable the EX Series switch to recognize which packets
are being sent to local addresses so that they are bridged whenever possible and are
routed only when needed. Whenever packets can be switched instead of routed,
several layers of processing are eliminated. Switching also reduces the number of
address look-ups. For redundancy purposes, RVIs can be combined with
implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging
and VPLS environments.
To configure the routed VLAN interface:
1.

Create the VLAN by assigning it a name and a VLAN ID:


[edit]
user@switch# set vlans support vlan-id 111

2.

Assign an interface to the VLAN by specifying the logical interface (with the unit
statement) and specifying the VLAN name as the member:
[edit]
user@switch# set interfaces ge-0/0/18 unit 0 family ethernet-switching
vlan members support

3.

Create the subnet for the VLANs broadcast domain:


[edit]
user@switch# set interfaces vlan unit 111 family inet address 111.111.111.1/24

4.

Bind a Layer 3 interface with the VLAN:


[edit]
user@switch# set vlans support l3-interface vlan.111

NOTE: Layer 3 interfaces on trunk ports allow the interface to transfer traffic between
multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is
routed.
You can display the configuration settings:

user@switch> show interfaces vlan terse
Interface        Admin Link Proto    Local                 Remote
vlan             up    up
vlan.111         up    up   inet     111.111.111.1/24

user@switch> show vlans
Name             Tag     Interfaces
default          None    ge-1/0/0.0, ge-1/0/1.0, ge-1/0/2.0
employee-vlan    20      ge-1/0/10.0, ge-1/0/20.0, ge-1/0/30.0
marketing        40
support          111     ge-0/0/18.0
mgmt                     bme0.32769, bme0.32771*

user@switch> show ethernet-switching table
Ethernet-switching table: 1 entries, 0 learned
  VLAN      MAC address         Type     Age   Interfaces
  support   00:19:e2:50:95:a0   Static   -     Router

Related Topics

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Connecting an Access Switch to a Distribution Switch on page 498

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Understanding Bridging and VLANs on EX Series Switches on page 467


Creating a Series of Tagged VLANs (CLI Procedure)


To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are
identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged
and are encapsulated with 802.1Q tags. For a simple network that has only a single
VLAN, all traffic has the same 802.1Q tag.
Instead of configuring VLANS and 802.1Q tags one at a time for a trunk interface,
you can configure a VLAN range to create a series of tagged VLANs.
When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique
802.1Q tag. The tag is applied to all frames so that the network nodes receiving the
frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic
among a number of VLANs, use the tag to determine the origin of frames and where
to forward them.
For example, you could configure the VLAN employee and specify a tag range of
10-12. This creates the following VLANs and tags:

VLAN employee-10, tag 10

VLAN employee-11, tag 11

VLAN employee-12, tag 12

Creating tagged VLANs in a series has the following limitations:

Layer 3 interfaces do not support this feature.

Because an access interface can only support one VLAN member, access
interfaces also do not support this feature.

Voice over IP (VoIP) configurations do not support a range of tagged VLANs.


To configure a series of tagged VLANs using the CLI (here, the VLAN is employee):
1.

Configure the series (here, a VLAN series from 120 through 130):
[edit]
user@switch# set vlans employee vlan-range 120-130

2.

Associate the series of tagged VLANs with an interface in one of two ways:

Include the name of the series:

[edit]
user@switch# set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan
members employee

Include the VLAN range:

[edit]
user@switch# set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan
members 120-130

Associating a series of tagged VLANs with an interface by name or by VLAN range has
the same result: VLANs __employee_120__ through __employee_130__ are created.

NOTE: When a series of VLANs is created using the vlan-range statement, the VLAN
names are prefixed and suffixed with a double underscore.
Related Topics

Verifying That a Series of Tagged VLANs Has Been Created on page 559

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Connecting an Access Switch to a Distribution Switch on page 498

Understanding Bridging and VLANs on EX Series Switches on page 467

Creating a Private VLAN (CLI Procedure)


The private VLAN (PVLAN) feature on EX Series switches allows an administrator to
split a broadcast domain into multiple isolated broadcast subdomains, essentially
putting a VLAN inside a VLAN.
Before you begin, make sure you set up your VLANs. See Configuring VLANs for EX
Series Switches (CLI Procedure) on page 546 or Configuring VLANs for EX Series
Switches (J-Web Procedure) on page 543.


To configure private VLANs:


1.

Set the primary VLAN to have no local switching:

NOTE: The primary VLAN must be a tagged VLAN.

[edit vlans]
user@switch# set primary-vlan-name no-local-switching

2.

For each community VLAN, configure access interfaces:

NOTE: The secondary VLANs must be untagged VLANs.

[edit vlans]
user@switch# set community-vlan-name interface ge-chassis/slot/port

3.

For each community VLAN, set the primary VLAN:


[edit vlans]
user@switch# set community-vlan-name primary-vlan primary-vlan-name

4.

For each isolated VLAN, add the interface to the primary VLAN:
[edit vlans]
user@switch# set primary-vlan-name interface ge-chassis/slot/port
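The isolation that the private VLAN example on page 533 and this procedure describe can be modeled and checked offline before a commit. The following Python script is an added example, not code from JUNOS or from this guide. It parses a constructed copy of the example's set statements (only the statement forms used on this page are recognised), classifies each interface as promiscuous (trunk in the primary VLAN), isolated (access port placed directly in the primary VLAN) or community (access port in a VLAN whose primary-vlan is the primary), decides whether frames may pass between two ports, and reports configurations that violate the constraints stated above (tagged primary VLAN with no-local-switching, untagged secondary VLANs made of access ports). The function names and role labels are the script's own.

```python
"""Added example: model EX Series private VLAN (PVLAN) isolation from set-style config."""

# Constructed sample: the set statements of the PVLAN example on page 533 of this guide.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access
set vlans pvlan vlan-id 1000
set vlans pvlan no-local-switching
set vlans pvlan interface ge-0/0/0.0
set vlans pvlan interface ge-1/0/0.0
set vlans pvlan interface ge-0/0/15.0
set vlans pvlan interface ge-0/0/16.0
set vlans hr-comm interface ge-0/0/11.0
set vlans hr-comm interface ge-0/0/12.0
set vlans hr-comm primary-vlan pvlan
set vlans finance-comm interface ge-0/0/13.0
set vlans finance-comm interface ge-0/0/14.0
set vlans finance-comm primary-vlan pvlan
"""


def parse_set_config(text):
    """Return (port_modes, vlans): logical interface -> 'trunk'|'access', and VLAN name
    -> dict(vlan_id, no_local_switching, interfaces, primary_vlan). Only the statement
    forms used on this page are recognised."""
    port_modes, vlans = {}, {}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"] and "port-mode" in w:
            # set interfaces <ifd> unit <n> family ethernet-switching port-mode <mode>
            port_modes[f"{w[2]}.{w[4]}"] = w[w.index("port-mode") + 1]
        elif w[:2] == ["set", "vlans"]:
            v = vlans.setdefault(w[2], {"vlan_id": None, "no_local_switching": False,
                                       "interfaces": set(), "primary_vlan": None})
            if w[3] == "vlan-id":
                v["vlan_id"] = int(w[4])
            elif w[3] == "no-local-switching":
                v["no_local_switching"] = True
            elif w[3] == "interface":
                v["interfaces"].add(w[4])
            elif w[3] == "primary-vlan":
                v["primary_vlan"] = w[4]
    return port_modes, vlans


def classify_ports(port_modes, vlans, primary):
    """Map each PVLAN interface to (role, community). Trunks in the primary VLAN are
    promiscuous; access ports placed directly in the primary VLAN are isolated (the
    switch gives each one its own __pvlan_<primary>_<ifl>__ VLAN); access ports of a
    VLAN whose primary-vlan is <primary> belong to that community."""
    roles = {}
    for ifl in vlans[primary]["interfaces"]:
        roles[ifl] = ("promiscuous" if port_modes.get(ifl) == "trunk" else "isolated", None)
    for name, v in vlans.items():
        if v["primary_vlan"] == primary:
            for ifl in v["interfaces"]:
                roles[ifl] = ("community", name)
    return roles


def can_forward(roles, src, dst):
    """PVLAN forwarding rule: promiscuous ports reach every port; community ports reach
    their own community and promiscuous ports; isolated ports reach only promiscuous
    ports. Isolated-to-isolated and cross-community traffic is dropped."""
    if src == dst:
        return False
    (s_role, s_comm), (d_role, d_comm) = roles[src], roles[dst]
    if "promiscuous" in (s_role, d_role):
        return True
    return s_role == d_role == "community" and s_comm == d_comm


def validate_pvlan(port_modes, vlans, primary):
    """Constraints stated in the procedure: the primary VLAN is tagged and has
    no-local-switching; secondary VLANs are untagged and contain only access ports."""
    problems = []
    p = vlans[primary]
    if p["vlan_id"] is None:
        problems.append(f"{primary}: primary VLAN must be a tagged VLAN (no vlan-id)")
    if not p["no_local_switching"]:
        problems.append(f"{primary}: no-local-switching is not set")
    for name, v in vlans.items():
        if v["primary_vlan"] != primary:
            continue
        if v["vlan_id"] is not None:
            problems.append(f"{name}: secondary VLANs must be untagged")
        for ifl in v["interfaces"]:
            if port_modes.get(ifl) != "access":
                problems.append(f"{name}: {ifl} is not an access port")
    return problems
```

Feed the script the set form of a candidate configuration (show configuration | display set), call classify_ports() and can_forward() for the port pairs that must stay separated, and treat any non-empty result from validate_pvlan() as a reason not to commit: a primary VLAN without no-local-switching, or a tagged secondary VLAN, silently removes the isolation the design depends on.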

Related Topics

Example: Configuring a Private VLAN on an EX Series Switch on page 533

Verifying That a Private VLAN Is Working on page 562

Understanding Private VLANs on EX Series Switches on page 480

Configuring Q-in-Q Tunneling (CLI Procedure)


Q-in-Q tunneling allows service providers on Ethernet access networks to segregate
or bundle customer traffic into different VLANs by adding another layer of 802.1Q
tags. You can configure Q-in-Q tunneling on EX Series switches.
Before you begin configuring Q-in-Q tunneling, make sure you set up your VLANs.
See Configuring VLANs for EX Series Switches (CLI Procedure) on page 546 or
Configuring VLANs for EX Series Switches (J-Web Procedure) on page 543.


To configure Q-in-Q tunneling:


1.

Enable Q-in-Q tunneling on the S-VLAN:


[edit vlans]
user@switch# set s-vlan-name dot1q-tunneling

2.

Set the allowed C-VLANs on the S-VLAN (optional). Here, the C-VLANs are
identified by VLAN range:
[edit vlans]
user@switch# set s-vlan-name dot1q-tunneling customer-vlans range

3.

Change the global Ethertype value (optional):


[edit]
user@switch# set ethernet-switching-options dot1q-tunneling ether-type
ether-type-value

4.

Disable MAC address learning on the S-VLAN (optional):


[edit vlans]
user@switch# set s-vlan-name no-mac-learning

Related Topics

Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530

Verifying That Q-in-Q Tunneling Is Working on page 562

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Configuring Virtual Routing Instances (CLI Procedure)


Use virtual routing and forwarding (VRF) to divide an EX Series switch into multiple
virtual routing instances. VRF allows you to isolate VLAN traffic without using multiple
devices to segment your network.
Before you begin to configure these multiple virtual routing instances, make sure to
set up your VLANs. See Configuring VLANs for EX Series Switches (CLI Procedure)
on page 546 or Configuring VLANs for EX Series Switches (J-Web Procedure) on
page 543.
To configure virtual routing instances:
1.

Create a routing instance:


[edit routing-instances]
user@switch# set routing-instance-name instance-type virtual-router

2.

Bind each routing instance to the corresponding interfaces:


[edit routing-instances]
user@switch# set routing-instance-name interface ge-chassis/slot/port.logical-unit-number

3.

Create each of the logical interfaces bound to each routing instance:


[edit interfaces]
user@switch# set ge-chassis/slot/port unit logical-unit-number family inet
address ip-address

4.

Enable VLAN tagging on each interface:


[edit interfaces]
user@switch# set ge-chassis/slot/port vlan-tagging
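To make the separate routing tables concrete, the following Python script is an added example (not code from JUNOS or from this guide) that builds one table per virtual-router instance from a constructed copy of the set statements in the example on page 538 and performs longest-prefix lookups confined to a single instance. It shows why the two logical units can carry the same 103.1.1.1/24 address (they sit in different instances) and flags the case that would be a real conflict, the same prefix twice within one instance. Table names follow the instance-name.inet.0 convention of show route instance; everything else, including the function names, is the script's own.

```python
"""Added example: per-instance routing tables built from virtual-router configuration.
Constructed input; not part of JUNOS or of this guide."""
import ipaddress

# Constructed sample: the set statements of the routing-instance example on page 538.
SAMPLE_CONFIG = """
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 0 vlan-id 1030 family inet address 103.1.1.1/24
set interfaces ge-0/0/3 unit 1 vlan-id 1031 family inet address 103.1.1.1/24
set routing-instances r1 instance-type virtual-router
set routing-instances r1 interface ge-0/0/1.0
set routing-instances r1 interface ge-0/0/3.0
set routing-instances r2 instance-type virtual-router
set routing-instances r2 interface ge-0/0/2.0
set routing-instances r2 interface ge-0/0/3.1
"""


def parse_set_config(text):
    """Return (addresses, instances): logical interface -> IPv4Interface, and
    instance name -> set of the logical interfaces bound to it."""
    addresses, instances = {}, {}
    for line in text.strip().splitlines():
        w = line.split()
        if w[1] == "interfaces" and "address" in w:
            # set interfaces <ifd> unit <n> ... family inet address <prefix>
            addresses[f"{w[2]}.{w[4]}"] = ipaddress.ip_interface(w[w.index("address") + 1])
        elif w[1] == "routing-instances" and w[3] == "interface":
            instances.setdefault(w[2], set()).add(w[4])
    return addresses, instances


def build_tables(addresses, instances):
    """One table per instance, named <instance>.inet.0 as in 'show route instance',
    holding the direct routes of its interfaces. Layer 2 interfaces such as
    ge-0/0/1.0 have no inet address and contribute no route."""
    tables = {}
    for name, ifls in instances.items():
        tables[f"{name}.inet.0"] = sorted(
            (addresses[ifl].network, ifl) for ifl in ifls if ifl in addresses)
    return tables


def lookup(tables, instance, destination):
    """Longest-prefix match confined to one instance's table. A destination with no
    route in that instance is unreachable from it, whatever other instances hold."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, ifl in tables[f"{instance}.inet.0"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl)
    return best[1] if best else None


def duplicate_prefixes(tables):
    """Prefixes that appear more than once within a single table. The same prefix in
    two different instances (103.1.1.0/24 in the sample) is not a conflict."""
    dups = []
    for table, routes in tables.items():
        seen = {}
        for net, ifl in routes:
            if net in seen:
                dups.append((table, str(net), seen[net], ifl))
            seen.setdefault(net, ifl)
    return dups


if __name__ == "__main__":
    tables = build_tables(*parse_set_config(SAMPLE_CONFIG))
    for name, routes in tables.items():
        print(name, [(str(net), ifl) for net, ifl in routes])
    print("103.1.1.50 via r1:", lookup(tables, "r1", "103.1.1.50"))
    print("103.1.1.50 via r2:", lookup(tables, "r2", "103.1.1.50"))
    print("duplicates:", duplicate_prefixes(tables) or "none")
```

The lookup deliberately takes the instance as an argument and never falls back to another table: that is the property that makes virtual routers a segmentation control rather than a naming convenience.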

Related Topics

Example: Using Virtual Routing Instances to Route Among VLANs on EX Series
Switches on page 538

Verifying That Virtual Routing Instances Are Working on page 564

Understanding Virtual Routing Instances on EX Series Switches on page 476

Configuring MAC Table Aging (CLI Procedure)


The aging process ensures that the EX Series switch tracks only active nodes on the
network and that it is able to flush out network nodes that are no longer available.
To manage MAC entries more efficiently, you can configure an entry's aging time,
which is the maximum time that an entry can remain in the Ethernet Switching table
before it ages out.
To configure how long entries remain in the Ethernet Switching table before expiring,
using the CLI (here, the VLAN is employee-vlan):
[edit vlans employee-vlan]
user@switch# set mac-table-aging-time 200

Related Topics

Understanding Bridging and VLANs on EX Series Switches on page 467

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Connecting an Access Switch to a Distribution Switch on page 498


Configuring the Native VLAN Identifier (CLI Procedure)


EX Series switches support receiving and forwarding routed or bridged Ethernet
frames with 802.1Q VLAN tags. The logical interface on which untagged packets are
to be received must be configured with the same native VLAN ID as that configured
on the physical interface.
To configure the native VLAN ID using the CLI:
1.

Configure the port mode so that the interface is in multiple VLANs and can
multiplex traffic between different VLANs. Trunk interfaces typically connect to
other switches and to routers on the LAN. Configure the port mode as trunk:
[edit interfaces ge-0/0/3 unit 0 family ethernet-switching]
user@switch# set port-mode trunk

2.

Configure the native VLAN ID:


[edit interfaces ge-0/0/3 unit 0 family ethernet-switching]
user@switch# set native-vlan-id 3
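The native VLAN rule above and the Q-in-Q tunneling procedure on page 551 both come down to how a port reads the tag stack at the front of an Ethernet frame. The following Python script is an added example, not code from JUNOS or from this guide: it builds constructed frames, decodes any 802.1Q and service tags, classifies an untagged frame into the native VLAN (or into no VLAN when none is configured), and shows a Q-in-Q tunnel pushing and popping a service tag around an untouched customer tag, with the service ether-type as a parameter to mirror the configurable global ether-type. The 0x88a8 default, the MAC addresses and the function names are the script's assumptions.

```python
"""Added example: how untagged, 802.1Q-tagged and Q-in-Q (double-tagged) frames are
classified, and how a Q-in-Q tunnel port pushes and pops the service tag.
Constructed frames; not part of JUNOS or of this guide."""
import struct

TPID_8021Q = 0x8100   # customer tag (C-tag)
TPID_8021AD = 0x88A8  # service tag (S-tag); assumed default, the switch's ether-type is configurable


def build_frame(dst_mac, src_mac, ethertype, payload, tags=()):
    """Build an Ethernet frame. tags = [(tpid, vlan_id, pcp), ...], outermost first."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for tpid, vid, pcp in tags:
        frame += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=None, s_tpid=TPID_8021AD):
    """Decode the tag stack and classify the frame the way a trunk port does: the
    outermost tag names the VLAN; an untagged frame lands in the native VLAN, or in
    no VLAN (None) when the trunk has no native-vlan-id configured."""
    tags, offset = [], 12
    while True:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in (TPID_8021Q, s_tpid):
            break                      # not a tag we recognise: this is the ethertype
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((tpid, tci & 0x0FFF, tci >> 13))   # (tpid, VLAN ID, priority)
        offset += 4
    return {
        "dst": frame[:6].hex(), "src": frame[6:12].hex(),
        "tags": tags, "ethertype": tpid, "payload": frame[offset + 2:],
        "vlan": tags[0][1] if tags else native_vlan,
    }


def push_s_tag(frame, s_vlan, s_tpid=TPID_8021AD, pcp=0):
    """Q-in-Q ingress on the S-VLAN: prepend the service tag and leave the customer's
    own tag (if any) intact underneath."""
    return frame[:12] + struct.pack("!HH", s_tpid, (pcp << 13) | (s_vlan & 0x0FFF)) + frame[12:]


def pop_s_tag(frame, s_tpid=TPID_8021AD):
    """Q-in-Q egress toward the customer: strip the outer service tag only."""
    if struct.unpack_from("!H", frame, 12)[0] != s_tpid:
        raise ValueError("frame carries no service tag")
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    payload = bytes.fromhex("45000014") + bytes(16)      # constructed IPv4 header stub
    untagged = build_frame("ffffffffffff", "001122334455", 0x0800, payload)
    customer = build_frame("ffffffffffff", "001122334455", 0x0800, payload,
                           tags=[(TPID_8021Q, 100, 0)])
    tunnelled = push_s_tag(customer, 1000)
    print("untagged on trunk, native-vlan-id 3 ->", parse_frame(untagged, native_vlan=3)["vlan"])
    print("untagged on trunk, no native VLAN   ->", parse_frame(untagged)["vlan"])
    print("C-tag only ->", parse_frame(customer)["tags"])
    print("Q-in-Q     ->", parse_frame(tunnelled)["tags"])
    print("after pop  ->", parse_frame(pop_s_tag(tunnelled))["tags"])
```

Two points the code makes visible: a trunk with no native-vlan-id has nowhere to put an untagged frame, and an S-tag that uses a non-default ether-type is not recognised as a tag at all by a port that still expects 0x88a8, so the global ether-type must match on both ends of a Q-in-Q link.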

Related Topics

Understanding Bridging and VLANs on EX Series Switches on page 467

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Connecting an Access Switch to a Distribution Switch on page 498

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Configuring Unknown Unicast Forwarding (CLI Procedure)


Unknown unicast traffic consists of packets with unknown destination MAC addresses.
By default, the switch floods these packets to all interfaces associated with a VLAN.
Flooding means that every host in the VLAN receives frames addressed to any station
the switch has not yet learned, so a host can observe traffic that was not meant for
it, which is a security issue.
To prevent flooding unknown unicast traffic across the switch, configure unknown
unicast forwarding to direct all unknown unicast packets within a VLAN out to a
specific trunk interface. From there, the destination MAC address can be learned
and added to the Ethernet switching table. You can configure each VLAN to divert
unknown unicast traffic to a different trunk interface or use one trunk interface for
multiple VLANs.
To configure unknown unicast forwarding options using the CLI:

NOTE: Before you can configure unknown unicast forwarding within a VLAN, you
must first configure that VLAN.

1.

Configure unknown unicast forwarding for a specific VLAN (here, the VLAN name
is employee):
[edit ethernet-switching-options]
user@switch# set unknown-unicast-forwarding vlan employee

2.

Specify the trunk interface to which all unknown unicast traffic will be forwarded:
[edit ethernet-switching-options]
user@switch# set unknown-unicast-forwarding vlan employee interface ge-0/0/3.0

Related Topics

Example: Configuring Storm Control to Prevent Network Outages on EX Series
Switches on page 527

Configuring VLANs for EX Series Switches (CLI Procedure) on page 546

Configuring VLANs for EX Series Switches (J-Web Procedure) on page 543

Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on
page 561

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

Understanding Storm Control on EX Series Switches on page 475

Configuring GVRP (J-Web Procedure)


As a network expands and the number of clients and VLANs increases, VLAN
administration becomes complex, and the task of efficiently configuring VLANs on
multiple EX Series switches becomes increasingly difficult. To automate VLAN
administration, you can enable GARP VLAN Registration Protocol (GVRP) on the
network.
GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding
trunk interface to the VLAN if the advertised VLAN already exists on the switch. For
example, a VLAN named sales is advertised to trunk interface 1 on the GVRP-enabled
switch. The switch adds trunk interface 1 to the sales VLAN if the sales VLAN already
exists on the switch.
As individual interfaces become active and send requests to join a VLAN, the VLAN
configuration is updated and propagated among the switches. Limiting the VLAN
configuration to active participants reduces the network overhead. GVRP also provides
the benefit of pruning VLANs to limit the scope of broadcast, unknown unicast, and
multicast (BUM) traffic to interested network devices only.
To configure GVRP using the J-Web interface:
1.

Select Configure > Switching > GVRP. Interfaces on which GVRP has been enabled
are listed.

2.

To enable GVRP on an interface, click Add. Click the arrow key to move the
interface from the Interface Out of GVRP list to the Interface under GVRP list, and
click OK.

3.

To modify GVRP timers, click Global Settings. When you are modifying GVRP
Timer settings for the interface, enter information as described in Table 72 on
page 556.

4.

Click OK to apply changes to the configuration or click Cancel to cancel without
saving changes.

To disable an interface, select the interface and click Disable Port.


Table 72: GVRP Timer Settings

Join Timer
Function: Specifies the maximum number of milliseconds the interfaces wait before
sending VLAN advertisements.
Your Action: Type a number.

Leave Timer
Function: Specifies the number of milliseconds an interface waits after receiving a
leave message before the interface leaves the VLAN specified in the message.
Your Action: Type a number.

Leave All Timer
Function: Specifies the interval in milliseconds at which Leave All messages are sent
on interfaces. Leave All messages help to maintain current GVRP VLAN membership
information in the network.
Your Action: Type a number.

Disable GVRP
Function: Disables GVRP on all interfaces.
Your Action: To disable GVRP, select the check box. To enable GVRP, clear the check
box.

Related Topics

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Monitoring GVRP on page 567

Configuring Redundant Trunk Groups (J-Web Procedure)


A redundant trunk link provides a simple solution for network recovery when a trunk
interface goes down. Traffic is redirected to another trunk interface, keeping network
convergence time to a minimum. You can configure redundant trunk groups (RTGs)
with a primary link and a secondary link on trunk interfaces, or configure dynamic
selection of the active interface. If the primary link fails, the secondary link
automatically takes over without waiting for normal STP convergence. An RTG can
be created only if the following conditions are satisfied:

A minimum of two trunk interfaces that are not part of any RTG are available.

All the selected trunk interfaces to be added to the RTG have the same VLAN
configuration.

The selected trunk interfaces are not part of a spanning-tree configuration.

To configure an RTG using the J-Web interface:

1. From the Configure menu, select Switching > RTG.

The RTG Configuration page displays a list of existing RTGs. If you select a specific RTG, the details of the selected RTG are displayed in the Details of group section.

2. Click one:

Add: Creates an RTG.

Edit: Modifies an RTG.

Delete: Deletes an RTG.

When you are adding or editing an RTG, enter information as described in Table 73 on page 557.

3. Click OK to apply changes to the configuration or click Cancel to cancel without saving changes.

Table 73: RTG Configuration Fields

Field | Function | Your Action

Group Name | Specifies a unique name for the RTG. | Enter a name.

Member Interface 1 | Specifies a logical interface containing multiple trunk interfaces. | Select a trunk interface from the list.

Member Interface 2 | Specifies a trunk interface containing multiple VLANs. | Select a trunk interface from the list.

Select Primary Interface | Enables you to specify one of the interfaces in the RTG as the primary link. The interface without this option is the secondary link in the RTG. | 1. Select the option button. 2. Select the primary interface.

Dynamically select my active interface | Specifies that the system dynamically selects the active interface. | Select the option button.

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Related Topics

Example: Configuring Redundant Trunk Links for Faster Recovery on page 523

Understanding Redundant Trunk Links on EX Series Switches on page 473

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)

An Ethernet switching access interface on an EX Series switch might shut down or be disabled as a result of one of the following port-security or storm-control configurations:

MAC limiting: The mac-limit statement is configured with action shutdown.

MAC move limiting: The mac-move-limit statement is configured with action shutdown.

Storm control: The storm-control statement is configured with the action shutdown.

You can configure the switch to automatically restore the disabled interfaces to service
after a specified period of time. Autorecovery applies to all the interfaces that have
been disabled due to MAC limiting, MAC move limiting, or storm control errors.

NOTE: You must specify the disable timeout value for the interfaces to recover
automatically. There is no default disable timeout. If you do not specify a timeout
value, you need to use the clear ethernet-switching port-error command to clear the
errors and restore the interfaces or the specified interface to service.
To configure autorecovery from the disabled state due to MAC limiting, MAC move
limiting, or storm control shutdown actions:
[edit ethernet-switching-options]
user@switch# set port-error-disable disable-timeout 60

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Configuring MAC Limiting (CLI Procedure) on page 1165

Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 1076

Understanding Storm Control on EX Series Switches on page 475

Chapter 31

Verifying Layer 2 Bridging, VLANs, and GVRP

Verifying That a Series of Tagged VLANs Has Been Created on page 559

Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 561

Verifying That Q-in-Q Tunneling Is Working on page 562

Verifying That a Private VLAN Is Working on page 562

Verifying That Virtual Routing Instances Are Working on page 564

Verifying That the Port Error Disable Setting Is Working Correctly on page 565

Monitoring Ethernet Switching on page 566

Monitoring GVRP on page 567

Verifying That a Series of Tagged VLANs Has Been Created


Purpose

Verify that a series of tagged VLANs is created on the switch.

Action

Display the VLANs in the ascending order of their VLAN ID:

user@switch> show vlans sort-by tag
Name              Tag   Interfaces
__employee_120__  120   ge-0/0/22.0*
__employee_121__  121   ge-0/0/22.0*
__employee_122__  122   ge-0/0/22.0*
__employee_123__  123   ge-0/0/22.0*
__employee_124__  124   ge-0/0/22.0*
__employee_125__  125   ge-0/0/22.0*
__employee_126__  126   ge-0/0/22.0*
__employee_127__  127   ge-0/0/22.0*
__employee_128__  128   ge-0/0/22.0*
__employee_129__  129   ge-0/0/22.0*
__employee_130__  130   ge-0/0/22.0*

Display the VLANs by the alphabetical order of the VLAN name:

user@switch> show vlans sort-by name
Name              Tag   Interfaces
__employee_120__  120   ge-0/0/22.0*
__employee_121__  121   ge-0/0/22.0*
__employee_122__  122   ge-0/0/22.0*
__employee_123__  123   ge-0/0/22.0*
__employee_124__  124   ge-0/0/22.0*
__employee_125__  125   ge-0/0/22.0*
__employee_126__  126   ge-0/0/22.0*
__employee_127__  127   ge-0/0/22.0*
__employee_128__  128   ge-0/0/22.0*
__employee_129__  129   ge-0/0/22.0*
__employee_130__  130   ge-0/0/22.0*

Display the VLANs by specifying the VLAN-range name (here, the VLAN-range name is employee):

user@switch> show vlans employee
Name              Tag   Interfaces
__employee_120__  120   ge-0/0/22.0*
__employee_121__  121   ge-0/0/22.0*
__employee_122__  122   ge-0/0/22.0*
__employee_123__  123   ge-0/0/22.0*
__employee_124__  124   ge-0/0/22.0*
__employee_125__  125   ge-0/0/22.0*
__employee_126__  126   ge-0/0/22.0*
__employee_127__  127   ge-0/0/22.0*
__employee_128__  128   ge-0/0/22.0*
__employee_129__  129   ge-0/0/22.0*
__employee_130__  130   ge-0/0/22.0*

Meaning

The sample output shows the VLANs configured on the switch. The series of tagged VLANs is displayed: __employee_120__ through __employee_130__. Each of the tagged VLANs is configured on the trunk interface ge-0/0/22.0. The asterisk (*) beside the interface name indicates that the interface is UP.

When a series of VLANs is created using the vlan-range statement, the VLAN names are prefixed and suffixed with a double underscore.
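Reading eleven rows by eye is fine once; the same check can be scripted. The following Python is an added example, not from the Juniper guide: it parses a constructed copy of the show vlans sort-by tag output in the Name / Tag / Interfaces layout shown above and reports gaps in the series, VLANs whose name does not follow the __range_tag__ pattern the guide describes, VLANs not carried on the expected trunk, and member interfaces without the trailing asterisk (not UP). It assumes one row per VLAN; reading several interfaces on one row as a comma-separated list is an assumption of this script, not something the guide shows.

```python
"""Check that a vlan-range produced every expected tagged VLAN.

Added example, not from the Juniper guide: parses a constructed copy of
`show vlans sort-by tag` output in the Name / Tag / Interfaces layout
and reports gaps in the series, misnamed VLANs, VLANs that are not
carried on the expected trunk, and member interfaces that are not UP
(no trailing asterisk). Assumes one row per VLAN; a comma-separated
list of interfaces on a row is an assumption of this script.
"""
import re

# Constructed sample, deliberately imperfect: tag 124 is missing, 123's
# member is down, and 126 sits on a different trunk than the others.
SAMPLE_OUTPUT = """\
Name              Tag   Interfaces
__employee_120__  120   ge-0/0/22.0*
__employee_121__  121   ge-0/0/22.0*
__employee_122__  122   ge-0/0/22.0*
__employee_123__  123   ge-0/0/22.0
__employee_125__  125   ge-0/0/22.0*, ge-0/0/23.0*
__employee_126__  126   ge-0/0/23.0*
"""

# A data row is: name, numeric tag, then the rest of the line.
ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<tag>\d+)\s+(?P<ifaces>.+?)\s*$")


def parse_vlans(output):
    """Return {tag: (name, [(interface, is_up), ...])}."""
    vlans = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # the header line has no numeric tag
        members = []
        for token in m.group("ifaces").split(","):
            token = token.strip()
            # The asterisk described in the guide marks an UP interface.
            members.append((token.rstrip("*"), token.endswith("*")))
        vlans[int(m.group("tag"))] = (m.group("name"), members)
    return vlans


def check_series(output, range_name, first, last, trunk):
    """Audit the series range_name first..last against the expected trunk."""
    vlans = parse_vlans(output)
    expected = {tag: f"__{range_name}_{tag}__" for tag in range(first, last + 1)}
    present = [tag for tag in expected if tag in vlans]
    return {
        "missing": [tag for tag in expected if tag not in vlans],
        "misnamed": [tag for tag in present if vlans[tag][0] != expected[tag]],
        "not_on_trunk": [
            tag for tag in present
            if trunk not in {iface for iface, _up in vlans[tag][1]}
        ],
        "down": [
            (tag, iface) for tag in present
            for iface, up in vlans[tag][1] if not up
        ],
    }


if __name__ == "__main__":
    report = check_series(SAMPLE_OUTPUT, "employee", 120, 126, "ge-0/0/22.0")
    for problem, items in report.items():
        print(f"{problem}: {items or 'none'}")
```

Run against the real command output (for example, saved from a terminal session), an empty report is the pass condition; anything under "missing" means the vlan-range did not produce every VLAN, and "down" lists members that lack the asterisk.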

Related Topics

Creating a Series of Tagged VLANs (CLI Procedure) on page 549

Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface


Purpose

Verify that a VLAN is forwarding all unknown unicast packets (those with unknown
destination MAC addresses) to a single trunk interface instead of flooding unknown
unicast packets across all interfaces that are members of the same VLAN.

Action

Display the forwarding interface for unknown unicast packets for a VLAN (here, the
VLAN name is v1):
user@switch> show configuration ethernet-switching-options
unknown-unicast-forwarding {
    vlan v1 {
        interface ge-0/0/7.0;
    }
}

Display the Ethernet switching table:

user@switch> show ethernet-switching table vlan v1
Ethernet-switching table: 3 unicast entries
  VLAN   MAC address         Type   Age   Interfaces
  v1     *                   Flood        All-members
  v1     00:01:09:00:00:00   Learn   24   ge-0/0/7.0
  v1     00:11:09:00:01:00   Learn   37   ge-0/0/3.0

Meaning

The sample output from the show configuration ethernet-switching-options command shows that the unknown unicast forwarding interface for VLAN v1 is interface ge-0/0/7. The show ethernet-switching table command shows that an unknown unicast packet is received on interface ge-0/0/3 with the destination MAC address (DMAC) 00:01:09:00:00:00 and the source MAC address (SMAC) of 00:11:09:00:01:00. This shows that the SMAC of the packet is learned in the normal way (through the interface ge-0/0/3.0), while the DMAC is learned on interface ge-0/0/7.


Related Topics

Configuring Unknown Unicast Forwarding (CLI Procedure) on page 555

Verifying That Q-in-Q Tunneling Is Working


Purpose

After creating a Q-in-Q VLAN, verify that it is set up properly.

Action

1. Use the show configuration vlans command to determine if you successfully created the primary and secondary VLAN configurations:

user@switch> show configuration vlans
svlan {
    vlan-id 300;
    dot1q-tunneling {
        customer-vlans [ 101-200 ];
    }
}

2. Use the show vlans command to view VLAN information and link status:

user@switch> show vlans s-vlan-name extensive
VLAN: svlan, Created at: Thu Oct 23 16:53:20 2008
802.1Q Tag: 300, Internal index: 2, Admin State: Enabled, Origin: Static
Dot1q Tunneling Status: Enabled
Customer VLAN ranges:
    101-200
Protocol: Port Mode
Number of interfaces: Tagged 1 (Active = 0), Untagged 1 (Active = 0)
    ge-0/0/1, tagged, trunk
    ge-0/0/2, untagged, access

Meaning

The output confirms that Q-in-Q tunneling is enabled and that the VLAN is tagged, and lists the customer VLANs that are associated with the tagged VLAN.

Related Topics

Configuring Q-in-Q Tunneling (CLI Procedure) on page 551

Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530

Verifying That a Private VLAN Is Working


Purpose

After creating and configuring private VLANs, verify they are set up properly.

Action

1. Use the show configuration vlans command to determine if you successfully created the primary and secondary VLAN configurations:

user@switch> show configuration vlans
community1 {
    interface {
        interface a;
        interface b;
    }
    primary-vlan pvlan;
}
community2 {
    interface {
        interface d;
        interface e;
    }
    primary-vlan pvlan;
}
pvlan {
    vlan-id 1000;
    interface {
        isolated1;
        isolated2;
        trunk1;
        trunk2;
    }
    no-local-switching;
}

2. Use the show vlans command to view VLAN information and link status:

user@switch> show vlans pvlan extensive
VLAN: pvlan, Created at: time
802.1Q Tag: vlan-id, Internal index: index-number, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0)
    trunk1, tagged, trunk
    interface a, untagged, access
    interface b, untagged, access
    interface c, untagged, access
    interface d, untagged, access
    interface e, untagged, access
    interface f, untagged, access
    trunk2, tagged, trunk
Secondary VLANs: Isolated 2, Community 2
  Isolated VLANs :
    __pvlan_pvlan_isolated1__
    __pvlan_pvlan_isolated2__
  Community VLANs :
    community1
    community2

3. Use the show ethernet-switching table vlan command to view logs for MAC learning on the VLANs:

user@switch> show ethernet-switching table vlan pvlan extensive
pvlan, *
  Interface(s): trunk1
  Interface(s): interface a
  Interface(s): interface b
  Interface(s): interface c
  Interface(s): interface d
  Interface(s): interface e
  Interface(s): interface f
  Interface(s): trunk2
  Type: Flood
  Nexthop index: 1344

Meaning

The output shows that the primary and secondary VLANs were created and associated and displays MAC learning information.

Related Topics

Creating a Private VLAN (CLI Procedure) on page 550

Example: Configuring a Private VLAN on an EX Series Switch on page 533

Verifying That Virtual Routing Instances Are Working


Purpose

After creating a virtual routing instance, make sure it is set up properly.

Action

1. Use the show route instance command to list all of the routing instances and their properties:

user@switch> show route instance
Instance              Type            Primary RIB                  Active/holddown/hidden
master                forwarding      inet.0                       3/0/0
__juniper_private1__  forwarding      __juniper_private1__.inet.0  1/0/3
__juniper_private2__  forwarding
instance1             forwarding
r1                    virtual-router  r1.inet.0                    1/0/0
r2                    virtual-router  r2.inet.0                    1/0/0

2. Use the show route forwarding-table command to view the forwarding table information for each routing instance:

user@switch> show route forwarding-table
Routing table: r1.inet
Internet:
Destination         Type  RtRef  Next hop     Type  Index  NhRef  Netif
default             perm      0               rjct    539      2
0.0.0.0/32          perm      0               dscd    537      1
103.1.1.0/24        ifdn      0               rslv    579      1  ge-0/0/3.0
103.1.1.0/32        iddn      0  103.1.1.0    recv    577         ge-0/0/3.0
103.1.1.1/32        user      0               rjct    539
103.1.1.1/32        intf      0  103.1.1.1    locl    578      2
103.1.1.1/32        iddn      0  103.1.1.1    locl    578      2
103.1.1.255/32      iddn      0  103.1.1.255  bcst    576      1  ge-0/0/3.0
224.0.0.0/4         perm      0               mdsc    538      1
224.0.0.1/32        perm      0  224.0.0.1    mcst    534      1
255.255.255.255/32  perm      0               bcst    535      1

Meaning

The output confirms that the virtual routing instances are created and the links are up and displays the routing table information.

Related Topics

Configuring Virtual Routing Instances (CLI Procedure) on page 552

Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches on page 538

Verifying That the Port Error Disable Setting Is Working Correctly


Purpose

Verify that the port error disable setting is working as expected on MAC limited, MAC move limited and rate-limited interfaces on an EX Series switch.

Action

Display information about interfaces:

user@switch> show ethernet-switching interfaces
Interface     State  VLAN members  Blocking
ge-0/0/0.0    up     T1122         unblocked
ge-0/0/1.0    down   default       MAC limit exceeded
ge-0/0/2.0    down   default       MAC move limit exceeded
ge-0/0/3.0    down   default       Storm control in effect
ge-0/0/4.0    down   default       unblocked
ge-0/0/5.0    down   default       unblocked
ge-0/0/6.0    down   default       unblocked
ge-0/0/7.0    down   default       unblocked
ge-0/0/8.0    down   default       unblocked
ge-0/0/9.0    up     T111          unblocked
ge-0/0/10.0   down   default       unblocked
ge-0/0/11.0   down   default       unblocked
ge-0/0/12.0   down   default       unblocked
ge-0/0/13.0   down   default       unblocked
ge-0/0/14.0   down   default       unblocked
ge-0/0/15.0   down   default       unblocked
ge-0/0/16.0   down   default       unblocked
ge-0/0/17.0   down   default       unblocked
ge-0/0/18.0   down   default       unblocked
ge-0/0/19.0   up     T111          unblocked
ge-0/1/0.0    down   default       unblocked
ge-0/1/1.0    down   default       unblocked
ge-0/1/2.0    down   default       unblocked
ge-0/1/3.0    down   default       unblocked

Meaning

The sample output from the show ethernet-switching interfaces command shows that three of the down interfaces specify the reason that the interface is disabled:

MAC limit exceeded: The interface is temporarily disabled due to a mac-limit error. The disabled interface is automatically restored to service when the disable-timeout expires.

MAC move limit exceeded: The interface is temporarily disabled due to a mac-move-limit error. The disabled interface is automatically restored to service when the disable-timeout expires.

Storm control in effect: The interface is temporarily disabled due to a storm-control error. The disabled interface is automatically restored to service when the disable-timeout expires.
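An interface that the switch has error-disabled is a security event worth alerting on, not just something to notice in a terminal. The following Python is an added example, not from the Juniper guide: it parses a constructed copy of the show ethernet-switching interfaces output in the Interface / State / VLAN members / Blocking layout shown above and maps each of the three Blocking reasons the guide lists back to the port-security or storm-control configuration that caused it. The sample rows are constructed, and the column layout is taken from the guide's output.

```python
"""Audit `show ethernet-switching interfaces` output for error-disabled ports.

Added example (not from the Juniper guide): parses a constructed copy of
the command output shown in the verification above and reports every
interface whose Blocking column names a port-security or storm-control
reason, so the condition can be alerted on instead of read by eye.
"""
import re

# Blocking-column values the guide lists for an interface that the switch
# disabled, mapped to the configuration statement that caused the shutdown.
# Anything else (for example "unblocked") is treated as healthy.
ERROR_REASONS = {
    "MAC limit exceeded": "mac-limit",
    "MAC move limit exceeded": "mac-move-limit",
    "Storm control in effect": "storm-control",
}

# Constructed sample output, shortened from the guide's example. The
# column layout (Interface, State, VLAN members, Blocking) follows the
# guide; the rows are sample data.
SAMPLE_OUTPUT = """\
Interface    State  VLAN members   Blocking
ge-0/0/0.0   up     T1122          unblocked
ge-0/0/1.0   down   default        MAC limit exceeded
ge-0/0/2.0   down   default        MAC move limit exceeded
ge-0/0/3.0   down   default        Storm control in effect
ge-0/0/4.0   down   default        unblocked
ge-0/0/9.0   up     T111           unblocked
"""

# State must be "up" or "down", which is what keeps the header from matching.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>up|down)\s+(?P<vlan>\S+)\s+(?P<blocking>.+?)\s*$"
)


def parse_interfaces(output):
    """Return a list of dicts, one per interface row, skipping the header."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def error_disabled(output):
    """Map interface name -> configuration cause for every disabled port."""
    result = {}
    for row in parse_interfaces(output):
        cause = ERROR_REASONS.get(row["blocking"])
        if cause is not None:
            result[row["iface"]] = cause
    return result


def inconsistent_rows(output):
    """Interfaces that report an error reason but are not 'down'.

    Such a row should not occur; flagging it catches a changed output
    format or a parsing slip instead of silently trusting the reason.
    """
    return [
        row["iface"]
        for row in parse_interfaces(output)
        if row["blocking"] in ERROR_REASONS and row["state"] != "down"
    ]


if __name__ == "__main__":
    for iface, cause in sorted(error_disabled(SAMPLE_OUTPUT).items()):
        print(f"{iface}: disabled by {cause}; recovers when disable-timeout "
              f"expires or after 'clear ethernet-switching port-error'")
    for iface in inconsistent_rows(SAMPLE_OUTPUT):
        print(f"{iface}: error reason on an interface that is not down, check parser")
```

The mapping in ERROR_REASONS is the link back to the configuration section above: a mac-limit or mac-move-limit cause points at the port-security configuration of that interface, and a storm-control cause at the storm-control configuration, which is where to look before the disable-timeout returns the interface to service.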
Related Topics

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

Monitoring Ethernet Switching


Purpose

Use the monitoring feature to view details that the EX Series switch maintains in its Ethernet switching table. These are details about the nodes on the LAN such as VLAN name, VLAN ID, member interfaces, MAC addresses, and so on.

Action

To display Ethernet switching details in the J-Web interface, select Monitor > Switching > Ethernet Switching.

To view Ethernet switching details in the CLI, enter the following commands:

show ethernet-switching table

show vlans

show ethernet-switching interfaces

Meaning

Table 74 on page 566 summarizes the Ethernet switching output fields.

Table 74: Ethernet Switching Output Fields

Field | Value

Ethernet Switching Table Information

MAC Table Count | The number of entries added to the Ethernet switching table.

MAC Table Learned | The number of dynamically learned MAC addresses in the Ethernet switching table.

Ethernet Switching Table Information

VLAN | The VLAN name.

MAC Address | The MAC address associated with the VLAN. If a VLAN range has been configured for a VLAN, the output displays the MAC addresses for the entire series of VLANs that were created with that name.

Type | The type of MAC address. Values are: static (the MAC address is manually created); learn (the MAC address is learned dynamically from a packet's source MAC address); flood (the MAC address is unknown and flooded to all members).

Age | The time remaining before the entry ages out and is removed from the Ethernet switching table.

MAC Learning Log

VLAN-Name | The VLAN name.

MAC Address | The learned MAC address associated with the VLAN ID.

Time | Timestamp for the time at which the MAC address was added or deleted from the MAC learning log.

State | Operating state of the interface. Values are Up and Down.

Related Topics

Configuring MAC Table Aging (CLI Procedure) on page 553

Understanding Bridging and VLANs on EX Series Switches on page 467

Monitoring GVRP

Purpose

Use the monitoring feature to view information about the GVRP configuration on the EX Series switch.

Action

To monitor GVRP in the J-Web interface, select Monitor > Switching > GVRP.

To monitor GVRP in the CLI, enter the following command:

show gvrp

Meaning

Table 75 on page 567 summarizes the GVRP output fields.

Table 75: Summary of GVRP Output Fields

Field | Value

Global GVRP Configuration

GVRP Status | Displays whether GVRP is enabled or disabled.

GVRP Timers | Join: The number of milliseconds the interfaces must wait before sending VLAN advertisements. Leave: The number of milliseconds an interface must wait after receiving a Leave message to remove the interface from the VLAN specified in the message. Leave All: The interval in milliseconds at which Leave All messages are sent on interfaces. Leave All messages maintain current GVRP VLAN membership information in the network.

GVRP Interface Details

Interface Name | The interface on which GVRP is configured.

Protocol Status | Displays whether GVRP is enabled or disabled on the interface.

Related Topics

Configuring GVRP (J-Web Procedure) on page 555

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Chapter 32

Troubleshooting Layer 2 Bridging, VLANs, and GVRP

Troubleshooting Ethernet Switching on page 569

Troubleshooting Ethernet Switching

Troubleshooting issues for Ethernet switching on EX Series switches:

MAC Address in the Switch's Ethernet Switching Table Is Not Updated After a MAC Address Move on page 569

MAC Address in the Switch's Ethernet Switching Table Is Not Updated After a MAC Address Move

Problem

Sometimes a MAC address entry in the switch's Ethernet switching table is not updated after the device with that MAC address has been moved from one interface to another on the switch. Typically, the switch does not wait for a MAC address expiration when a MAC move operation occurs. As soon as the switch detects the MAC address on the new interface, it immediately updates the table. Many network devices send a gratuitous ARP packet when switching an IP address from one device to another. The switch updates its ARP cache table after receipt of such gratuitous ARP messages, and then it also updates its Ethernet switching table. However, sometimes silent devices, such as SYSLOG servers or SNMP Trap receivers that receive UDP traffic but do not return acknowledgement (ACK) messages to the traffic source, do not send gratuitous ARP packets when a device moves. If such a move occurs when the system administrator is not available to explicitly clear the affected interfaces by issuing the clear ethernet-switching table command, the entry for the moved device in the Ethernet switching table is not updated.

Solution

Set up the switch to handle unattended MAC address switchovers.

1. Reduce the system-wide ARP aging timer. (By default, the ARP aging timer is set at 20 minutes. In JUNOS Release 9.4 and later, the range of the ARP aging timer is from 1 through 240 minutes.)

[edit system arp]
user@switch# set aging-timer 3

2. Set the MAC aging timer to the same value as the ARP timer. (By default, the MAC aging timer is set to 300 seconds. The range is 15 to 1,000,000 seconds.)

[edit vlans]
user@switch# set sales mac-table-aging-time 180

The ARP entry and the MAC address entry for the moved device expire within the times specified by the aging timer values. After the entries expire, the switch sends a new ARP message to the IP address of the device. The device responds to the ARP, thereby refreshing the entries in the switch's ARP cache table and Ethernet switching table.

Related Topics

arp

mac-table-aging-time

Chapter 33

Understanding Spanning Trees

Understanding STP for EX Series Switches on page 571

Understanding RSTP for EX Series Switches on page 572

Understanding MSTP for EX Series Switches on page 573

Understanding VSTP for EX Series Switches on page 574

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574

Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches on page 575

Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches on page 576

Understanding STP for EX Series Switches


Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention
through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), Multiple
Spanning Tree Protocol (MSTP), and VLAN Spanning Tree Protocol (VSTP). The default
spanning-tree protocol for EX Series switches is RSTP. RSTP provides faster
convergence times than STP. However, some legacy networks require the slower
convergence times of basic STP.
If your network includes 802.1D 1998 bridges, you can remove RSTP and explicitly
configure STP. See Configuring STP (CLI Procedure) on page 635. When you explicitly
configure STP, the EX Series switches use the IEEE 802.1D 2004 specification, force
version 0. This configuration runs a version of RSTP that is compatible with the
classic, basic STP. If you use VLANs, you should enable VSTP and use it on your
network. See Understanding VSTP for EX Series Switches on page 574.
You can use the same operational commands (show spanning-tree bridge and show
spanning-tree interface) to check the status of your spanning-tree configuration,
regardless of which spanning-tree protocol has been configured.
STP uses bridge protocol data unit (BPDU) packets to exchange information with
other switches. BPDUs send hello packets out at regular intervals to exchange
information across bridges and detect loops in a network topology. There are two
types of BPDUs:

Configuration BPDUs: Contain configuration information about the transmitting switch and its ports, including switch and port MAC addresses, switch priority, port priority, and port cost.

Topology Change Notification (TCN) BPDUs: When a bridge needs to signal a topology change, it starts to send TCNs on its root port. The designated bridge receives the TCN, acknowledges it, and generates another one for its own root port. The process continues until the TCN reaches the root bridge.

STP uses the information provided by the BPDUs to elect a root bridge, identify root
ports for each switch, identify designated ports for each physical LAN segment, and
prune specific redundant links to create a loop-free tree topology. All leaf devices
calculate the best path to the root device and place their ports in blocking or
forwarding states based on the best path to the root. The resulting tree topology
provides a single active Layer 2 data path between any two end stations.
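What the BPDU exchange converges on can be shown with a small model. The following Python is an added example, not from the Juniper guide and not switch code: the bridge IDs, link costs and four-switch topology are constructed sample values, and the comparison rules are the standard 802.1D ones the text summarizes (lowest bridge ID becomes the root; each non-root bridge picks the port with the lowest root path cost, breaking ties on the sending bridge ID and then on the sending port ID; a redundant link that is nobody's root port has its higher-cost end blocked). The example goes slightly beyond the text by computing, for the sample topology, which port ends up blocked.

```python
"""Spanning-tree root election, root-port selection and port blocking.

Added example, not from the Juniper guide: a plain-Python model of what
the BPDU exchange described above converges on. Bridge IDs, link costs
and the topology are constructed sample values; the comparison rules
are the standard 802.1D ones (lowest bridge ID becomes the root; each
non-root bridge picks the port with the lowest root path cost, breaking
ties on the sending bridge ID and then on the sending port ID).
"""

# Bridge ID = (priority, MAC). Tuples compare element by element, so the
# lowest priority wins and the lowest MAC breaks a priority tie.
BRIDGES = {
    "A": (32768, "00:00:00:00:00:0a"),
    "B": (32768, "00:00:00:00:00:0b"),
    "C": (32768, "00:00:00:00:00:0c"),
    "D": (32768, "00:00:00:00:00:0d"),
}

# Links as (bridge1, port1, bridge2, port2, cost); constructed sample
# topology. D reaches the root only through B or C at equal cost, so
# D's root port is decided by the bridge-ID tie-breaker.
LINKS = [
    ("A", 1, "B", 1, 4),
    ("A", 2, "C", 1, 4),
    ("B", 2, "D", 1, 4),
    ("C", 2, "D", 2, 4),
]


def neighbors(bridge, links=LINKS):
    """Yield (local_port, peer, peer_port, cost) for every link on a bridge."""
    for b1, p1, b2, p2, cost in links:
        if b1 == bridge:
            yield p1, b2, p2, cost
        elif b2 == bridge:
            yield p2, b1, p1, cost


def elect_root(bridges=BRIDGES):
    """The root bridge is the one with the lowest (priority, MAC)."""
    return min(bridges, key=bridges.get)


def root_path_costs(bridges=BRIDGES, links=LINKS):
    """Lowest root path cost for every bridge (Dijkstra over link costs)."""
    root = elect_root(bridges)
    costs = {root: 0}
    pending = {root}
    while pending:
        b = min(pending, key=costs.get)
        pending.remove(b)
        for _port, peer, _peer_port, cost in neighbors(b, links):
            if peer not in costs or costs[b] + cost < costs[peer]:
                costs[peer] = costs[b] + cost
                pending.add(peer)
    return costs


def root_port(bridge, bridges=BRIDGES, links=LINKS):
    """Port that gives the best path to the root; None on the root itself.

    Candidate BPDUs are ranked by (root path cost through that port,
    sending bridge ID, sending port ID); the lowest tuple wins.
    """
    if bridge == elect_root(bridges):
        return None
    costs = root_path_costs(bridges, links)
    best = None
    for port, peer, peer_port, cost in neighbors(bridge, links):
        key = (costs[peer] + cost, bridges[peer], peer_port)
        if best is None or key < best[0]:
            best = (key, port)
    return best[1]


def blocked_ports(bridges=BRIDGES, links=LINKS):
    """Ports STP leaves in blocking state so that no loop remains.

    A link that is nobody's root port has one designated end (the bridge
    with the lower root path cost, lower bridge ID on a tie) and one
    blocked end; every other link is part of the tree.
    """
    costs = root_path_costs(bridges, links)
    roots = {b: root_port(b, bridges, links) for b in bridges}
    blocked = set()
    for b1, p1, b2, p2, _cost in links:
        if roots[b1] == p1 or roots[b2] == p2:
            continue  # this link carries a root port, so it stays in the tree
        if (costs[b1], bridges[b1]) <= (costs[b2], bridges[b2]):
            blocked.add((b2, p2))
        else:
            blocked.add((b1, p1))
    return blocked


if __name__ == "__main__":
    root = elect_root()
    print("root bridge:", root, BRIDGES[root])
    for b in sorted(BRIDGES):
        print(f"{b}: root path cost {root_path_costs()[b]}, root port {root_port(b)}")
    print("blocked ports:", sorted(blocked_ports()))
```

Two things the model makes visible: with every priority left at the default, the root is simply the bridge with the lowest MAC address, which is why root election is a matter of deliberate priority configuration rather than chance; and a single blocked port (D's link to C in the sample) is what turns the square topology into the loop-free tree the text describes.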
Related Topics

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding VSTP for EX Series Switches on page 574

Understanding RSTP for EX Series Switches


Juniper Networks EX Series Ethernet Switches use Rapid Spanning Tree Protocol
(RSTP) to provide better reconvergence time than the original STP. RSTP identifies
certain links as point to point. When a point-to-point link fails, the alternate link can
transition to the forwarding state.
Although STP provides basic loop prevention functionality, it does not provide fast
network convergence when there are topology changes. STP's process to determine
network state transitions is slower than RSTP's because it is timer-based. A device
must reinitialize every time a topology change occurs. The device must start in the
listening state and transition to the learning state and eventually to a forwarding or
blocking state. When default values are used for the maximum age (20 seconds) and
forward delay (15 seconds), it takes 50 seconds for the device to converge. RSTP
converges faster because it uses a handshake mechanism based on point-to-point
links instead of the timer-based process used by STP.
For networks with VLANs, you can use VLAN Spanning Tree Protocol (VSTP), which
takes the paths of each VLAN into account when calculating routes. VSTP uses RSTP
by default.
An RSTP domain running on an EX Series switch has the following components:

A root port, which is the best path to the root device.

A designated port, indicating that the switch is the designated bridge for the other switch connecting to this port.

An alternate port, which provides an alternate root port.

A backup port, which provides an alternate designated port.

Port assignments change through messages exchanged throughout the domain. An RSTP device generates configuration messages once every hello time interval. If an RSTP device does not receive a configuration message from its neighbor after an interval of three hello times, it determines it has lost connection with that neighbor. When a root port or a designated port fails on a device, the device generates a configuration message with the proposal bit set. Once its neighbor device receives this message, it verifies that this configuration message is better than the one saved for that port and then it starts a synchronizing operation to ensure that all of its ports are in sync with the new information.

Similar waves of proposal agreement handshake messages propagate toward the leaves of the network, restoring the connectivity very quickly after a topology change (in a well-designed network that uses RSTP, network convergence can take as little as 0.5 seconds). If a device does not receive an agreement to a proposal message it has sent, it returns to the original IEEE 802.1D convention.

RSTP was originally defined in the IEEE 802.1w draft specification and later incorporated into the IEEE 802.1D-2004 specification.

VSTP uses RSTP as the protocol on a per-VLAN basis.
Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579

Understanding STP for EX Series Switches on page 571

Understanding MSTP for EX Series Switches on page 573

Understanding VSTP for EX Series Switches on page 574

Understanding MSTP for EX Series Switches

Although RSTP provides faster convergence time than STP, it still does not solve a problem inherent in STP: All VLANs within a LAN must share the same spanning tree. To solve this problem, Juniper Networks EX Series Ethernet Switches use Multiple Spanning Tree Protocol (MSTP) to create a loop-free topology in networks with multiple spanning-tree regions.

An MSTP region allows a group of bridges to be modeled as a single bridge. An MSTP region contains multiple spanning tree instances (MSTIs). MSTIs provide different paths for different VLANs. This functionality facilitates better load sharing across redundant links.

An MSTP region can support up to 64 MSTIs, and each instance can support anywhere from 1 through 4094 VLANs.

MSTP was originally defined in the IEEE 802.1s draft specification and later incorporated into the IEEE 802.1Q-2003 specification.
Related Topics

Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593

Understanding STP for EX Series Switches on page 571

Understanding RSTP for EX Series Switches on page 572

Understanding VSTP for EX Series Switches


VLAN Spanning Tree Protocol (VSTP) allows Juniper Networks EX Series Ethernet
Switches to run one or more STP or RSTP instances for each VLAN on which VSTP
is enabled. For networks with multiple VLANs, this enables more intelligent tree
spanning, because each VLAN can have interfaces enabled or disabled depending
on the paths available to that specific VLAN.
By default, VSTP runs RSTP, but you cannot have both standalone RSTP and VSTP
running simultaneously on a switch. VSTP can be enabled for up to 253 VLANs.

NOTE: We recommend that you enable VSTP on all VLANs that could receive VSTP
bridge protocol data units (BPDUs).
Related Topics

Understanding STP for EX Series Switches on page 571

Understanding RSTP for EX Series Switches on page 572

vstp

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention
through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN
Spanning Tree Protocol (VSTP), and Multiple Spanning Tree Protocol (MSTP). BPDU
protection can help prevent STP misconfigurations that can lead to network outages.
A loop-free network is supported through the exchange of a special type of frame
called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in
an STP, RSTP, VSTP, or MSTP topology, however, can lead to network outages. Enable
BPDU protection on those interfaces to prevent these outages.
Peer STP applications running on the switch interfaces use BPDUs to communicate.
Ultimately, the exchange of BPDUs determines which interfaces block traffic and
which interfaces become root ports and forward traffic.
However, a user bridge application running on a PC can also generate BPDUs. If
these BPDUs are picked up by STP applications running on the switch, they can
trigger STP miscalculations, and those miscalculations can lead to network outages.
Enable BPDU protection on switch interfaces connected to user devices or on
interfaces on which no BPDUs are expected, such as edge ports. If BPDUs are received
on a protected interface, the interface is disabled and stops forwarding frames.
Not only can you configure BPDU protection on a switch with a spanning tree, but
also on a switch without a spanning tree. This type of topology typically consists of
a non-STP switch connected to an STP switch through a trunk interface.
To configure BPDU protection on a switch with a spanning tree, include the bpdu-block-on-edge statement at the [edit protocols (stp | mstp | rstp)] hierarchy level.

To configure BPDU protection on a switch without a spanning tree, include the bpdu-block statement at the [edit ethernet-switching-options interface interface-name] hierarchy level.
After the misconfiguration that triggered the BPDUs being sent to an interface is
fixed in the topology, the interface can be unblocked in one of two ways:

If the disable-timeout statement has been included in the BPDU configuration,
the interface automatically returns to service after the timer expires.

Use the operational mode command clear ethernet-switching bpdu-error.

Disabling the BPDU protection configuration does not unblock the interface.
Related Topics

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 619

Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches on page 575

Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches on page 576

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding VSTP for EX Series Switches on page 574

Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches
Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention
through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN
Spanning Tree Protocol (VSTP), and Multiple Spanning Tree Protocol (MSTP). Loop
protection increases the efficiency of STP, RSTP, and MSTP by preventing ports from
moving into a forwarding state that would result in a loop opening up in the network.
A loop-free network in spanning-tree topologies is supported through the exchange
of a special type of frame called bridge protocol data unit (BPDU). Peer STP
applications running on the switch interfaces use BPDUs to communicate. Ultimately,
the exchange of BPDUs determines which interfaces block traffic (preventing loops)
and which interfaces become root ports and forward traffic.
However, a blocking interface can transition to the forwarding state in error if the
interface stops receiving BPDUs from its designated port on the segment. Such a
transition error can occur when there is a hardware error on the switch or software
configuration error between the switch and its neighbor.
When loop protection is enabled, the spanning-tree topology detects root ports and
blocked ports and makes sure both keep receiving BPDUs. If a loop-protection-enabled
interface stops receiving BPDUs from its designated port, it reacts as it would react
to a problem with the physical connection on this interface. It doesn't transition the
interface to a forwarding state, but instead transitions it to a loop-inconsistent state.
The interface recovers and then it transitions back to the spanning-tree blocking state
as soon as it receives a BPDU.
We recommend that you enable loop protection on all switch interfaces that have a
chance of becoming root or designated ports. Loop protection is most effective when
enabled in the entire switched network. When you enable loop protection, you must
configure at least one action (alarm, block, or both).
An interface can be configured for either loop protection or root protection, but not
for both.
Related Topics

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches on page 576

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding VSTP for EX Series Switches on page 574

Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches
Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention
through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN
Spanning Tree Protocol (VSTP), and Multiple Spanning Tree Protocol (MSTP). A
loop-free network is supported through the exchange of a special type of frame called
bridge protocol data unit (BPDU). Peer STP applications running on the switch
interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines
which interfaces block traffic and which interfaces become root ports and forward
traffic.
However, a root port elected through this process has the possibility of being wrongly
elected. A user bridge application running on a PC can generate BPDUs, too, and
interfere with root port election. Root protection allows network administrators to
manually enforce the root bridge placement in the network.
Enable root protection on interfaces that should not receive superior BPDUs from
the root bridge and should not be elected as the root port. These interfaces become
designated ports and are typically located on an administrative boundary. If the
bridge receives superior STP BPDUs on a port that has root protection enabled, that
port transitions to a root-prevented STP state (inconsistency state) and the interface
is blocked. This blocking prevents a bridge that should not be the root bridge from
being elected the root bridge. After the bridge stops receiving superior STP BPDUs
on the interface with root protection, the interface returns to a listening state, followed
by a learning state, and ultimately back to a forwarding state. Recovery back to the
forwarding state is automatic.
When root protection is enabled on an interface, it is enabled for all the STP instances
on that interface. The interface is blocked only for instances for which it receives
superior BPDUs. Otherwise, it participates in the spanning-tree topology.
An interface can be configured for either root protection or loop protection, but not
for both.
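The three mechanisms described in this section and the two preceding ones (BPDU protection, loop protection and root protection) all turn on what a port does with a received BPDU, and root protection in particular depends on recognising a "superior" BPDU. The following Python model is an added example, not code from the JUNOS guide or from the switch software. Bridge IDs use the priority.mac form shown in this guide's show spanning-tree interface output; the superior-BPDU test uses the IEEE 802.1D priority vector (root ID, root path cost, sender bridge ID, sender port ID); the port state names and the simplified state machine are assumptions made for illustration, and the interface names and the bridge with priority 4096 are constructed values.

```python
"""Model of the BPDU, loop and root protection behaviour described above.

Added example, not code from the JUNOS guide or the switch software.
Bridge IDs use the priority.mac form shown in this guide's show spanning-tree
interface output; the "superior BPDU" test uses the IEEE 802.1D priority
vector; the port state names and the simplified state machine are assumptions
made for illustration.
"""
from dataclasses import dataclass
from typing import Tuple


def parse_bridge_id(text: str) -> Tuple[int, int]:
    """'16384.0019e25040e0' -> (16384, 0x0019e25040e0); the lower value wins."""
    prio, mac = text.split(".")
    return int(prio), int(mac, 16)


@dataclass(frozen=True)
class Bpdu:
    root_id: str      # bridge ID the sender believes is the root
    root_cost: int    # sender's path cost to that root
    sender_id: str    # sender's own bridge ID
    sender_port: int  # sender's port number (513 for port ID 128:513)

    def priority_vector(self):
        # 802.1D compares these fields left to right; the smaller vector wins
        return (parse_bridge_id(self.root_id), self.root_cost,
                parse_bridge_id(self.sender_id), self.sender_port)


def is_superior(received: Bpdu, held: Bpdu) -> bool:
    """True if the received BPDU beats the information the port holds; this is
    the BPDU that could re-elect the root and that root protection refuses."""
    return received.priority_vector() < held.priority_vector()


@dataclass
class Port:
    name: str
    held: Bpdu                   # best BPDU the port currently holds
    bpdu_protect: bool = False   # bpdu-block-on-edge / bpdu-block
    root_protect: bool = False
    loop_protect: bool = False
    state: str = "forwarding"

    def __post_init__(self):
        # the guide allows loop protection or root protection, never both
        if self.root_protect and self.loop_protect:
            raise ValueError(f"{self.name}: loop and root protection are exclusive")

    def receive(self, bpdu: Bpdu) -> str:
        """Apply the protection rules to one received BPDU; return the new state."""
        if self.bpdu_protect:
            self.state = "disabled"           # no BPDU is expected on an edge port
        elif self.root_protect and is_superior(bpdu, self.held):
            self.state = "root-inconsistent"  # sender must not become the root
        elif self.state == "root-inconsistent":
            self.state = "forwarding"         # superior BPDUs stopped: recovers
        elif self.state == "loop-inconsistent":
            self.state = "blocking"           # BPDUs are back: return to blocking
        return self.state

    def bpdus_timed_out(self) -> str:
        """The designated port on the segment has gone quiet."""
        if self.state == "blocking":
            # without loop protection a quiet segment opens the port (the loop risk)
            self.state = "loop-inconsistent" if self.loop_protect else "forwarding"
        return self.state

    def clear_bpdu_error(self) -> str:
        """clear ethernet-switching bpdu-error, or disable-timeout expiry."""
        if self.state == "disabled":
            self.state = "forwarding"
        return self.state


# Constructed values: the root bridge of the RSTP example later in this chapter
# (priority 8k) and a bridge that appears with a better priority than anything
# in the design, as a user bridge application on a PC could.
ROOT_ID = "8192.0019e25051e0"
LEGIT = Bpdu(ROOT_ID, root_cost=1000, sender_id="16384.0019e25040e0", sender_port=525)
BETTER = Bpdu("4096.00aabbccddee", root_cost=0, sender_id="4096.00aabbccddee", sender_port=1)


def demo() -> dict:
    """Walk each protection through the events the text describes."""
    edge = Port("ge-0/0/5.0", held=LEGIT, bpdu_protect=True)
    boundary = Port("ge-0/0/13.0", held=LEGIT, root_protect=True)
    alt = Port("ge-0/0/9.0", held=LEGIT, loop_protect=True, state="blocking")
    results = {"edge_after_bpdu": edge.receive(LEGIT)}
    edge.bpdu_protect = False                        # removing the configuration alone
    results["edge_after_unconfigure"] = edge.state   # does not unblock the port
    results["edge_after_clear"] = edge.clear_bpdu_error()
    results["boundary_after_better"] = boundary.receive(BETTER)
    results["boundary_after_legit"] = boundary.receive(LEGIT)
    results["alt_after_timeout"] = alt.bpdus_timed_out()
    results["alt_after_bpdu"] = alt.receive(LEGIT)
    return results


if __name__ == "__main__":
    for event, state in demo().items():
        print(f"{event:24s} {state}")
```

The model keeps the port's held information fixed so that the comparison is visible; a real bridge would also adopt a superior BPDU on an unprotected port, which is exactly the re-election that root protection exists to prevent.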
Related Topics

Example: Configuring Root Protection to Enforce Root Bridge Placement in
Spanning Trees on EX Series Switches on page 628

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 619

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding VSTP for EX Series Switches on page 574


Chapter 34

Examples of Configuring Spanning Trees

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Example: Configuring Network Regions for VLANs with MSTP on EX Series
Switches on page 593

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 619

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Example: Configuring Root Protection to Enforce Root Bridge Placement in
Spanning Trees on EX Series Switches on page 628

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches
EX Series switches use Rapid Spanning Tree Protocol (RSTP) to provide a loop-free
topology. RSTP identifies certain links as point to point. When a point-to-point link
fails, the alternate link can transition to the forwarding state. RSTP provides better
reconvergence time than original STP because it uses protocol handshake messages
rather than fixed timeouts. Eliminating the need to wait for timers to expire makes
RSTP more efficient than STP.
This example describes how to configure RSTP on four EX Series switches:

Requirements on page 580

Overview and Topology on page 580

Configuring RSTP on Switch 1 on page 582

Configuring RSTP on Switch 2 on page 584

Configuring RSTP on Switch 3 on page 587

Configuring RSTP on Switch 4 on page 589

Verification on page 592


Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

Four EX Series switches

Before you configure the switches for RSTP, be sure you have:

Installed the four switches. See Connecting and Configuring an EX Series Switch
(J-Web Procedure) on page 81.

Performed the initial software configuration on all switches. See Installing and
Connecting an EX3200 or EX4200 Switch.

Overview and Topology


In this example, four EX Series switches are connected in the topology displayed in
Figure 32 on page 580 to create a loop-free topology.
Figure 32: Network Topology for RSTP

The interfaces shown in Table 76 on page 581 will be configured for RSTP.


NOTE: You can configure RSTP on logical or physical interfaces. This example shows
RSTP configured on logical interfaces.

Table 76: Components of the Topology for Configuring RSTP on EX Series Switches

Property                Settings

Switch 1                The following ports on Switch 1 are connected in this way:
                        ge-0/0/9 is connected to Switch 2
                        ge-0/0/13 is connected to Switch 4
                        ge-0/0/11 is connected to Switch 3

Switch 2                The following ports on Switch 2 are connected in this way:
                        ge-0/0/14 is connected to Switch 1
                        ge-0/0/18 is connected to Switch 3

Switch 3                The following ports on Switch 3 are connected in this way:
                        ge-0/0/26 is connected to Switch 1
                        ge-0/0/28 is connected to Switch 2
                        ge-0/0/24 is connected to Switch 4

Switch 4                The following ports on Switch 4 are connected in this way:
                        ge-0/0/19 is connected to Switch 1
                        ge-0/0/23 is connected to Switch 3

VLAN names and tag IDs  voice-vlan, tag 10
                        employee-vlan, tag 20
                        guest-vlan, tag 30
                        camera-vlan, tag 40

This configuration example creates a loop-free topology between four EX Series
switches using RSTP.
An RSTP topology contains ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.

The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.

The designated port forwards data to the downstream network segment or
device.

The backup port is a backup port for the designated port. When a designated
port goes down, the backup port becomes the active designated port and starts
forwarding data.


NOTE: You also can create a loop-free topology between the aggregation layer and
the distribution layer using redundant trunk links. For more information about
configuring redundant trunk links, see Example: Configuring Redundant Trunk Links
for Faster Recovery on page 523.

Configuring RSTP on Switch 1


To configure RSTP on Switch 1, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 1, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k
set protocols rstp interface ge-0/0/13.0 cost 1000
set protocols rstp interface ge-0/0/13.0 mode point-to-point
set protocols rstp interface ge-0/0/9.0 cost 1000
set protocols rstp interface ge-0/0/9.0 mode point-to-point
set protocols rstp interface ge-0/0/11.0 cost 1000
set protocols rstp interface ge-0/0/11.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 1:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch1# set voice-vlan description "Voice VLAN"
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description "Employee VLAN"
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description "Guest VLAN"
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description "Camera VLAN"
user@switch1# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch1# set rstp bridge-priority 16k
user@switch1# set rstp interface ge-0/0/13.0 cost 1000
user@switch1# set rstp interface ge-0/0/13.0 mode point-to-point
user@switch1# set rstp interface ge-0/0/9.0 cost 1000
user@switch1# set rstp interface ge-0/0/9.0 mode point-to-point
user@switch1# set rstp interface ge-0/0/11.0 cost 1000
user@switch1# set rstp interface ge-0/0/11.0 mode point-to-point

Results

Check the results of the configuration:

user@switch1> show configuration
interfaces {
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 16k;
        interface ge-0/0/13.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/9.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/11.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring RSTP on Switch 2


To configure RSTP on Switch 2, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 2, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 32k
set protocols rstp interface ge-0/0/14.0 cost 1000
set protocols rstp interface ge-0/0/14.0 mode point-to-point
set protocols rstp interface ge-0/0/18.0 cost 1000
set protocols rstp interface ge-0/0/18.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 2:


1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch2# set voice-vlan description "Voice VLAN"
user@switch2# set voice-vlan vlan-id 10
user@switch2# set employee-vlan description "Employee VLAN"
user@switch2# set employee-vlan vlan-id 20
user@switch2# set guest-vlan description "Guest VLAN"
user@switch2# set guest-vlan vlan-id 30
user@switch2# set camera-vlan description "Camera VLAN"
user@switch2# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch2# set rstp bridge-priority 32k
user@switch2# set rstp interface ge-0/0/14.0 cost 1000
user@switch2# set rstp interface ge-0/0/14.0 mode point-to-point
user@switch2# set rstp interface ge-0/0/18.0 cost 1000
user@switch2# set rstp interface ge-0/0/18.0 mode point-to-point


Results

Check the results of the configuration:


user@switch2> show configuration
interfaces {
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 32k;
        interface ge-0/0/14.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/18.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}


Configuring RSTP on Switch 3


To configure RSTP on Switch 3, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 3, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 8k
set protocols rstp interface ge-0/0/26.0 cost 1000
set protocols rstp interface ge-0/0/26.0 mode point-to-point
set protocols rstp interface ge-0/0/28.0 cost 1000
set protocols rstp interface ge-0/0/28.0 mode point-to-point
set protocols rstp interface ge-0/0/24.0 cost 1000
set protocols rstp interface ge-0/0/24.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 3:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch3# set voice-vlan description "Voice VLAN"
user@switch3# set voice-vlan vlan-id 10
user@switch3# set employee-vlan description "Employee VLAN"
user@switch3# set employee-vlan vlan-id 20
user@switch3# set guest-vlan description "Guest VLAN"
user@switch3# set guest-vlan vlan-id 30
user@switch3# set camera-vlan description "Camera VLAN"
user@switch3# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch3# set rstp bridge-priority 8k
user@switch3# set rstp interface ge-0/0/26.0 cost 1000
user@switch3# set rstp interface ge-0/0/26.0 mode point-to-point
user@switch3# set rstp interface ge-0/0/28.0 cost 1000
user@switch3# set rstp interface ge-0/0/28.0 mode point-to-point
user@switch3# set rstp interface ge-0/0/24.0 cost 1000
user@switch3# set rstp interface ge-0/0/24.0 mode point-to-point

Results

Check the results of the configuration:

user@switch3> show configuration
interfaces {
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 8k;
        interface ge-0/0/26.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/28.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/24.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring RSTP on Switch 4


To configure RSTP on Switch 4, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 4, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k
set protocols rstp interface ge-0/0/23.0 cost 1000
set protocols rstp interface ge-0/0/23.0 mode point-to-point
set protocols rstp interface ge-0/0/19.0 cost 1000
set protocols rstp interface ge-0/0/19.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 4:


1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch4# set voice-vlan description "Voice VLAN"
user@switch4# set voice-vlan vlan-id 10
user@switch4# set employee-vlan description "Employee VLAN"
user@switch4# set employee-vlan vlan-id 20
user@switch4# set guest-vlan description "Guest VLAN"
user@switch4# set guest-vlan vlan-id 30
user@switch4# set camera-vlan description "Camera VLAN"
user@switch4# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch4# set rstp bridge-priority 16k
user@switch4# set rstp interface all cost 1000
user@switch4# set rstp interface ge-0/0/23.0 cost 1000
user@switch4# set rstp interface ge-0/0/23.0 mode point-to-point
user@switch4# set rstp interface ge-0/0/19.0 cost 1000
user@switch4# set rstp interface ge-0/0/19.0 mode point-to-point

Results

Check the results of the configuration:


user@switch4> show configuration
interfaces {
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 16k;
        interface ge-0/0/23.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/19.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}


Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying RSTP Configuration on Switch 1 on page 592

Verifying RSTP Configuration on Switch 2 on page 592

Verifying RSTP Configuration on Switch 3 on page 593

Verifying RSTP Configuration on Switch 4 on page 593

Verifying RSTP Configuration on Switch 1

Purpose
Verify the RSTP configuration on Switch 1.

Action
Use the operational mode command:
user@switch1> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port   State  Role
                       port ID      bridge ID           Cost
ge-0/0/13.0  128:527   128:525      16384.0019e25040e0  1000   BLK    ALT
ge-0/0/9.0   128:529   128:513      32768.0019e2503d20  1000   BLK    ALT
ge-0/0/11.0  128:531   128:513      8192.0019e25051e0   1000   FWD    ROOT

Meaning
Refer to the topology in Figure 32 on page 580. The operational mode command show
spanning-tree interface shows that ge-0/0/13.0 is in a forwarding state. The other
interfaces on Switch 1 are blocking.

Verifying RSTP Configuration on Switch 2

Purpose
Verify the RSTP configuration on Switch 2.

Action
Use the operational mode command:
user@switch2> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port   State  Role
                       port ID      bridge ID           Cost
ge-0/0/14.0  128:513   128:513      32768.0019e2503d20  1000   BLK    DESG
ge-0/0/18.0  128:519   128:515      8192.0019e25051e0   1000   FWD    ROOT

Meaning
Refer to the topology in Figure 32 on page 580. The operational mode command show
spanning-tree interface shows that ge-0/0/18.0 is in a forwarding state and the root
port. The other interface on Switch 2 is blocking.


Verifying RSTP Configuration on Switch 3

Purpose
Verify the RSTP configuration on Switch 3.

Action
Use the operational mode commands:
user@switch3> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port   State  Role
                       port ID      bridge ID           Cost
ge-0/0/26.0  128:513   128:513      8192.0019e25051e0   1000   FWD    DESG
ge-0/0/28.0  128:515   128:515      8192.0019e25051e0   1000   FWD    DESG
ge-0/0/24.0  128:517   128:517      8192.0019e25051e0   1000   FWD    DESG

Meaning
Refer to the topology in Figure 32 on page 580. The operational mode command show
spanning-tree interface shows that no interface is the root interface.

Verifying RSTP Configuration on Switch 4

Purpose
Verify the RSTP configuration on Switch 4.

Action
Use the operational mode commands:
user@switch4> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port   State  Role
                       port ID      bridge ID           Cost
ge-0/0/23.0  128:523   128:517      8192.0019e25051e0   1000   FWD    ROOT
ge-0/0/19.0  128:525   128:525      16384.0019e25040e0  1000   FWD    DESG

Meaning
Refer to the topology in Figure 32 on page 580. The operational mode command show
spanning-tree interface shows that interface ge-0/0/23.0 is the root interface and
forwarding.
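Reading the four port tables above by eye works for four switches; on a larger network a practitioner would check them mechanically. The following Python script is an added example, not code from the JUNOS guide: it parses show spanning-tree interface output, identifies the elected root bridge from the designated bridge IDs, confirms that it is the bridge the design intends (Switch 3, 8192.0019e25051e0, the switch given bridge-priority 8k), and checks that root and alternate ports are in the states RSTP requires of them. The first sample is the Switch 1 output from this example re-laid out in columns, for which the audit reports ge-0/0/11.0, the row marked ROOT, as the root port; the second is a constructed variant showing what the audit reports when a bridge with a better priority than any in the design has won the election, the situation root protection is meant to prevent. The seven-column row layout, the regular expression and the role names checked are assumptions based on that output.

```python
"""Parse and audit show spanning-tree interface output (added example; not
code from the JUNOS guide). The seven-column row layout and the priority.mac
bridge ID form are assumed from the output shown in this example."""
import re
from typing import Dict, List, Tuple

# Switch 1 output from this example, laid out in columns.
SAMPLE = """\
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port   State  Role
                       port ID      bridge ID           Cost
ge-0/0/13.0  128:527   128:525      16384.0019e25040e0  1000   BLK    ALT
ge-0/0/9.0   128:529   128:513      32768.0019e2503d20  1000   BLK    ALT
ge-0/0/11.0  128:531   128:513      8192.0019e25051e0   1000   FWD    ROOT
"""

# Constructed: the same switch after a bridge with priority 4096 took over as root.
SAMPLE_ROGUE = """\
Interface    Port ID   Designated   Designated          Port   State  Role
                       port ID      bridge ID           Cost
ge-0/0/13.0  128:527   128:525      16384.0019e25040e0  1000   BLK    ALT
ge-0/0/9.0   128:529   128:513      32768.0019e2503d20  1000   BLK    ALT
ge-0/0/11.0  128:531   128:513      8192.0019e25051e0   1000   BLK    ALT
ge-0/0/5.0   128:515   128:1        4096.00aabbccddee   1000   FWD    ROOT
"""

ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<port_id>\d+:\d+)\s+(?P<desig_port>\d+:\d+)\s+"
    r"(?P<desig_bridge>\d+\.[0-9a-f]{12})\s+(?P<cost>\d+)\s+(?P<state>\w+)\s+(?P<role>\w+)$"
)


def parse(output: str) -> List[Dict]:
    """Return one dict per interface row; banner and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["cost"] = int(row["cost"])
            rows.append(row)
    return rows


def bridge_key(bridge_id: str) -> Tuple[int, int]:
    """'8192.0019e25051e0' -> (8192, 0x0019e25051e0); the lowest key is the root."""
    prio, mac = bridge_id.split(".")
    return int(prio), int(mac, 16)


def audit(rows: List[Dict], expected_root: str) -> Dict:
    """Check the invariants a healthy RSTP port table must satisfy and that the
    elected root bridge is the one the design intends (expected_root)."""
    findings = []
    root_ports = [r["iface"] for r in rows if r["role"] == "ROOT"]
    # The lowest designated bridge ID seen on any port is the elected root.
    root_bridge = min(rows, key=lambda r: bridge_key(r["desig_bridge"]))["desig_bridge"]
    if root_bridge != expected_root:
        findings.append(f"root bridge is {root_bridge}, expected {expected_root}")
    if len(root_ports) > 1:
        findings.append(f"more than one root port: {root_ports}")
    for r in rows:
        if r["role"] == "ROOT" and r["state"] != "FWD":
            findings.append(f"{r['iface']}: root port is not forwarding")
        if r["role"] == "ALT" and r["state"] != "BLK":
            findings.append(f"{r['iface']}: alternate port is not blocking")
    return {"root_bridge": root_bridge,
            "root_port": root_ports[0] if root_ports else None,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("switch1", SAMPLE), ("switch1-rogue", SAMPLE_ROGUE)):
        print(name, audit(parse(text), expected_root="8192.0019e25051e0"))
```

A switch that is itself the root shows no ROOT row (as Switch 3 does above), so root_port is None for it and only the root-bridge identity check applies; an empty findings list is the expected result on every switch in this example.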

Related Topics

Example: Configuring Network Regions for VLANs with MSTP on EX Series
Switches on page 593

Understanding RSTP for EX Series Switches on page 572

Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches
Multiple Spanning Tree Protocol (MSTP) is used to create a loop-free topology in
networks using multiple spanning tree regions, each region containing multiple
spanning-tree instances (MSTIs). MSTIs provide different paths for different VLANs.
This functionality facilitates better load sharing across redundant links.
MSTP supports up to 64 regions, each one capable of supporting 4094 MSTIs.


This example describes how to configure MSTP on four EX Series switches:

Requirements on page 594

Overview and Topology on page 594

Configuring MSTP on Switch 1 on page 597

Configuring MSTP on Switch 2 on page 600

Configuring MSTP on Switch 3 on page 603

Configuring MSTP on Switch 4 on page 606

Verification on page 609

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

Four EX Series switches

Before you configure the switches for MSTP, be sure you have:

Installed the four switches. See Connecting and Configuring an EX Series Switch
(J-Web Procedure) on page 81.

Performed the initial software configuration on all switches. See Installing and
Connecting an EX3200 or EX4200 Switch.

Overview and Topology


When the number of VLANs grows in a network, MSTP provides a more efficient
way of creating a loop-free topology using MSTIs. Each MSTI in the spanning tree
domain maintains its own tree. Each tree can be mapped to different links, utilizing
bandwidth that would be unavailable to a single tree. MSTIs reduce demand on
system resources.


Figure 33: Network Topology for MSTP

The interfaces shown in Table 77 on page 595 will be configured for MSTP.

NOTE: You can configure MSTP on logical or physical interfaces. This example shows
MSTP configured on logical interfaces.

Table 77: Components of the Topology for Configuring MSTP on EX Series Switches

Property                 Settings

Switch 1                 The following ports on Switch 1 are connected in this way:
                         ge-0/0/9 is connected to Switch 2
                         ge-0/0/13 is connected to Switch 4
                         ge-0/0/11 is connected to Switch 3

Switch 2                 The following ports on Switch 2 are connected in this way:
                         ge-0/0/14 is connected to Switch 1
                         ge-0/0/18 is connected to Switch 3

Switch 3                 The following ports on Switch 3 are connected in this way:
                         ge-0/0/26 is connected to Switch 1
                         ge-0/0/28 is connected to Switch 2
                         ge-0/0/24 is connected to Switch 4

Switch 4                 The following ports on Switch 4 are connected in this way:
                         ge-0/0/19 is connected to Switch 1
                         ge-0/0/23 is connected to Switch 3

VLAN names and tag IDs   voice-vlan, tag 10
                         employee-vlan, tag 20
                         guest-vlan, tag 30
                         camera-vlan, tag 40

MSTIs                    1
                         2

The topology in Figure 33 on page 595 shows a Common Internal Spanning Tree
(CIST). The CIST is a single spanning tree connecting all devices in the network. The
switch with the highest priority (that is, the lowest numeric bridge-priority value)
is elected as the root bridge of the CIST.

Also in an MSTP topology are ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.

The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.

The designated port forwards data to the downstream network segment or device.

The backup port is a backup port for the designated port. When a designated
port goes down, the backup port becomes the active designated port and starts
forwarding data.

In this example, one MSTP region, region1, contains Switch 1, Switch 2, Switch 3,
and Switch 4. Within the region, four VLANs are created:

The voice-vlan supports voice traffic and has a VLAN tag identifier of 10.

The employee-vlan supports data traffic and has a VLAN tag identifier of 20.

The guest-vlan supports guest VLAN traffic (for supplicants that fail 802.1X
authentication) and has a VLAN tag identifier of 30.

The camera-vlan supports video traffic and has a VLAN tag identifier of 40.

The VLANs are associated with specific interfaces on each of the four switches. Two
MSTIs, 1 and 2, are then associated with the VLAN tag identifiers, and some MSTP
parameters, such as cost, are configured on each switch.
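Region membership is decided by the MST configuration identifier that every MSTP BPDU carries: the configuration name (region1 here), a revision level, and an HMAC-MD5 digest of the complete VLAN-to-MSTI mapping table. A switch whose msti vlan statements differ from the others, even by one VLAN, computes a different digest and is placed in a region of its own, which changes the CIST topology. The following Python model is an added example, not JUNOS code and not from this guide; it implements the IEEE 802.1s digest computation and assumes the revision level is 0, since the JUNOS revision-level statement is not set anywhere in this example.

```python
"""MST configuration identifier check for the region1 example.
Added example: not JUNOS code and not from the page. It implements the
IEEE 802.1s/802.1Q configuration digest: HMAC-MD5 over the 4096-entry
VLAN-to-MSTI table, keyed with the constant the standard defines."""

import hashlib
import hmac

# Signature key from IEEE 802.1Q (MST configuration identifier).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def msti_vlan_map(msti_to_vlans):
    """Turn the JUNOS 'msti N vlan [...]' form into {vlan_id: msti},
    rejecting a VLAN that is listed under two MSTIs."""
    mapping = {}
    for msti, vlans in msti_to_vlans.items():
        for vid in vlans:
            if vid in mapping:
                raise ValueError(f"VLAN {vid} mapped to MSTI {mapping[vid]} and MSTI {msti}")
            mapping[vid] = msti
    return mapping


def msti_table(vlan_to_msti):
    """4096 big-endian 16-bit entries, one per VLAN ID. A VLAN not listed in
    any 'msti N vlan' statement stays in the CIST (MSTID 0); entries for the
    reserved IDs 0 and 4095 are always 0."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        if not 0 <= msti <= 4094:
            raise ValueError(f"invalid MSTI {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def config_digest(vlan_to_msti):
    """16-byte HMAC-MD5 digest of the mapping table."""
    return hmac.new(MST_DIGEST_KEY, msti_table(vlan_to_msti), hashlib.md5).digest()


def region_identifier(name, revision, vlan_to_msti):
    """The MST configuration identifier carried in every MSTP BPDU:
    configuration name, revision level and the digest of the mapping table.
    Two bridges are in the same region only if all three match."""
    return (name, revision, config_digest(vlan_to_msti).hex())


def same_region(a, b):
    """a and b are (name, revision, vlan_to_msti) tuples for two bridges."""
    return region_identifier(*a) == region_identifier(*b)


# What every switch in this example configures: region1, msti 1 vlan [10 20],
# msti 2 vlan [30 40]. The JUNOS revision-level is not set on the page; assumed 0.
REGION1 = msti_vlan_map({1: [10, 20], 2: [30, 40]})

if __name__ == "__main__":
    print("region1 digest:", config_digest(REGION1).hex())
    # A switch that leaves VLAN 40 out of msti 2 has a different digest and
    # therefore forms a region of its own, even with the same configuration name.
    typo = msti_vlan_map({1: [10, 20], 2: [30]})
    print("same region:", same_region(("region1", 0, REGION1), ("region1", 0, typo)))
```

Because the digest covers all 4094 VLAN entries, the order of the vlan statements does not matter but their content does; comparing the three identifier fields across switches is a quick way to confirm, before checking port roles, that the four switches really are one region.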


Configuring MSTP on Switch 1

To configure MSTP on Switch 1, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 1, copy the following commands
and paste them into the switch terminal window:

[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface ge-0/0/13.0 cost 1000
set protocols mstp interface ge-0/0/13.0 mode point-to-point
set protocols mstp interface ge-0/0/9.0 cost 1000
set protocols mstp interface ge-0/0/9.0 mode point-to-point
set protocols mstp interface ge-0/0/11.0 cost 4000
set protocols mstp interface ge-0/0/11.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 1 interface ge-0/0/11.0 cost 4000
set protocols mstp msti 2 bridge-priority 8k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 1:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch1# set voice-vlan description "Voice VLAN"
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description "Employee VLAN"
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description "Guest VLAN"
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description "Camera VLAN"
user@switch1# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

4. Configure MSTP on the switch, including the two MSTIs:

[edit protocols]
user@switch1# set mstp configuration-name region1
user@switch1# set mstp bridge-priority 16k
user@switch1# set mstp interface ge-0/0/13.0 cost 1000
user@switch1# set mstp interface ge-0/0/13.0 mode point-to-point
user@switch1# set mstp interface ge-0/0/9.0 cost 1000
user@switch1# set mstp interface ge-0/0/9.0 mode point-to-point
user@switch1# set mstp interface ge-0/0/11.0 cost 4000
user@switch1# set mstp interface ge-0/0/11.0 mode point-to-point
user@switch1# set mstp msti 1 bridge-priority 16k
user@switch1# set mstp msti 1 vlan [10 20]
user@switch1# set mstp msti 1 interface ge-0/0/11.0 cost 4000
user@switch1# set mstp msti 2 bridge-priority 8k
user@switch1# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:

user@switch1> show configuration
interfaces {
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
}
protocols {
    mstp {
        configuration-name region1;
        bridge-priority 16k;
        interface ge-0/0/13.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/9.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/11.0 {
            cost 4000;
            mode point-to-point;
        }
        msti 1 {
            bridge-priority 16k;
            vlan [ 10 20 ];
            interface ge-0/0/11.0 {
                cost 4000;
            }
        }
        msti 2 {
            bridge-priority 8k;
            vlan [ 30 40 ];
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring MSTP on Switch 2

To configure MSTP on Switch 2, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 2, copy the following commands
and paste them into the switch terminal window:

[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 32k
set protocols mstp interface ge-0/0/14.0 cost 1000
set protocols mstp interface ge-0/0/14.0 mode point-to-point
set protocols mstp interface ge-0/0/18.0 cost 1000
set protocols mstp interface ge-0/0/18.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 2:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch2# set voice-vlan description "Voice VLAN"
user@switch2# set voice-vlan vlan-id 10
user@switch2# set employee-vlan description "Employee VLAN"
user@switch2# set employee-vlan vlan-id 20
user@switch2# set guest-vlan description "Guest VLAN"
user@switch2# set guest-vlan vlan-id 30
user@switch2# set camera-vlan description "Camera VLAN"
user@switch2# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching port-mode trunk

4. Configure MSTP on the switch, including the two MSTIs:

[edit protocols]
user@switch2# set mstp configuration-name region1
user@switch2# set mstp bridge-priority 32k
user@switch2# set mstp interface ge-0/0/14.0 cost 1000
user@switch2# set mstp interface ge-0/0/14.0 mode point-to-point
user@switch2# set mstp interface ge-0/0/18.0 cost 1000
user@switch2# set mstp interface ge-0/0/18.0 mode point-to-point
user@switch2# set mstp msti 1 bridge-priority 32k
user@switch2# set mstp msti 1 vlan [10 20]
user@switch2# set mstp msti 2 bridge-priority 4k
user@switch2# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:

user@switch2> show configuration
interfaces {
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
}
protocols {
    mstp {
        configuration-name region1;
        bridge-priority 32k;
        interface ge-0/0/14.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/18.0 {
            cost 1000;
            mode point-to-point;
        }
        msti 1 {
            bridge-priority 32k;
            vlan [ 10 20 ];
        }
        msti 2 {
            bridge-priority 4k;
            vlan [ 30 40 ];
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring MSTP on Switch 3

To configure MSTP on Switch 3, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 3, copy the following commands
and paste them into the switch terminal window:

[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 8k
set protocols mstp interface ge-0/0/26.0 cost 1000
set protocols mstp interface ge-0/0/26.0 mode point-to-point
set protocols mstp interface ge-0/0/28.0 cost 1000
set protocols mstp interface ge-0/0/28.0 mode point-to-point
set protocols mstp interface ge-0/0/24.0 cost 1000
set protocols mstp interface ge-0/0/24.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 16k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 3:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch3# set voice-vlan description "Voice VLAN"
user@switch3# set voice-vlan vlan-id 10
user@switch3# set employee-vlan description "Employee VLAN"
user@switch3# set employee-vlan vlan-id 20
user@switch3# set guest-vlan description "Guest VLAN"
user@switch3# set guest-vlan vlan-id 30
user@switch3# set camera-vlan description "Camera VLAN"
user@switch3# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching port-mode trunk

4. Configure MSTP on the switch, including the two MSTIs:

[edit protocols]
user@switch3# set mstp configuration-name region1
user@switch3# set mstp bridge-priority 8k
user@switch3# set mstp interface ge-0/0/26.0 cost 1000
user@switch3# set mstp interface ge-0/0/26.0 mode point-to-point
user@switch3# set mstp interface ge-0/0/28.0 cost 1000
user@switch3# set mstp interface ge-0/0/28.0 mode point-to-point
user@switch3# set mstp interface ge-0/0/24.0 cost 1000
user@switch3# set mstp interface ge-0/0/24.0 mode point-to-point
user@switch3# set mstp msti 1 bridge-priority 4k
user@switch3# set mstp msti 1 vlan [10 20]
user@switch3# set mstp msti 2 bridge-priority 16k
user@switch3# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:

user@switch3> show configuration
interfaces {
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
}
protocols {
    mstp {
        configuration-name region1;
        bridge-priority 8k;
        interface ge-0/0/26.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/28.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/24.0 {
            cost 1000;
            mode point-to-point;
        }
        msti 1 {
            bridge-priority 4k;
            vlan [ 10 20 ];
        }
        msti 2 {
            bridge-priority 16k;
            vlan [ 30 40 ];
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring MSTP on Switch 4

To configure MSTP on Switch 4, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 4, copy the following commands
and paste them into the switch terminal window:

[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface ge-0/0/23.0 cost 1000
set protocols mstp interface ge-0/0/23.0 mode point-to-point
set protocols mstp interface ge-0/0/19.0 cost 1000
set protocols mstp interface ge-0/0/19.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 4:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch4# set voice-vlan description "Voice VLAN"
user@switch4# set voice-vlan vlan-id 10
user@switch4# set employee-vlan description "Employee VLAN"
user@switch4# set employee-vlan vlan-id 20
user@switch4# set guest-vlan description "Guest VLAN"
user@switch4# set guest-vlan vlan-id 30
user@switch4# set camera-vlan description "Camera VLAN"
user@switch4# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:

[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching port-mode trunk

4. Configure MSTP on the switch, including the two MSTIs:

[edit protocols]
user@switch4# set mstp configuration-name region1
user@switch4# set mstp bridge-priority 16k
user@switch4# set mstp interface ge-0/0/23.0 cost 1000
user@switch4# set mstp interface ge-0/0/23.0 mode point-to-point
user@switch4# set mstp interface ge-0/0/19.0 cost 1000
user@switch4# set mstp interface ge-0/0/19.0 mode point-to-point
user@switch4# set mstp msti 1 bridge-priority 16k
user@switch4# set mstp msti 1 vlan [10 20]
user@switch4# set mstp msti 2 bridge-priority 32k
user@switch4# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:

user@switch4> show configuration
interfaces {
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 10;
                    members 20;
                    members 30;
                    members 40;
                }
            }
        }
    }
}
protocols {
    mstp {
        configuration-name region1;
        bridge-priority 16k;
        interface ge-0/0/23.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/19.0 {
            cost 1000;
            mode point-to-point;
        }
        msti 1 {
            bridge-priority 16k;
            vlan [ 10 20 ];
        }
        msti 2 {
            bridge-priority 32k;
            vlan [ 30 40 ];
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying MSTP Configuration on Switch 1 on page 609

Verifying MSTP Configuration on Switch 2 on page 610

Verifying MSTP Configuration on Switch 3 on page 612

Verifying MSTP Configuration on Switch 4 on page 613

Verifying MSTP Configuration on Switch 1

Purpose

Verify the MSTP configuration on Switch 1.

Action

Use the operational mode commands:

user@switch1> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/13.0   128:527   128:525      16384.0019e25040e0   1000   FWD     ROOT
ge-0/0/9.0    128:529   128:513      32768.0019e2503d20   1000   BLK     ALT
ge-0/0/11.0   128:531   128:513      8192.0019e25051e0    4000   BLK     ALT

Spanning tree interface parameters for instance 1
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/13.0   128:527   128:525      16385.0019e25040e0   1000   FWD     ROOT
ge-0/0/9.0    128:529   128:513      32769.0019e2503d20   1000   BLK     ALT
ge-0/0/11.0   128:531   128:513      4097.0019e25051e0    4000   BLK     ALT

Spanning tree interface parameters for instance 2
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/13.0   128:527   128:527      8194.0019e25044e0    1000   FWD     DESG
ge-0/0/9.0    128:529   128:513      4098.0019e2503d20    1000   FWD     ROOT
ge-0/0/11.0   128:531   128:531      8194.0019e25044e0    1000   FWD     DESG

user@switch1> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/13.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 2000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Message age                       : 0
  Number of topology changes        : 3
  Time since last topology change   : 921 seconds
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 2000
  Root port                         : ge-0/0/13.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 8194.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning

The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.

Verifying MSTP Configuration on Switch 2

Purpose

Verify the MSTP configuration on Switch 2.

Action

Use the operational mode commands:

user@switch2> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/14.0   128:513   128:513      32768.0019e2503d20   1000   FWD     DESG
ge-0/0/18.0   128:519   128:515      8192.0019e25051e0    1000   FWD     ROOT

Spanning tree interface parameters for instance 1
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/14.0   128:513   128:513      32769.0019e2503d20   1000   FWD     DESG
ge-0/0/18.0   128:519   128:515      4097.0019e25051e0    1000   FWD     ROOT

Spanning tree interface parameters for instance 2
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/14.0   128:513   128:513      4098.0019e2503d20    1000   FWD     DESG
ge-0/0/18.0   128:519   128:519      4098.0019e2503d20    1000   FWD     DESG

user@switch2> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/18.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 1000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 782 seconds
  Local parameters
    Bridge ID                       : 32768.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 1000
  Root port                         : ge-0/0/18.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 32769.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Local parameters
    Bridge ID                       : 4098.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning

The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.

Verifying MSTP Configuration on Switch 3

Purpose

Verify the MSTP configuration on Switch 3.

Action

Use the operational mode commands:

user@switch3> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/26.0   128:513   128:513      8192.0019e25051e0    1000   FWD     DESG
ge-0/0/28.0   128:515   128:515      8192.0019e25051e0    1000   FWD     DESG
ge-0/0/24.0   128:517   128:517      8192.0019e25051e0    1000   FWD     DESG

Spanning tree interface parameters for instance 1
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/26.0   128:513   128:513      4097.0019e25051e0    1000   FWD     DESG
ge-0/0/28.0   128:515   128:515      4097.0019e25051e0    1000   FWD     DESG
ge-0/0/24.0   128:517   128:517      4097.0019e25051e0    1000   FWD     DESG

Spanning tree interface parameters for instance 2
Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/26.0   128:513   128:531      8194.0019e25044e0    1000   BLK     ALT
ge-0/0/28.0   128:515   128:519      4098.0019e2503d20    1000   FWD     ROOT
ge-0/0/24.0   128:517   128:517      16386.0019e25051e0   1000   FWD     DESG

user@switch3> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Number of topology changes        : 3
  Time since last topology change   : 843 seconds
  Local parameters
    Bridge ID                       : 8192.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Local parameters
    Bridge ID                       : 4097.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/28.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 16386.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning

The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.

Verifying MSTP Configuration on Switch 4


Purpose

Action

Verify the MSTP configuration on Switch 4.


Use the operational mode commands:
user@switch4> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface

ge-0/0/23.0
ge-0/0/19.0

Port ID

128:523
128:525

Designated
port ID
128:517
128:525

Designated
bridge ID
8192.0019e25051e0
16384.0019e25040e0

Port
Cost
1000
1000

State

Role

FWD
FWD

ROOT
DESG

State

Role

FWD
FWD

ROOT
DESG

Spanning tree interface parameters for instance 1


Interface
ge-0/0/23.0
ge-0/0/19.0

Port ID
128:523
128:525

Designated
port ID
128:517
128:525

Designated
bridge ID
4097.0019e25051e0
16385.0019e25040e0

Port
Cost
1000
1000

Spanning tree interface parameters for instance 2

Verifying MSTP Configuration on Switch 4

613

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Interface
ge-0/0/23.0
ge-0/0/19.0

Port ID
128:523
128:525

Designated
port ID
128:517
128:527

Designated
bridge ID
16386.0019e25051e0
8194.0019e25044e0

Port
Cost
1000
1000

State

Role

BLK
FWD

ALT
ROOT

user@switch4> show spanning-tree bridge


STP bridge parameters
Context ID
: 0
Enabled protocol
: MSTP
STP bridge parameters for CIST
Root ID
Root cost
Root port
CIST regional root
CIST internal root cost
Hello time
Maximum age
Forward delay
Hop count
Message age
Number of topology changes
Time since last topology change
Local parameters
Bridge ID
Extended system ID
Internal instance ID
STP bridge parameters for MSTI 1
MSTI regional root
Root cost
Root port
Hello time
Maximum age
Forward delay
Hop count
Local parameters
Bridge ID
Extended system ID
Internal instance ID
STP bridge parameters for MSTI 2
MSTI regional root
Root cost
Root port
Hello time
Maximum age
Forward delay
Hop count
Local parameters
Bridge ID
Extended system ID
Internal instance ID

Meaning

614

:
:
:
:
:
:
:
:
:
:
:
:

8192.00:19:e2:50:51:e0
0
ge-0/0/23.0
8192.00:19:e2:50:51:e0
1000
2 seconds
20 seconds
15 seconds
19
0
4
887 seconds

: 16384.00:19:e2:50:40:e0
: 0
: 0

:
:
:
:
:
:
:

4097.00:19:e2:50:51:e0
1000
ge-0/0/23.0
2 seconds
20 seconds
15 seconds
19

: 16385.00:19:e2:50:40:e0
: 0
: 1

:
:
:
:
:
:
:

4098.00:19:e2:50:3d:20
2000
ge-0/0/19.0
2 seconds
20 seconds
15 seconds
18

: 32770.00:19:e2:50:40:e0
: 0
: 2

The operational mode command show spanning-tree interface displays spanning-tree


domain information such as the designated port and the port roles.


Chapter 34: Examples of Configuring Spanning Trees

The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.
Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Understanding MSTP for EX Series Switches on page 573

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches
EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Configure BPDU protection on interfaces to prevent them from receiving
BPDUs that could result in STP misconfigurations, which could lead to network
outages.
This example describes how to configure BPDU protection on access interfaces on
an EX Series switch in an RSTP topology:

Requirements on page 615

Overview and Topology on page 615

Configuration on page 617

Verification on page 618

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX Series switches

Two EX Series switches in an RSTP topology

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you
have:

RSTP operating on the switches.

NOTE: By default, RSTP is enabled on all EX Series switches.

Overview and Topology


A loop-free network is supported through the exchange of a special type of frame
called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in
an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering
an STP misconfiguration. To prevent such outages, enable BPDU protection on those
interfaces that should not receive BPDUs.


Enable BPDU protection on switch interfaces connected to user devices or on
interfaces on which no BPDUs are expected, such as edge ports. If a BPDU is received
on a BPDU-protected interface, the interface is disabled and stops forwarding frames.
Two EX Series switches are displayed in Figure 34 on page 616. In this example,
Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The
interfaces on Switch 2 are access ports.
This example shows you how to configure interface ge-0/0/5 and interface ge-0/0/6
as edge ports and to configure BPDU protection. When BPDU protection is enabled,
the interfaces will transition to a blocking state when BPDUs are received on them.
Figure 34: BPDU Protection Topology

Table 78 on page 616 shows the components that will be configured for BPDU
protection.

Table 78: Components of the Topology for Configuring BPDU Protection on EX Series Switches

Property                        Settings
Switch 1 (Distribution Layer)   Switch 1 is connected to Switch 2 on a trunk interface.
Switch 2 (Access Layer)         Switch 2 has these access ports that require BPDU protection:
                                ge-0/0/5
                                ge-0/0/6

This configuration example is using an RSTP topology. You also can configure BPDU
protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.

Configuration
To configure BPDU protection on two access interfaces:
CLI Quick Configuration

To quickly configure BPDU protection on Switch 2, copy the following commands
and paste them into the switch terminal window:
[edit]
set protocols rstp interface ge-0/0/5 edge
set protocols rstp interface ge-0/0/6 edge
set protocols rstp bpdu-block-on-edge

Step-by-Step Procedure

To configure BPDU protection:

1. Configure interface ge-0/0/5 and interface ge-0/0/6 on Switch 2 as edge ports:

   [edit protocols rstp]
   user@switch# set interface ge-0/0/5 edge
   user@switch# set interface ge-0/0/6 edge

2. Configure BPDU protection on all edge ports:

   [edit protocols rstp]
   user@switch# set bpdu-block-on-edge

Results

Check the results of the configuration:

user@switch> show configuration protocols rstp
interface ge-0/0/5.0 {
    edge;
}
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;


Verification
To confirm that the configuration is working properly:

Displaying the Interface State Before BPDU Protection Is Triggered on page 618

Verifying That BPDU Protection is Working Correctly on page 618

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose
Before BPDUs are being received from the PCs connected to interface ge-0/0/5 and
interface ge-0/0/6, confirm the interface state.

Action
Use the operational mode command:

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated    Designated          Port    State  Role
                        port ID       bridge ID           Cost
ge-0/0/0.0   128:513    128:513       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/6.0   128:519    128:519       32768.0019e2503f00  20000   FWD    DESG
[output truncated]

Meaning
The output from the operational mode command show spanning-tree interface shows
that ge-0/0/5.0 and interface ge-0/0/6.0 are designated ports in a forwarding state.

Verifying That BPDU Protection is Working Correctly

Purpose
In this example, the PCs connected to Switch 2 start sending BPDUs to interface
ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is configured on
the interfaces.

Action
Use the operational mode command:

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated    Designated          Port    State  Role
                        port ID       bridge ID           Cost
ge-0/0/0.0   128:513    128:513       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518       32768.0019e2503f00  20000   BLK    DIS
(BpduIncon)
ge-0/0/6.0   128:519    128:519       32768.0019e2503f00  20000   BLK    DIS
(BpduIncon)
ge-0/0/7.0   128:520    128:1         16384.00aabbcc0348  20000   FWD    ROOT
ge-0/0/8.0   128:521    128:521       32768.0019e2503f00  20000   FWD    DESG
[output truncated]

Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0
on Switch 2, the output from the operational mode command show spanning-tree
interface shows that the interfaces have transitioned to a BPDU inconsistent state.
The BPDU inconsistent state makes the interfaces block and prevents them from
forwarding traffic.
Disabling the BPDU protection configuration on an interface does not unblock the
interface. If the disable-timeout statement has been included in the BPDU
configuration, the interface automatically returns to service after the timer expires.
Otherwise, use the operational mode command clear ethernet-switching bpdu-error
to unblock the interface.
If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection
is triggered once more and the interfaces transition back to the BPDU inconsistent
state. In such cases, you need to find and repair the misconfiguration on the PCs
that is triggering BPDUs being sent to Switch 2.

Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 619

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Example: Configuring Root Protection to Enforce Root Bridge Placement in
Spanning Trees on EX Series Switches on page 628

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches
EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Configure BPDU protection on non-STP interfaces that are connected to
switches with spanning trees to prevent the non-STP interfaces from receiving BPDUs.
When non-STP interfaces receive BPDUs, it can result in an STP misconfiguration,
which could lead to network outages.
This example describes how to configure BPDU protection on non-STP interfaces on
an EX Series switch:

Requirements on page 620

Overview and Topology on page 620

Configuration on page 622

Verification on page 622

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX Series switches

One EX Series switch in an RSTP topology

One EX Series switch that is not in a spanning-tree topology

Before you configure the interface for BPDU protection, be sure you have:

RSTP operating on Switch 1.

Disabled RSTP on Switch 2.

NOTE: By default, RSTP is enabled on all EX Series switches.

Overview and Topology


A loop-free network is supported through the exchange of a special type of frame
called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces can
lead to network outages by triggering an STP miscalculation. Enable BPDU protection
on those interfaces that should not receive BPDUs to prevent network outages.
BPDU protection for non-STP interfaces can be enabled on interfaces on a non-STP
switch connected to an STP switch through a trunk interface. Enable BPDU protection
on interfaces on which no BPDUs are expected, such as access ports connected to
user devices. If BPDUs are received on a BPDU-protected interface, the interface
transitions to a blocking state and stops forwarding frames.
Two EX Series switches are displayed in Figure 35 on page 621. In this example,
Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured
for RSTP, but Switch 2 has no spanning tree. Switch 2 has two access ports: interface
ge-0/0/5 and interface ge-0/0/6.
This example shows you how to configure BPDU protection on interface ge-0/0/5
and interface ge-0/0/6. When BPDU protection is enabled, the interfaces will
transition to a blocking state if BPDUs are received.


Figure 35: BPDU Protection Topology

Table 79 on page 621 shows the components that will be configured for BPDU
protection.

Table 79: Components of the Topology for Configuring BPDU Protection on EX Series Switches

Property                        Settings
Switch 1 (Distribution Layer)   Switch 1 is connected to Switch 2 through a trunk interface. Switch 1 is configured for RSTP.
Switch 2 (Access Layer)         Switch 2 has RSTP disabled and has these access ports that require BPDU protection:
                                ge-0/0/5
                                ge-0/0/6

CAUTION: When configuring BPDU protection on a non-STP configured switch
connected to an STP-configured switch, be careful that you do not configure BPDU
protection on all interfaces. Doing so could prevent BPDUs being received on
interfaces (such as a trunk interface) that should be receiving BPDUs from an
STP-configured switch.


Configuration
To configure BPDU protection on the interfaces:
CLI Quick Configuration

To quickly configure BPDU protection on Switch 2, copy the following commands
and paste them into the switch terminal window:
[edit]
set ethernet-switching-options bpdu-block interface ge-0/0/5
set ethernet-switching-options bpdu-block interface ge-0/0/6

Step-by-Step Procedure

To configure BPDU protection:

1. Configure interface ge-0/0/5 and interface ge-0/0/6 on Switch 2:

   [edit ethernet-switching-options]
   user@switch# set bpdu-block interface ge-0/0/5
   user@switch# set bpdu-block interface ge-0/0/6

Results

Check the results of the configuration:

user@switch> show ethernet-switching-options
bpdu-block {
    interface ge-0/0/5.0;
    interface ge-0/0/6.0;
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before BPDU Protection Is Triggered on page 622

Verifying That BPDU Protection Is Working Correctly on page 623

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose
Before BPDUs are being received from the PCs connected to interface ge-0/0/5 and
interface ge-0/0/6, confirm the interface state.

Action
Use the operational mode command:

user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ge-0/0/0.0   down   default       unblocked
ge-0/0/1.0   down   default       unblocked
ge-0/0/2.0   down   default       unblocked
ge-0/0/3.0   up     default       unblocked
ge-0/0/4.0   up     v1            unblocked
ge-0/0/5.0   up     v1            unblocked
ge-0/0/6.0   up     default       unblocked
[output truncated]

Meaning
The output from the operational mode command show ethernet-switching interfaces
shows that ge-0/0/5.0 and interface ge-0/0/6.0 are up and unblocked.

Verifying That BPDU Protection Is Working Correctly

Purpose
In this example, the PCs connected to Switch 2 start sending BPDUs to interface
ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is configured on
the interfaces.

Action
Use the operational mode command:

user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ge-0/0/0.0   up     default       unblocked
ge-0/0/1.0   up     default       unblocked
ge-0/0/2.0   up     default       unblocked
ge-0/0/3.0   up     default       unblocked
ge-0/0/4.0   up     v1            unblocked
ge-0/0/5.0   down   v1            blocked - blocked by bpdu-control
ge-0/0/6.0   down   default       blocked - blocked by bpdu-control
[output truncated]

Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0
on Switch 2, the output from the operational mode command show ethernet-switching
interfaces shows that the interfaces are down and blocked by bpdu-control. This
BPDU inconsistent state shuts the interfaces down and prevents them from
forwarding traffic.
Disabling the BPDU protection configuration on an interface does not unblock the
interface. If the disable-timeout statement has been included in the BPDU
configuration, the interface automatically returns to service after the timer expires.
Otherwise, use the operational mode command clear ethernet-switching bpdu-error
to recover from the error condition and restore the interface to service.
If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection
is triggered once more and the interfaces transition back to the BPDU inconsistent
state. In such cases, you need to find and repair the misconfiguration on the PCs
that is triggering BPDUs being sent to Switch 2.
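A small audit script for this non-STP case, added here as an example and not Juniper's code: it checks that the bpdu-block list never includes the trunk that must keep receiving BPDUs (the CAUTION in the overview), and it picks the interfaces reported as blocked by bpdu-control out of show ethernet-switching interfaces output. The trunk name ge-0/0/23 and the sample texts are constructed for the example.

```python
"""Audit BPDU protection on a non-STP EX Series switch (bpdu-block).

Added example for this guide; it is not Juniper code. It applies two checks
to text the switch already gives you:
  1. The CAUTION in the overview: the bpdu-block interface list must not
     include the trunk that carries BPDUs from the STP-configured switch.
  2. Lines of 'show ethernet-switching interfaces' that read 'blocked by
     bpdu-control' identify interfaces on which protection has fired.
The set-command and output formats follow the Configuration and Verification
sections; the trunk name ge-0/0/23 is an assumption made for the sample.
"""
import re
from typing import List, Set

SET_RE = re.compile(r"^set ethernet-switching-options bpdu-block interface (\S+)$")
# Columns: Interface, State, VLAN members, Blocking (the last may contain spaces).
IFACE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>up|down)\s+(?P<vlan>\S+)\s+(?P<blocking>.+)$"
)


def logical_unit(iface: str) -> str:
    """Junos shows the entry as a logical unit (ge-0/0/5 -> ge-0/0/5.0)."""
    return iface if "." in iface else iface + ".0"


def bpdu_block_interfaces(set_commands: str) -> Set[str]:
    """Interfaces named in 'set ethernet-switching-options bpdu-block interface ...'."""
    found: Set[str] = set()
    for line in set_commands.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            found.add(logical_unit(m.group(1)))
    return found


def trunks_wrongly_blocked(set_commands: str, trunks: Set[str]) -> Set[str]:
    """Trunk interfaces that are also bpdu-blocked: these would discard the
    BPDUs that the STP-configured neighbour legitimately sends."""
    return bpdu_block_interfaces(set_commands) & {logical_unit(t) for t in trunks}


def blocked_by_bpdu_control(show_output: str) -> List[str]:
    """Interfaces whose Blocking column says they were blocked by bpdu-control."""
    blocked: List[str] = []
    for line in show_output.splitlines():
        m = IFACE_RE.match(line.strip())
        if m and "bpdu-control" in m.group("blocking"):
            blocked.append(m.group("iface"))
    return blocked


# Constructed samples. GOOD_CONFIG is the example's quick configuration;
# BAD_CONFIG adds the (assumed) trunk uplink ge-0/0/23 by mistake.
GOOD_CONFIG = """\
set ethernet-switching-options bpdu-block interface ge-0/0/5
set ethernet-switching-options bpdu-block interface ge-0/0/6
"""
BAD_CONFIG = GOOD_CONFIG + "set ethernet-switching-options bpdu-block interface ge-0/0/23\n"
TRUNKS = {"ge-0/0/23"}

# Constructed from the verification output above.
SHOW_OUTPUT = """\
Interface    State  VLAN members  Blocking
ge-0/0/3.0   up     default       unblocked
ge-0/0/4.0   up     v1            unblocked
ge-0/0/5.0   down   v1            blocked - blocked by bpdu-control
ge-0/0/6.0   down   default       blocked - blocked by bpdu-control
[output truncated]
"""

if __name__ == "__main__":
    print("trunks wrongly blocked:", sorted(trunks_wrongly_blocked(BAD_CONFIG, TRUNKS)))
    print("protection fired on:", blocked_by_bpdu_control(SHOW_OUTPUT))
```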

Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Example: Configuring Root Protection to Enforce Root Bridge Placement in
Spanning Trees on EX Series Switches on page 628

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches
EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by
preventing interfaces from moving into a forwarding state that would result in a loop
opening up in the network.
This example describes how to configure loop protection for an interface on an EX
Series switch in an RSTP topology:

Requirements on page 624

Overview and Topology on page 624

Configuration on page 626

Verification on page 626

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX Series switches

Three EX Series switches in an RSTP topology

Before you configure the interface for loop protection, be sure you have:

RSTP operating on the switches.

NOTE: By default, RSTP is enabled on all EX Series switches.

Overview and Topology

A loop-free network in spanning-tree topologies is supported through the exchange
of a special type of frame called bridge protocol data unit (BPDU). Peer STP
applications running on the switch interfaces use BPDUs to communicate. Ultimately,
the exchange of BPDUs determines which interfaces block traffic (preventing loops)
and which interfaces become root ports and forward traffic.
A blocking interface can transition to the forwarding state in error if the interface
stops receiving BPDUs from its designated port on the segment. Such a transition
error can occur when there is a hardware error on the switch or software configuration
error between the switch and its neighbor. When this happens, a loop opens up in
the spanning tree. Loops in a Layer 2 topology cause broadcast, unicast, and multicast
frames to continuously circle the looped network. As a switch processes a flood of
frames in a looped network, its resources become depleted and the ultimate result
is a network outage.

CAUTION: An interface can be configured for either loop protection or root protection,
but not for both.
Three EX Series switches are displayed in Figure 36 on page 625. In this example,
they are configured for RSTP and create a loop-free topology. Interface ge-0/0/6 is
blocking traffic between Switch 3 and Switch 1; thus, traffic is forwarded through
interface ge-0/0/7 on Switch 2. BPDUs are being sent from the root bridge on Switch
1 to both of these interfaces.
This example shows how to configure loop protection on interface ge-0/0/6 to prevent
it from transitioning from a blocking state to a forwarding state and creating a loop
in the spanning-tree topology.
Figure 36: Network Topology for Loop Protection

Table 80 on page 625 shows the components that will be configured for loop
protection.
Table 80: Components of the Topology for Configuring Loop Protection on EX Series Switches

Property    Settings
Switch 1    Switch 1 is the root bridge.
Switch 2    Switch 2 has the root port ge-0/0/7.
Switch 3    Switch 3 is connected to Switch 1 through interface ge-0/0/6.

A spanning-tree topology contains ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.

The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.

The designated port forwards data to the downstream network segment or device.

This configuration example uses an RSTP topology. However, you also can configure
loop protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.

Configuration
To configure loop protection on an interface:
CLI Quick Configuration

To quickly configure loop protection on interface ge-0/0/6:


[edit]
set protocols rstp interface ge-0/0/6 bpdu-timeout-action block

Step-by-Step Procedure

To configure loop protection:

1. Configure interface ge-0/0/6 on Switch 3:

   [edit protocols rstp]
   user@switch# set interface ge-0/0/6 bpdu-timeout-action block

Results

Check the results of the configuration:

user@switch> show configuration protocols rstp
interface ge-0/0/6.0 {
    bpdu-timeout-action {
        block;
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before Loop Protection Is Triggered on page 627

Verifying That Loop Protection Is Working on an Interface on page 627

Displaying the Interface State Before Loop Protection Is Triggered

Purpose
Before loop protection is triggered on interface ge-0/0/6, confirm that the interface
is blocking.

Action
Use the operational mode command:

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated    Designated          Port    State  Role
                        port ID       bridge ID           Cost
ge-0/0/0.0   128:513    128:513       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/6.0   128:519    128:2         16384.00aabbcc0348  20000   BLK    ALT
[output truncated]

Meaning

The output from the operational mode command show spanning-tree interface shows
that ge-0/0/6.0 is the alternate port and in a blocking state.

Verifying That Loop Protection Is Working on an Interface

Purpose
Verify the loop protection configuration on interface ge-0/0/6. RSTP has been disabled
on interface ge-0/0/4 on Switch 1. This will stop BPDUs from being sent to interface
ge-0/0/6 and trigger loop protection on the interface.

Action
Use the operational mode command:

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated    Designated          Port    State  Role
                        port ID       bridge ID           Cost
ge-0/0/0.0   128:513    128:513       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/6.0   128:519    128:519       32768.0019e2503f00  20000   BLK    DIS
(Loop-Incon)
[output truncated]

Meaning
The operational mode command show spanning-tree interface shows that interface
ge-0/0/6.0 has detected that BPDUs are no longer being forwarded to it and has
moved into a loop-inconsistent state. The loop-inconsistent state prevents the interface
from transitioning to a forwarding state. The interface recovers and transitions back
to its original state as soon as it receives BPDUs.


Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Example: Configuring Root Protection to Enforce Root Bridge Placement in
Spanning Trees on EX Series Switches on page 628

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 619

Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches on page 575

Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning
Trees on EX Series Switches
EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Root protection increases the efficiency of STP, RSTP, and MSTP by allowing
network administrators to manually enforce the root bridge placement in the network.
This example describes how to configure root protection on an interface on an EX
Series switch:

Requirements on page 628

Overview and Topology on page 628

Configuration on page 631

Verification on page 631

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX Series switches

Four EX Series switches in an RSTP topology

Before you configure the interface for root protection, be sure you have:

RSTP operating on the switches.

NOTE: By default, RSTP is enabled on all EX Series switches.

Overview and Topology

Peer STP applications running on switch interfaces exchange a special type of frame
called a bridge protocol data unit (BPDU). Switches communicate interface information
using BPDUs to create a loop-free topology that ultimately determines the root bridge
and which interfaces block or forward traffic in the spanning tree.
However, a root port elected through this process has the possibility of being wrongly
elected. A user bridge application running on a PC can generate BPDUs, too, and
interfere with root port election.
To prevent this from happening, enable root protection on interfaces that should not
receive superior BPDUs from the root bridge and should not be elected as the root
port. These interfaces are typically located on an administrative boundary and are
designated ports.
When root protection is enabled on an interface:

The interface is blocked from becoming the root port.

Root protection is enabled for all STP instances on that interface.

The interface is blocked only for instances for which it receives superior BPDUs.
Otherwise, it participates in the spanning-tree topology.

CAUTION: An interface can be configured for either root protection or loop protection,
but not for both.
Four EX Series switches are displayed in Figure 37 on page 630. In this example, they
are configured for RSTP and create a loop-free topology. Interface ge-0/0/7 on Switch
1 is a designated port on an administrative boundary. It connects to Switch 4. Switch
3 is the root bridge. Interface ge-0/0/6 on Switch 1 is the root port.
This example shows how to configure root protection on interface ge-0/0/7 to prevent
it from transitioning to become the root port.


Figure 37: Network Topology for Root Protection

Table 81 on page 630 shows the components that will be configured for root protection.

Table 81: Components of the Topology for Configuring Root Protection on EX Series Switches

Property    Settings
Switch 1    Switch 1 is connected to Switch 4 through interface ge-0/0/7.
Switch 2    Switch 2 is connected to Switch 1 and Switch 3. Interface ge-0/0/4 is the alternate port in the RSTP topology.
Switch 3    Switch 3 is the root bridge and is connected to Switch 1 and Switch 2.
Switch 4    Switch 4 is connected to Switch 1. After root protection is configured on interface ge-0/0/7, Switch 4 will send superior BPDUs that will trigger root protection on interface ge-0/0/7.

A spanning tree topology contains ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.

The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.

The designated port forwards data to the downstream network segment or device.

This configuration example uses an RSTP topology. However, you also can configure
root protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.

Configuration
To configure root protection on an interface:
CLI Quick Configuration

To quickly configure root protection on interface ge-0/0/7, copy the following
command and paste it into the switch terminal window:

[edit]
set protocols rstp interface ge-0/0/7 no-root-port

Step-by-Step Procedure

To configure root protection:

1. Configure interface ge-0/0/7:

   [edit protocols rstp]
   user@switch# set interface ge-0/0/7 no-root-port

Results

Check the results of the configuration:

user@switch> show configuration protocols rstp
interface ge-0/0/7.0 {
    no-root-port;
}

Verification
To confirm that the configuration is working properly:

Displaying the Interface State Before Root Protection Is Triggered on page 631

Verifying That Root Protection Is Working on the Interface on page 632

Displaying the Interface State Before Root Protection Is Triggered

Purpose
Before root protection is triggered on interface ge-0/0/7, confirm the interface state.

Action
Use the operational mode command:

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated    Designated          Port    State  Role
                        port ID       bridge ID           Cost
ge-0/0/0.0   128:513    128:513       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515       32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517       32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:2         16384.00aabbcc0348  20000   BLK    ALT
ge-0/0/6.0   128:519    128:1         16384.00aabbcc0348  20000   FWD    ROOT
ge-0/0/7.0   128:520    128:520       32768.0019e2503f00  20000   FWD    DESG
[output truncated]

Meaning

The output from the operational mode command show spanning-tree interface shows
that ge-0/0/7.0 is a designated port in a forwarding state.

Verifying That Root Protection Is Working on the Interface

Purpose

A configuration change takes place on Switch 4. A smaller bridge priority on
Switch 4 causes it to send superior BPDUs to interface ge-0/0/7. Receipt of superior
BPDUs on interface ge-0/0/7 will trigger root protection. Verify that root protection
is operating on interface ge-0/0/7.

Action

Use the operational mode command:

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated  Designated          Port   State  Role
                        port ID     bridge ID           Cost
ge-0/0/0.0   128:513    128:513     32768.0019e2503f00  20000  BLK    DIS
ge-0/0/1.0   128:514    128:514     32768.0019e2503f00  20000  BLK    DIS
ge-0/0/2.0   128:515    128:515     32768.0019e2503f00  20000  BLK    DIS
ge-0/0/3.0   128:516    128:516     32768.0019e2503f00  20000  FWD    DESG
ge-0/0/4.0   128:517    128:517     32768.0019e2503f00  20000  FWD    DESG
ge-0/0/5.0   128:518    128:2       16384.00aabbcc0348  20000  BLK    ALT
ge-0/0/6.0   128:519    128:1       16384.00aabbcc0348  20000  FWD    ROOT
ge-0/0/7.0   128:520    128:520     32768.0019e2503f00  20000  BLK    DIS
(RootIncon)
[output truncated]

Meaning

The operational mode command show spanning-tree interface shows that interface
ge-0/0/7.0 has transitioned to a loop inconsistent state. The loop inconsistent state
makes the interface block and prevents the interface from becoming a candidate for
the root port. When the root bridge no longer receives superior STP BPDUs from the
interface, the interface will recover and transition back to a forwarding state. Recovery
is automatic.
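The only visible sign of root protection in the two captures above is that the designated port ge-0/0/7.0 drops from FWD/DESG to BLK/DIS and gains a (RootIncon) marker. The following added example (not part of the JUNOS documentation) parses show spanning-tree interface output of that shape, reports root-inconsistent interfaces and state changes between two captures, and compares bridge IDs the way the root election does; the sample text is constructed to reproduce the output shown above, and the function and class names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the two `show spanning-tree interface` captures
# shown in this section, retyped in the column layout JUNOS prints.
BEFORE = """\
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated  Designated          Port   State  Role
                        port ID     bridge ID           Cost
ge-0/0/0.0   128:513    128:513     32768.0019e2503f00  20000  BLK    DIS
ge-0/0/1.0   128:514    128:514     32768.0019e2503f00  20000  BLK    DIS
ge-0/0/2.0   128:515    128:515     32768.0019e2503f00  20000  BLK    DIS
ge-0/0/3.0   128:516    128:516     32768.0019e2503f00  20000  FWD    DESG
ge-0/0/4.0   128:517    128:517     32768.0019e2503f00  20000  FWD    DESG
ge-0/0/5.0   128:518    128:2       16384.00aabbcc0348  20000  BLK    ALT
ge-0/0/6.0   128:519    128:1       16384.00aabbcc0348  20000  FWD    ROOT
ge-0/0/7.0   128:520    128:520     32768.0019e2503f00  20000  FWD    DESG
"""

# After Switch 4 starts sending superior BPDUs, ge-0/0/7.0 is blocked and
# JUNOS prints "(RootIncon)" on the line below the interface.
AFTER = BEFORE.replace(
    "ge-0/0/7.0   128:520    128:520     32768.0019e2503f00  20000  FWD    DESG",
    "ge-0/0/7.0   128:520    128:520     32768.0019e2503f00  20000  BLK    DIS\n"
    "(RootIncon)",
)

# One data row: interface, port ID, designated port ID, designated bridge ID,
# port cost, state, role.  Header and banner lines do not match.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<port>\d+:\d+)\s+(?P<dport>\d+:\d+)\s+"
    r"(?P<dbridge>\d+\.[0-9a-fA-F]{12})\s+(?P<cost>\d+)\s+"
    r"(?P<state>[A-Z]+)\s+(?P<role>[A-Z]+)\s*$"
)
FLAG_RE = re.compile(r"^\((?P<flag>\w+)\)\s*$")


@dataclass
class StpPort:
    interface: str
    port_id: str
    designated_port_id: str
    designated_bridge_id: str
    cost: int
    state: str
    role: str
    flags: list[str] = field(default_factory=list)


def parse_bridge_id(bridge_id: str) -> tuple[int, int]:
    """Split '32768.0019e2503f00' into (priority, MAC as int) for comparison."""
    prio, mac = bridge_id.split(".")
    return int(prio), int(mac, 16)


def bridge_id_is_superior(candidate: str, incumbent: str) -> bool:
    """True if `candidate` wins the root election against `incumbent`:
    the lower bridge priority wins and the MAC address breaks ties."""
    return parse_bridge_id(candidate) < parse_bridge_id(incumbent)


def parse_stp_interfaces(text: str) -> dict[str, StpPort]:
    """Parse `show spanning-tree interface` output, keyed by interface name.
    A parenthesised line such as '(RootIncon)' is a flag on the preceding row."""
    ports: dict[str, StpPort] = {}
    last: StpPort | None = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            last = StpPort(m["iface"], m["port"], m["dport"], m["dbridge"],
                           int(m["cost"]), m["state"], m["role"])
            ports[last.interface] = last
            continue
        f = FLAG_RE.match(line)
        if f and last is not None:
            last.flags.append(f["flag"])
    return ports


def root_inconsistent(ports: dict[str, StpPort]) -> list[str]:
    """Interfaces that root protection has blocked (flagged RootIncon)."""
    return sorted(i for i, p in ports.items() if "RootIncon" in p.flags)


def diff_ports(before: dict[str, StpPort],
               after: dict[str, StpPort]) -> list[tuple[str, str, str]]:
    """(interface, old 'STATE/ROLE', new 'STATE/ROLE') for each port that changed."""
    changes = []
    for iface in sorted(set(before) | set(after)):
        b, a = before.get(iface), after.get(iface)
        old = f"{b.state}/{b.role}" if b else "absent"
        new = f"{a.state}/{a.role}" if a else "absent"
        if old != new:
            changes.append((iface, old, new))
    return changes
```

Feeding two successive captures to diff_ports and root_inconsistent gives a monitoring script the same information the Meaning paragraph reads off by eye: which designated ports a neighbour has tried to claim the root role through, and when they recover.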

Chapter 34: Examples of Configuring Spanning Trees

Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 619

Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches on page 576

Chapter 35

Configuring Spanning Trees

Configuring STP (CLI Procedure) on page 635

Configuring Spanning-Tree Protocols (J-Web Procedure) on page 636

Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 640

Configuring STP (CLI Procedure)

The default spanning-tree protocol for EX Series switches is Rapid Spanning Tree
Protocol (RSTP). RSTP provides faster convergence times than Spanning Tree Protocol
(STP). However, some legacy networks require the slower convergence times of basic
STP.
If your network includes 802.1D 1998 bridges, you can remove RSTP and explicitly
configure STP. When you explicitly configure STP, the EX Series switches use the
IEEE 802.1D 2004 specification, force version 0. This configuration runs a version
of RSTP that is compatible with the classic, basic STP.
To configure STP using the CLI:

1. Delete the RSTP configuration on the interface (here, the interface is ge-0/0/5):

[edit]
user@switch# delete protocols rstp interface ge-0/0/5

2. Configure STP on the interface:

[edit]
user@switch# set protocols stp interface ge-0/0/5

3. Commit the configuration:

[edit]
user@switch# commit

Related Topics

show spanning-tree bridge

show spanning-tree interface

Understanding STP for EX Series Switches on page 571

Configuring Spanning-Tree Protocols (J-Web Procedure)

EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP),
and VLAN Spanning Tree Protocol (VSTP). You can configure STP, RSTP, and MSTP
using the J-Web interface. You can configure bridge protocol data unit (BPDU)
protection on interfaces to prevent them from receiving BPDUs that could result in
STP misconfigurations, which could lead to network outages.
To configure STP, MSTP, or RSTP using the J-Web interface:

1. From the Configure menu, select Switching > Spanning Tree.

The Spanning Tree Configuration page displays the spanning-tree protocol
configuration parameters and a list of interfaces configured for each spanning-tree
protocol configuration.

2. Click one:

Add: Creates a spanning-tree protocol configuration.

a. Select a protocol name.

b. Enter information as described in Table 82 on page 636.

c. Click OK to apply changes to the configuration or click Cancel to cancel
without saving changes.

Edit: Modifies a selected spanning-tree protocol configuration.

a. Enter information as described in Table 82 on page 636.

b. Click OK to apply changes to the configuration or click Cancel to cancel
without saving changes.

Delete: Deletes a selected spanning-tree protocol configuration.

Table 82: Spanning-Tree Protocol Configuration Parameters

General

Field: Protocol Name
Function: Specifies the spanning-tree protocol type: STP, MSTP, or RSTP.
Your Action: None.

Field: Disable
Function: Disables spanning-tree protocol on the interface.
Your Action: To enable this option, select the check box.

Field: BPDU Protect
Function: Specifies BPDU protection on all edge interfaces on the switch.
Your Action: To enable this option, select the check box.

Field: Bridge Priority
Function: Specifies the bridge priority. The bridge priority determines which bridge
is elected as the root bridge. If two bridges have the same path cost to the root
bridge, the bridge priority determines which bridge becomes the designated bridge
for a LAN segment.
Your Action: Select a value from the list.

Field: Forward Delay
Function: Specifies the number of seconds an interface waits before changing from
spanning-tree learning and listening states to the forwarding state.
Your Action: Type a value.

Field: Hello Time
Function: Specifies the time interval in seconds at which the root bridge transmits
configuration BPDUs.
Your Action: Type a value.

Field: Max Age
Function: Specifies the maximum-aging time in seconds for all MST instances. The
maximum aging time is the number of seconds a switch waits without receiving
spanning-tree configuration messages before attempting a reconfiguration.
Your Action: Type a value.

Field: Max Hops
Function: (MSTP only) Specifies the number of hops in a region before the BPDU is
discarded.
Your Action: Type a value.

Field: Configuration Name
Function: (MSTP only) Specifies the MSTP region name carried in the MSTP BPDUs.
Your Action: Type a name.

Field: Revision Level
Function: (MSTP only) Specifies the revision number of the MSTP configuration.
Your Action: Type a value.

Ports

Field: Interface Name
Function: Specifies an interface for the spanning-tree protocol.
Your Action:
1. Click the Ports tab.
2. Choose one:
Click Add and select an interface from the list.
Select an interface in the Port/State table and click Edit.
To delete an interface from the configuration, select it in the Port/State table
and click Remove.

Field: Cost
Function: Specifies the link cost to determine which bridge is the designated bridge
and which interface is the designated interface.
Your Action: Type a value.

Field: Priority
Function: Specifies the interface priority to determine which interface is elected
as the root port.
Your Action: Select a value from the list.

Field: Disable Port
Function: Disables the spanning-tree protocol on the interface.
Your Action: To enable the option, select the check box.

Field: Edge
Function: Configures the interface as an edge interface. Edge interfaces immediately
transition to a forwarding state.
Your Action: To enable the option, select the check box.

Field: No Root Port
Function: Specifies an interface as a spanning-tree designated port. If the bridge
receives superior STP BPDUs on a root-protected interface, that interface transitions
to a root-prevented STP state (inconsistency state) and the interface is blocked.
This blocking prevents a bridge that should not be the root bridge from being
elected the root bridge. When the bridge stops receiving superior STP BPDUs on
the root-protected interface, interface traffic is no longer blocked.
Your Action: To enable the option, select the check box.

Field: Interface Mode
Function: Specifies the link mode.
Your Action:
1. To enable the option, select the check box.
2. Select one:
Point to Point: For a full-duplex link, the default link mode is point-to-point.
Shared: For a half-duplex link, the default link mode is shared.

Field: BPDU Timeout Action
Function: Specifies the BPDU timeout action for the interface.
Your Action: Select one:
Alarm
Block

MSTI (MSTP only)

Field: MSTI Name
Function: Specifies a name (an MSTI ID) for the MST instance.
Your Action:
1. Click the MSTI tab.
2. Choose one:
Click Add.
Select an MSTI ID and click Edit.
To delete an MSTI from the configuration, select the MSTI ID and click Remove.

Field: Bridge Priority
Function: Specifies the bridge priority. The bridge priority determines which bridge
is elected as the root bridge. If two bridges have the same path cost to the root
bridge, the bridge priority determines which bridge becomes the designated bridge
for a LAN segment.
Your Action: Select a value from the list.

Field: VLAN ID
Function: Specifies the VLAN for the MST instance.
Your Action: In the VLAN box, choose one:
Click Add, select a VLAN from the list, and click OK.
To remove a VLAN association, select the VLAN ID, click Remove, and click OK.

Field: Interfaces
Function: Specifies an interface for the MST instance.
Your Action:
1. In the Interfaces box, click Add and select an interface from the list, or select
an interface from the list and click Edit.
2. Specify the link cost to determine which bridge is the designated bridge and
which interface is the designated interface.
3. Specify the interface priority to determine which interface is elected as the
root port.
4. If you want to disable the interface, select the check box.
5. Click OK.
To delete an interface configuration, select the interface, click Remove, and click OK.

Related Topics

Configuring STP (CLI Procedure) on page 635

Monitoring Spanning-Tree Protocols on page 641

Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 640

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring Network Regions for VLANs with MSTP on EX Series
Switches on page 593

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Unblocking an Interface That Receives BPDUs in Error (CLI Procedure)

EX Series switches use bridge protocol data unit (BPDU) protection on interfaces to
prevent them from receiving BPDUs that could trigger a spanning-tree
misconfiguration. If BPDUs are received on a BPDU-protected interface, the interface
transitions to a blocking state and stops forwarding frames.
After the misconfiguration that triggered the BPDUs being sent to an interface is
fixed in the topology, the interface can be unblocked and returned to service.
To unblock an interface and return it to service using the CLI:

Automatically unblock an interface by configuring a timer that expires (here, the
interface is ge-0/0/6):

[edit ethernet-switching-options]
user@switch# set bpdu-block disable-timeout 30 interface ge-0/0/6

Manually unblock an interface using the operational mode command:

user@switch> clear ethernet-switching bpdu-error interface ge-0/0/6

Related Topics

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 615

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX Series Switches on page 619

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Chapter 36

Verifying Spanning Trees

Monitoring Spanning-Tree Protocols on page 641

Monitoring Spanning-Tree Protocols

Purpose

Use the monitoring feature to view status and information about the spanning-tree
protocol parameters on your EX Series switch.

Action

To display spanning-tree protocol parameter details in the J-Web interface, select
Monitor > Switching > STP.
To display spanning-tree protocol parameter details in the CLI, enter the following
commands:

show spanning-tree interface

show spanning-tree bridge

Meaning

Table 83 on page 641 summarizes the spanning-tree protocol parameters.

Table 83: Summary of Spanning-Tree Protocols Output Fields

Bridge Parameters

Field: Context ID
Values: An internally generated identifier.

Field: Enabled Protocol
Values: Spanning-tree protocol type enabled.

Field: Root ID
Values: Bridge ID of the elected spanning-tree root bridge. The bridge ID consists
of a configurable bridge priority and the MAC address of the bridge.

Field: Bridge ID
Values: Locally configured bridge ID.

Field: Hello Time
Values: The time for which the bridge interface remains in the listening or learning
state.

Field: Forward Delay
Values: The time for which the bridge interface remains in the listening or learning
state before transitioning to the forwarding state.

Field: Extended System ID
Values: The system ID.

Field: Inter Instance ID
Values: An internally generated instance identifier.

Field: Maximum Age
Values: Maximum age of received bridge protocol data units (BPDUs).

Field: Number of topology changes
Values: Total number of STP topology changes detected since the switch last booted.

Spanning Tree Interface Details

Field: Interface Name
Values: Interface configured to participate in the STP instance.

Field: Port ID
Values: Logical interface identifier configured to participate in the STP instance.

Field: Designated Port ID
Values: Port ID of the designated port for the LAN segment to which the interface
is attached.

Field: Designated Bridge ID
Values: ID of the designated bridge to which the interface is attached.

Field: Port Cost
Values: Configured cost for the interface.

Field: Port State
Values: STP port state:
Forwarding (FWD)
Blocking (BLK)
Listening
Learning
Disabled

Field: Role
Values: MSTP or RSTP port role: Designated (DESG), backup (BKUP), alternate (ALT),
or root.

Spanning Tree Statistics of Interface

Field: Interface
Values: Interface for which statistics are being displayed.

Field: BPDUs Sent
Values: Total number of BPDUs sent.

Field: BPDUs Received
Values: Total number of BPDUs received.

Field: Next BPDU Transmission
Values: Number of seconds until the next BPDU is scheduled to be sent.

Related Topics

show spanning-tree interface

show spanning-tree bridge

Configuring Spanning-Tree Protocols (J-Web Procedure) on page 636

Configuring STP (CLI Procedure) on page 635

Example: Configuring Network Regions for VLANs with MSTP on EX Series
Switches on page 593

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Chapter 37

Configuration Statements for Bridging, VLANs, and Spanning Trees

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 643

[edit interfaces] Configuration Statement Hierarchy on page 645

[edit protocols] Configuration Statement Hierarchy on page 646

[edit vlans] Configuration Statement Hierarchy on page 652

[edit ethernet-switching-options] Configuration Statement Hierarchy

ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        disable-timeout timeout;
        interface (all | [interface-name]);
    }
    dot1q-tunneling {
        ether-type (0x8100 | 0x88a8 | 0x9100);
    }
    interfaces interface-name {
        no-mac-learning;
    }
    mac-table-aging-time seconds;
    port-error-disable {
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
        }
    }
    secure-access-port {
        dhcp-snooping-file {
            location local_pathname | remote_URL;
            timeout seconds;
            write-interval seconds;
        }
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            no-allowed-mac-log;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                    use-interface-description;
                    use-vlan-id;
                }
                remote-id {
                    prefix hostname | mac | none;
                    use-interface-description;
                    use-string string;
                }
                vendor-id [string];
            }
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            bandwidth bandwidth;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    unknown-unicast-forwarding {
        vlan (all | vlan-name) {
            interface interface-name;
        }
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}

Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

Port Security for EX Series Switches Overview on page 1063

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding Storm Control on EX Series Switches on page 475

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

[edit interfaces] Configuration Statement Hierarchy

interfaces {
    aex {
        aggregated-ether-options {
            lacp mode {
                periodic interval;
            }
        }
    }
    ge-chassis/pic/port {
        description text;
        ether-options {
            802.3ad aex;
            auto-negotiation;
            flow-control;
            link-mode mode;
            speed (speed | auto-negotiation);
        }
        mtu bytes;
        no-gratuitous-arp-request;
        unit logical-unit-number {
            (family ccc; |
            family ethernet-switching {
                filter input filter-name;
                filter output filter-name;
                native-vlan-id vlan-id;
                port-mode mode;
                vlan {
                    members [ (all | names | vlan-ids) ];
                }
            } |
            family mpls;)
            proxy-arp;
            vlan-id vlan-id-number;
        }
        vlan-tagging;
    }
}

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 386

Configuring a Layer 3 Subinterface (CLI Procedure)

EX Series Switches Interfaces Overview on page 339

JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html

[edit protocols] Configuration Statement Hierarchy

protocols {
    connections {
        remote-interface-switch connection-name {
            interface interface-name.unit-number;
            transmit-lsp label-switched-path;
            receive-lsp label-switched-path;
        }
    }
    dot1x {
        authenticator {
            authentication-profile-name profile-name;
            interface (all | [ interface-names ]) {
                disable;
                guest-vlan (vlan-id | vlan-name);
                mac-radius <restrict>;
                maximum-requests number;
                no-reauthentication;
                quiet-period seconds;
                reauthentication {
                    interval seconds;
                }
                retries number;
                server-fail (deny | permit | use-cache | vlan-id | vlan-name);
                server-reject-vlan (vlan-id | vlan-name);
                server-timeout seconds;
                supplicant (multiple | single | single-secure);
                supplicant-timeout seconds;
                transmit-period seconds;
            }
            static mac-address {
                interface interface-name;
                vlan-assignment (vlan-id | vlan-name);
            }
        }
    }
    gvrp {
        <enable | disable>;
        interface (all | [interface-name]) {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }
    igmp-snooping {
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        vlan (vlan-id | vlan-number) {
            data-forwarding {
                source {
                    groups group-prefix;
                }
                receiver {
                    source-vlans vlan-list;
                    install;
                }
            }
            disable {
                interface interface-name;
            }
            immediate-leave;
            interface interface-name {
                group-limit limit;
                multicast-router-interface;
                static {
                    group ip-address;
                }
            }
            proxy;
            query-interval seconds;
            query-last-member-interval seconds;
            query-response-interval seconds;
            robust-count number;
        }
    }
    lldp {
        disable;
        advertisement-interval seconds;
        hold-multiplier number;
        interface (all | interface-name) {
            disable;
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
    }
    lldp-med {
        disable;
        fast-start number;
        interface (all | interface-name) {
            disable;
            location {
                elin number;
                civic-based {
                    what number;
                    country-code code;
                    ca-type {
                        number {
                            ca-value value;
                        }
                    }
                }
            }
        }
    }
    mpls {
        interface (all | interface-name);
        label-switched-path lsp-name to remote-provider-edge-switch;
        path destination {
            <address | hostname> <strict | loose>;
        }
    }
    mstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        configuration-name name;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        max-hops hops;
        msti msti-id {
            vlan (vlan-id | vlan-name);
            interface interface-name {
                disable;
                cost cost;
                edge;
                mode mode;
                priority priority;
            }
        }
        revision-level revision-level;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    oam {
        ethernet {
            link-fault-management {
                action-profile profile-name;
                action {
                    syslog;
                    link-down;
                }
                event {
                    link-adjacency-loss;
                    link-event-rate;
                    frame-error count;
                    frame-period count;
                    frame-period-summary count;
                    symbol-period count;
                }
                interface interface-name {
                    link-discovery (active | passive);
                    pdu-interval interval;
                    event-thresholds threshold-value;
                    remote-loopback;
                    event-thresholds {
                        frame-error count;
                        frame-period count;
                        frame-period-summary count;
                        symbol-period count;
                    }
                }
                negotiation-options {
                    allow-remote-loopback;
                    no-allow-link-events;
                }
            }
        }
    }
    rstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    sflow {
        collector {
            ip-address;
            udp-port port-number;
        }
        disable;
        interfaces interface-name {
            disable;
            polling-interval seconds;
            sample-rate number;
        }
        polling-interval seconds;
        sample-rate number;
    }
    stp {
        disable;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    vstp {
        bpdu-block-on-edge;
        disable;
        force-version stp;
        vlan vlan-id {
            bridge-priority priority;
            forward-delay seconds;
            hello-time seconds;
            interface (all | interface-name) {
                bpdu-timeout-action {
                    block;
                    alarm;
                }
                cost cost;
                disable;
                edge;
                mode mode;
                no-root-port;
                priority priority;
            }
            max-age seconds;
            traceoptions {
                file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
                flag flag;
            }
        }
    }
}

Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Understanding Server Fail Fallback and 802.1X Authentication on EX Series
Switches on page 873

IGMP Snooping on EX Series Switches Overview on page 795

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding How to Use sFlow Technology for Network Monitoring on an EX
Series Switch on page 1635

Understanding VSTP for EX Series Switches on page 574

Understanding Ethernet OAM Link Fault Management for an EX Series Switch
on page 1661


[edit vlans] Configuration Statement Hierarchy

vlans {
    vlan-name {
        description text-description;
        dot1q-tunneling {
            customer-vlans (id | range);
        }
        filter input filter-name;
        filter output filter-name;
        interface interface-name {
            mapping (policy | tag push | native push);
        }
        l3-interface vlan.logical-interface-number;
        mac-limit number;
        mac-table-aging-time seconds;
        no-local-switching;
        no-mac-learning;
        primary-vlan vlan-name;
        vlan-id number;
        vlan-range vlan-id-low-vlan-id-high;
    }
}

Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on
page 490

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Example: Connecting an Access Switch to a Distribution Switch on page 498

Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530

Creating a Private VLAN (CLI Procedure) on page 550

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

alarm

Syntax

alarm;

Hierarchy Level

[edit protocols mstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols rstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols stp interface (all | interface-name) bpdu-timeout-action],
[edit protocols vstp vlan vlan-id interface (all | interface-name) bpdu-timeout-action]

Release Information

Statement introduced in JUNOS Release 9.1 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description

For interfaces configured for loop protection, configure the software to generate a
message to be sent to the system log file to record the loop-protection event.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge

show spanning-tree interface

Example: Configuring Network Regions for VLANs with MSTP on EX Series
Switches on page 593

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches on page 575

Understanding VSTP for EX Series Switches on page 574

arp

Syntax

arp {
    aging-timer minutes;
}

Hierarchy Level

[edit system]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Set the time interval between ARP updates.

Options

aging-timer minutes: Time interval in minutes between ARP updates. In environments
where the number of ARP entries to update is high, increasing the time between
updates can improve system performance.
Range: 5 to 240 minutes
Default: 20 minutes

Required Privilege Level

system: To view this statement in the configuration.
system-control: To add this statement to the configuration.

Related Topics

For more information about ARP updates, see the JUNOS Software System Basics
Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html.

bandwidth

Syntax

bandwidth bandwidth;

Hierarchy Level

[edit ethernet-switching-options storm-control interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

For interfaces configured for storm control, configure the storm control level as the
bandwidth in kilobits per second of the combined broadcast and unknown unicast
streams.

Default

None.

Options

bandwidth: Traffic rate in kilobits per second of the combined broadcast and unknown
unicast streams.
Range: 100 through 10000000 Kbps
Default: None

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Storm Control to Prevent Network Outages on EX Series
Switches on page 527

Understanding Storm Control on EX Series Switches on page 475

block

Syntax

block;

Hierarchy Level

[edit protocols mstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols rstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols stp interface (all | interface-name) bpdu-timeout-action],
[edit protocols vstp vlan vlan-id interface (all | interface-name) bpdu-timeout-action]

Release Information

Statement introduced in JUNOS Release 9.1 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description

Configure loop protection on a specific interface.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge

show spanning-tree interface

Example: Configuring Network Regions for VLANs with MSTP on EX Series
Switches on page 593

Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX Series Switches on page 579

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning
from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624

Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series
Switches on page 575

Understanding VSTP for EX Series Switches on page 574

bpdu-block

Syntax
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }

Hierarchy Level
    [edit ethernet-switching-options]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Configure BPDU protection on an interface. If the interface receives BPDUs, it is disabled.
    The statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    clear ethernet-switching bpdu-error
    Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches on page 619
    Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 640
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579


bpdu-block-on-edge

Syntax
    bpdu-block-on-edge;

Hierarchy Level
    [edit protocols mstp],
    [edit protocols rstp],
    [edit protocols vstp]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    Configure bridge protocol data unit (BPDU) protection on all edge ports of a switch.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    clear ethernet-switching bpdu-error
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX Series Switches on page 615
    Understanding VSTP for EX Series Switches on page 574


bpdu-timeout-action

Syntax
    bpdu-timeout-action {
        block;
        alarm;
    }

Hierarchy Level
    [edit protocols mstp interface (all | interface-name)],
    [edit protocols rstp interface (all | interface-name)],
    [edit protocols stp interface (all | interface-name)],
    [edit protocols vstp vlan vlan-id interface (all | interface-name)]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    Configure the BPDU timeout action on a specific interface. You must configure at least one action (alarm, block, or both).
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 624
    Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches on page 575
    Understanding VSTP for EX Series Switches on page 574
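The block and bpdu-timeout-action statements above are easiest to read together. The following configuration is an added example, not taken from this guide or from any Juniper example; the interface names ge-0/0/10 and ge-0/0/11 and the choice of actions are assumed for illustration.

```junos
/* Added example (not from the guide): loop protection on two RSTP uplinks.
   Interface names are assumed. */
protocols {
    rstp {
        /* Uplink that must keep hearing BPDUs from the designated bridge.
           If they stop, the port is blocked instead of drifting into
           forwarding, and an alarm records the event. */
        interface ge-0/0/10 {
            bpdu-timeout-action {
                block;
                alarm;
            }
        }
        /* Second uplink: alarm only, so the condition is logged but the
           interface is left to the normal spanning-tree decision. */
        interface ge-0/0/11 {
            bpdu-timeout-action {
                alarm;
            }
        }
    }
}
```

The statement requires at least one of the two actions; block and alarm together is the combination that both stops a unidirectional-link loop and leaves a trace for the operator. After committing, show spanning-tree interface (listed under Related Topics) is where to confirm the state of each interface.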


bridge-priority

Syntax
    bridge-priority priority;

Hierarchy Level
    [edit protocols mstp],
    [edit protocols mstp msti msti-id],
    [edit protocols rstp],
    [edit protocols stp],
    [edit protocols vstp vlan vlan-id]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    Configure the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.

Default
    32,768

Options
    priority: Bridge priority. It can be set only in increments of 4096.
    Range: 0 through 61,440
    Default: 32,768

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Understanding MSTP for EX Series Switches on page 573
    Understanding VSTP for EX Series Switches on page 574


configuration-name

Syntax
    configuration-name configuration-name;

Hierarchy Level
    [edit protocols mstp]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Specify the configuration name. The configuration name is the MSTP region name carried in the MSTP BPDUs.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Understanding MSTP for EX Series Switches on page 573


cost

Syntax
    cost cost;

Hierarchy Level
    [edit protocols mstp interface (all | interface-name)],
    [edit protocols mstp msti msti-id interface interface-name],
    [edit protocols rstp interface (all | interface-name)],
    [edit protocols stp interface (all | interface-name)],
    [edit protocols vstp vlan vlan-id interface (all | interface-name)]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure the link cost to control which bridge is the designated bridge and which interface is the designated interface.

Default
    The link cost is determined by the link speed.

Options
    cost: Link cost associated with the port.
    Range: 1 through 200,000,000
    Default: Link cost is determined by the link speed.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Understanding STP for EX Series Switches on page 571
    Understanding MSTP for EX Series Switches on page 573
    Understanding VSTP for EX Series Switches on page 574


customer-vlans

Syntax
    customer-vlans (id | native | range);

Hierarchy Level
    [edit vlans vlan-name dot1q-tunneling]

Release Information
    Statement introduced in JUNOS Release 9.3 for EX Series switches.
    Option native introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Limit the set of accepted C-VLAN tags to a range or to discrete values.

Options
    id: Numeric identifier for a VLAN.
    native: Accepts untagged and priority-tagged packets from access interfaces and assigns the configured S-VLAN to the packet.
    range: Range of numeric identifiers for VLANs.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    dot1q-tunneling
    ether-type
    Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530
    Configuring Q-in-Q Tunneling (CLI Procedure) on page 551
    Understanding Q-in-Q Tunneling on EX Series Switches on page 477


description

Syntax
    description text-description;

Hierarchy Level
    [edit vlans vlan-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Provide a textual description of the VLAN. The text has no effect on the operation of the VLAN or switch.

Options
    text-description: Text to describe the interface. It can contain letters, numbers, and hyphens (-) and can be up to 255 characters long. If the text includes spaces, enclose the entire text in quotation marks.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show vlans
    Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
    Understanding Bridging and VLANs on EX Series Switches on page 467

disable

Syntax
    disable;

Hierarchy Level
    [edit protocols gvrp],
    [edit protocols gvrp interface [interface-name]]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

    NOTE: As of JUNOS Release 9.2, GVRP can be enabled only on trunk interfaces.

Description
    Disable the GVRP configuration on the interface.

Default
    If you do not configure GVRP, it is disabled. You can use this command to disable a prior configuration of GVRP on a specified interface.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show gvrp
    Example: Configure Automatic VLAN Administration Using GVRP on page 508


disable

Syntax
    disable;

Hierarchy Level
    [edit protocols mstp],
    [edit protocols mstp interface interface-name],
    [edit protocols mstp msti msti-id vlan (vlan-id | vlan-name) interface interface-name],
    [edit protocols rstp],
    [edit protocols rstp interface interface-name],
    [edit protocols stp],
    [edit protocols stp interface interface-name],
    [edit protocols vstp],
    [edit protocols vstp vlan vlan-id interface (all | interface-name)]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    Disable STP, MSTP, RSTP, or VSTP on the switch or on a specific interface.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Understanding MSTP for EX Series Switches on page 573
    Understanding STP for EX Series Switches on page 571
    Understanding VSTP for EX Series Switches on page 574


disable-timeout

Syntax
    disable-timeout timeout;

Hierarchy Level
    [edit ethernet-switching-options bpdu-block]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    For interfaces configured for BPDU protection, specify the amount of time an interface receiving BPDUs is disabled.

Default
    The disable timeout is not enabled.

Options
    timeout: Amount of time, in seconds, the interface receiving BPDUs is disabled. Once the timeout expires, the interface is brought back into service.
    Range: 10 through 3600 seconds

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches on page 619
    Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574
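The bpdu-block, bpdu-block-on-edge and disable-timeout statements described above form one feature: a port that should never see a bridge is shut down when a BPDU arrives, and disable-timeout decides whether it comes back on its own. The following configuration is an added example, not taken from this guide or from any Juniper example; the interface names and the 300-second value are assumed for illustration.

```junos
/* Added example (not from the guide): BPDU protection with automatic recovery.
   Interface names are assumed. */
ethernet-switching-options {
    bpdu-block {
        /* Access ports on which no bridge should ever be attached: a received
           BPDU disables the port. */
        interface ge-0/0/1.0;
        interface ge-0/0/2.0;
        /* Return a disabled port to service after 300 seconds. Without this
           statement the default applies: the port stays disabled until
           "clear ethernet-switching bpdu-error" is run by an operator. */
        disable-timeout 300;
    }
}
protocols {
    rstp {
        /* For ports that do run RSTP, one statement protects every port
           configured as an edge port instead of listing them individually. */
        bpdu-block-on-edge;
        interface ge-0/0/3 {
            edge;
        }
    }
}
```

Choosing a timeout is a deliberate trade-off: with it, service on a mis-cabled port is restored without a ticket, but a port that keeps receiving BPDUs will be disabled again each time it comes back, so the alarm history for that interface is worth watching. Leaving the timeout unset keeps the port down until someone looks at why a BPDU arrived there.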


disable-timeout

Syntax
    disable-timeout timeout;

Hierarchy Level
    [edit ethernet-switching-options port-error-disable]

Release Information
    Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Specify how long the Ethernet-switching interfaces remain in a disabled state due to MAC limiting, MAC move limiting, or storm control errors.

Default
    The disable timeout is not enabled.

Options
    timeout: Amount of time, in seconds, that the disabled state remains in effect. The disabled interface is automatically restored to service when the specified timeout is reached.
    Range: 10 through 3600 seconds

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Configuring Port Security (CLI Procedure) on page 1150
    Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558
    Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527

dot1q-tunneling

Syntax
    dot1q-tunneling {
        ether-type (0x8100 | 0x88a8 | 0x9100);
    }

Hierarchy Level
    [edit ethernet-switching-options]

Release Information
    Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
    Set a global value for the Ethertype for Q-in-Q tunneling.
    The remaining statement is explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    dot1q-tunneling
    Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530
    Configuring Q-in-Q Tunneling (CLI Procedure) on page 551


dot1q-tunneling

Syntax
    dot1q-tunneling {
        customer-vlans (id | native | range);
    }

Hierarchy Level
    [edit vlans vlan-name]

Release Information
    Statement introduced in JUNOS Release 9.3 for EX Series switches.
    Option native introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Enable Q-in-Q tunneling on the specified VLAN.
    The remaining statement is explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    dot1q-tunneling
    Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530
    Configuring Q-in-Q Tunneling (CLI Procedure) on page 551
    Understanding Q-in-Q Tunneling on EX Series Switches on page 477


edge

Syntax
    edge;

Hierarchy Level
    [edit protocols mstp interface (all | interface-name)],
    [edit protocols mstp msti msti-id interface interface-name],
    [edit protocols rstp interface (all | interface-name)],
    [edit protocols stp interface (all | interface-name)],
    [edit protocols vstp vlan vlan-id interface (all | interface-name)]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure interfaces as edge interfaces. Edge interfaces immediately transition to a forwarding state.

Default
    Edge interfaces are not enabled.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Understanding MSTP for EX Series Switches on page 573
    Understanding STP for EX Series Switches on page 571
    Understanding VSTP for EX Series Switches on page 574


ethernet-switching-options

Syntax
    ethernet-switching-options {
        analyzer {
            name {
                loss-priority priority;
                ratio number;
                input {
                    ingress {
                        interface (all | interface-name);
                        vlan (vlan-id | vlan-name);
                    }
                    egress {
                        interface (all | interface-name);
                    }
                }
                output {
                    interface interface-name;
                    vlan (vlan-id | vlan-name);
                }
            }
        }
        bpdu-block {
            disable-timeout timeout;
            interface (all | [interface-name]);
        }
        dot1q-tunneling {
            ether-type (0x8100 | 0x88a8 | 0x9100);
        }
        interfaces interface-name {
            no-mac-learning;
        }
        mac-table-aging-time seconds;
        port-error-disable {
            disable-timeout timeout;
        }
        redundant-trunk-group {
            group-name name {
                interface interface-name <primary>;
                interface interface-name;
            }
        }
        secure-access-port {
            dhcp-snooping-file {
                location local_pathname | remote_URL;
                timeout seconds;
                write-interval seconds;
            }
            interface (all | interface-name) {
                allowed-mac {
                    mac-address-list;
                }
                (dhcp-trusted | no-dhcp-trusted);
                mac-limit limit action action;
                no-allowed-mac-log;
                static-ip ip-address {
                    vlan vlan-name;
                    mac mac-address;
                }
            }
            vlan (all | vlan-name) {
                (arp-inspection | no-arp-inspection);
                dhcp-option82 {
                    circuit-id {
                        prefix hostname;
                        use-interface-description;
                        use-vlan-id;
                    }
                    remote-id {
                        prefix hostname | mac | none;
                        use-interface-description;
                        use-string string;
                    }
                    vendor-id [string];
                }
                (examine-dhcp | no-examine-dhcp);
                (ip-source-guard | no-ip-source-guard);
                mac-move-limit limit action action;
            }
        }
        storm-control {
            interface (all | interface-name) {
                level level;
                no-broadcast;
                no-unknown-unicast;
            }
        }
        traceoptions {
            file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
            flag flag <disable>;
        }
        unknown-unicast-forwarding {
            vlan (all | vlan-name) {
                interface interface-name;
            }
        }
        voip {
            interface (all | [interface-name | access-ports]) {
                vlan vlan-name;
                forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
            }
        }
    }

Hierarchy Level
    [edit]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.
    Support for storm control and BPDU protection added in JUNOS Release 9.1 for EX Series switches.
    Option ip-source-guard added in JUNOS Release 9.2 for EX Series switches.
    Options dhcp-option82, dot1q-tunneling, and no-allowed-mac-log added in JUNOS Release 9.3 for EX Series switches.
    Options dhcp-snooping-file and mac-table-aging-time introduced in JUNOS Release 9.4 for EX Series switches.
    Options interfaces and no-mac-learning introduced in JUNOS Release 9.5 for EX Series switches.
    Options port-error-disable and disable-timeout introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Configure Ethernet switching options.
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Port Mirroring on EX Series Switches Overview on page 1595
    Port Security for EX Series Switches Overview on page 1063
    Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574
    Understanding Redundant Trunk Links on EX Series Switches on page 473
    Understanding Storm Control on EX Series Switches on page 475
    Understanding 802.1X and VoIP on EX Series Switches on page 879
    Understanding Q-in-Q Tunneling on EX Series Switches on page 477
    Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

ether-type

Syntax
    ether-type (0x8100 | 0x88a8 | 0x9100);

Hierarchy Level
    [edit ethernet-switching-options dot1q-tunneling]

Release Information
    Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
    Configure a global value for the Ethertype. Only one Ethertype value is supported at a time. The Ethertype value appears in the Ethernet type field of the packet. It specifies the protocol being transported in the Ethernet frame.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    dot1q-tunneling
    Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530
    Configuring Q-in-Q Tunneling (CLI Procedure) on page 551
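The Q-in-Q statements on this page (the global dot1q-tunneling with ether-type, and the per-VLAN dot1q-tunneling with customer-vlans, together with description) are shown below in one configuration. It is an added example, not taken from this guide or from any Juniper example. The VLAN name customer-a, S-VLAN ID 100, the C-VLAN IDs 10 through 20 and 30, the bracketed list form for giving several customer-vlans entries at once, and the vlan-id statement (a standard vlans statement not documented on this page) are all assumptions.

```junos
/* Added example (not from the guide): Q-in-Q tunnelling for one customer.
   VLAN name, IDs and the list form of customer-vlans are assumed. */
ethernet-switching-options {
    dot1q-tunneling {
        /* One outer-tag Ethertype for the whole switch; 0x88a8 is the
           802.1ad value, so provider equipment expecting it will parse the
           S-tag correctly. */
        ether-type 0x88a8;
    }
}
vlans {
    customer-a {
        /* Description containing spaces must be quoted (see the description
           statement). */
        description "Customer A S-VLAN, provider core 100";
        /* The S-VLAN that carries this customer across the provider core
           (assumed vlan-id statement). */
        vlan-id 100;
        dot1q-tunneling {
            /* Only these C-VLAN tags are accepted from customer-a; untagged
               and priority-tagged frames arriving on access interfaces are
               placed into S-VLAN 100 by "native". Any other C-VLAN tag is
               outside the accepted set. */
            customer-vlans [ 10-20 30 native ];
        }
    }
}
```

The customer-vlans list is the part worth reviewing: restricting it to the tags the customer has actually been allocated keeps one customer's stray or mis-tagged VLANs from being carried under another customer's S-VLAN, and native should be included only where the customer genuinely sends untagged frames.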


filter

Syntax
    filter (input | output) filter-name;

Hierarchy Level
    [edit vlans vlan-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Apply a firewall filter to traffic coming into or exiting from the VLAN.

Default
    All incoming traffic is accepted unmodified to the VLAN, and all outgoing traffic is sent unmodified from the VLAN.

Options
    input: Apply a firewall filter to VLAN ingress traffic.
    output: Apply a firewall filter to VLAN egress traffic.
    filter-name: Name of a firewall filter defined in a filter statement.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275
    Configuring Firewall Filters (CLI Procedure) on page 1301
    Configuring Firewall Filters (J-Web Procedure) on page 1307
    Firewall Filters for EX Series Switches Overview on page 1249


forward-delay

Syntax
    forward-delay seconds;

Hierarchy Level
    [edit protocols mstp],
    [edit protocols rstp],
    [edit protocols stp],
    [edit protocols vstp vlan vlan-id]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify how long a bridge interface remains in the listening and learning states before transitioning to the forwarding state.

Default
    15 seconds

Options
    seconds: Number of seconds the bridge interface remains in the listening and learning states.
    Range: 4 through 30 seconds
    Default: 15 seconds

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Understanding MSTP for EX Series Switches on page 573
    Understanding STP for EX Series Switches on page 571
    Understanding VSTP for EX Series Switches on page 574


group-name

Syntax
    group-name name {
        interface interface-name <primary>;
        interface interface-name;
    }

Hierarchy Level
    [edit ethernet-switching-options redundant-trunk-group]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Create a redundant trunk group.

Options
    name: The name of the redundant trunk group. The group name must start with a letter and can consist of letters, numbers, dashes, and underscores.
    The remaining options are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Redundant Trunk Links for Faster Recovery on page 523
    Understanding Redundant Trunk Links on EX Series Switches on page 473


gvrp

Syntax
    gvrp {
        interface [interface-name] {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }

Hierarchy Level
    [edit protocols]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

    NOTE: As of JUNOS Release 9.2, GVRP can be enabled only on trunk interfaces.

Description
    When GVRP is configured on a trunk interface, it ensures that the VLAN membership information on the trunk interface is updated as the switch's access interfaces become active or inactive in the configured VLANs.
    The statements are explained separately.

Default
    GVRP is disabled by default.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show gvrp
    Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
    Example: Configure Automatic VLAN Administration Using GVRP on page 508


hello-time

Syntax
    hello-time seconds;

Hierarchy Level
    [edit protocols mstp],
    [edit protocols rstp],
    [edit protocols stp],
    [edit protocols vstp vlan vlan-id]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.
    Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
    For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify the time interval at which the root bridge transmits configuration BPDUs.

Default
    2 seconds

Options
    seconds: Number of seconds between transmissions of configuration BPDUs.
    Range: 1 through 10 seconds
    Default: 2 seconds

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Understanding MSTP for EX Series Switches on page 573
    Understanding STP for EX Series Switches on page 571
    Understanding VSTP for EX Series Switches on page 574
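The bridge-priority, cost, edge, forward-delay and hello-time statements documented above are normally set together when a switch is made the intended root of a spanning tree. The configuration below is an added example, not taken from this guide or from any Juniper example. The interface names, the cost values, and the k-suffix notation for the priority (4k standing for 4096) are assumptions; the page gives the priority range as 0 through 61,440 in steps of 4096.

```junos
/* Added example (not from the guide): pinning the RSTP root bridge and
   steering the topology with port costs. Interface names and values are
   assumed. */
protocols {
    rstp {
        /* The lowest priority wins the root election. 4k (4096) on the
           intended root, with the default 32,768 left on every other
           switch, makes the root deterministic rather than whichever bridge
           happens to have the lowest MAC address. */
        bridge-priority 4k;
        /* Timers: keep the defaults explicit so a later change is visible
           in the configuration diff. */
        hello-time 2;
        forward-delay 15;
        /* Prefer the 10-Gigabit uplink: a lower cost than the 1-Gigabit one
           makes it the root port on the downstream switch. */
        interface xe-0/1/0 {
            cost 2000;
        }
        interface ge-0/0/47 {
            cost 20000;
        }
        /* Host-facing port: goes straight to forwarding and never takes
           part in the root election. */
        interface ge-0/0/1 {
            edge;
        }
    }
}
```

Costs only need to be ordered correctly relative to each other; the absolute values here are illustrative and must stay inside the documented range of 1 through 200,000,000. show spanning-tree bridge, listed under Related Topics, shows which bridge actually won the election after the commit.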


instance-type

Syntax
    instance-type virtual-router;

Hierarchy Level
    [edit routing-instances]

Release Information
    Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description
    Specify the type of routing instance.

Options
    virtual-router: A logical entity.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches on page 538
    Configuring Virtual Routing Instances (CLI Procedure) on page 552

interface

Syntax
    interface (all | [interface-name]);

Hierarchy Level
    [edit ethernet-switching-options bpdu-block]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Apply BPDU protection to all interfaces or one or more interfaces.

Options
    all: All interfaces.
    interface-name: Name of a Gigabit Ethernet interface.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show spanning-tree bridge
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
    Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches on page 619
    Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574


interface

Syntax
    interface (all | [interface-name]) {
        <enable | disable>;
    }

Hierarchy Level
    [edit protocols gvrp]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Configure GARP VLAN Registration Protocol (GVRP) for one or more interfaces.

Default
    By default, GVRP is disabled.

Options
    all: All interfaces.
    interface-name: The list of interfaces to be configured for GVRP.
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show gvrp
    Example: Configure Automatic VLAN Administration Using GVRP on page 508


interface

Syntax
    interface interface-name <primary>;
    interface interface-name;

Hierarchy Level
    [edit ethernet-switching-options redundant-trunk-group group-name name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over as the primary link without waiting for normal STP convergence.

Options
    interface interface-name: A logical interface or an aggregated interface containing multiple ports.
    primary: (Optional) Specify one of the interfaces in the redundant group as the primary link. The interface without this option is the secondary link in the redundant group. If a link is not specified as primary, the software compares the two links and selects the link with the highest port number as the active link. For example, if the two interfaces are ge-0/1/0 and ge-0/1/1, the software assigns ge-0/1/1 as the active link.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Redundant Trunk Links for Faster Recovery on page 523
    Understanding Redundant Trunk Links on EX Series Switches on page 473
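The group-name and interface statements for a redundant trunk group, as described above, look like this on an access switch with two uplinks. This is an added example, not taken from this guide or from any Juniper example. The group name, the interface names, and the brace form of the primary flag (written as show configuration would display it, rather than the inline <primary> shorthand of the syntax line) are assumptions; disabling RSTP on the two uplinks uses the disable statement documented earlier on this page and reflects a design choice to let the redundant trunk group, not spanning tree, own the failover on those ports.

```junos
/* Added example (not from the guide): redundant trunk group with an explicit
   primary. Names are assumed. */
ethernet-switching-options {
    redundant-trunk-group {
        group-name uplink-rtg {
            /* ge-0/1/0 carries traffic; ge-0/1/1 stays idle until ge-0/1/0
               fails. Without "primary" the higher-numbered port, ge-0/1/1,
               would be chosen as the active link. */
            interface ge-0/1/0.0 {
                primary;
            }
            interface ge-0/1/1.0;
        }
    }
}
protocols {
    rstp {
        /* Failover is handled by the redundant trunk group on these two
           ports, so spanning tree is taken off them. */
        interface ge-0/1/0 {
            disable;
        }
        interface ge-0/1/1 {
            disable;
        }
    }
}
```

Marking the primary explicitly is the safer habit: relying on the highest-port-number rule means a later re-cabling silently changes which uplink is active.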


interface

Syntax
    interface (all | interface-name) {
        bandwidth bandwidth;
        no-broadcast;
        no-unknown-unicast;
    }

Hierarchy Level
    [edit ethernet-switching-options storm-control]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Apply storm control to all interfaces or to the specified interface.

Default
    Storm control is enabled on all switch interfaces at a level of 50 percent of the combined broadcast and unknown unicast streams.

Options
    all: Apply storm control to all interfaces.
    interface-name: Apply storm control to the specified interface.
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527
    Understanding Storm Control on EX Series Switches on page 475

Chapter 37: Configuration Statements for Bridging, VLANs, and Spanning Trees

interface

Syntax

interface interface-name {
    disable;
    cost cost;
    edge;
    mode mode;
    no-root-port;
    priority priority;
}

Hierarchy Level

[edit protocols mstp],
[edit protocols mstp msti],
[edit protocols rstp],
[edit protocols stp],
[edit protocols vstp vlan vlan-id]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure an interface.

Options

interface-name: Name of a Gigabit Ethernet interface.
The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
Understanding MSTP for EX Series Switches on page 573
Understanding RSTP for EX Series Switches on page 572
Understanding STP for EX Series Switches on page 571
Understanding VSTP for EX Series Switches on page 574

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

interface
Syntax
Hierarchy Level
Release Information
Description
Required Privilege Level
Related Topics

682

interface

interface interface-name;
[edit ethernet-switching-options unknown-unicast-forwarding vlan(all|vlan-name)]

Statement introduced in JUNOS Release 9.3 for EX Series switches.


Specify the interface to which unknown unicast packets will be forwarded.
routingTo view this statement in the configuration.
routing-controlTo add this statement to the configuration.

show vlans

show ethernet-switching table

Configuring Unknown Unicast Forwarding (CLI Procedure) on page 555

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

interfaces

Syntax

interfaces interface-name {
    no-mac-learning;
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Configure settings for interfaces that have been assigned to family ethernet-switching.

Options

interface-name: Name of an interface that is configured for family ethernet-switching.
The remaining statement is explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

join-timer

Syntax

join-timer milliseconds;

Hierarchy Level

[edit protocols gvrp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For GARP VLAN Registration Protocol (GVRP), configure the maximum number of milliseconds interfaces must wait before sending VLAN advertisements.

Default

20 milliseconds

Options

milliseconds: Number of milliseconds.
    Default: 20 milliseconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show gvrp
Example: Configure Automatic VLAN Administration Using GVRP on page 508

l3-interface

Syntax

l3-interface vlan.logical-interface-number;

Hierarchy Level

[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk ports to allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed.

Default

No Layer 3 (routing) interface is associated with the VLAN.

Options

vlan.logical-interface-number: Number of the logical interface defined with a set interfaces vlan unit command. For the logical interface number, use the same number you configure in the unit statement.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show ethernet-switching interfaces
show vlans
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Understanding Bridging and VLANs on EX Series Switches on page 467

leaveall-timer

Syntax

leaveall-timer milliseconds;

Hierarchy Level

[edit protocols gvrp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For GARP VLAN Registration Protocol (GVRP), configure the interval at which Leave All messages are sent on the interfaces. Leave All messages maintain current GVRP VLAN membership information in the network. A Leave All message instructs the port to change the GVRP state for all its VLANs to a leaving state and remove them unless a Join message is received before the leave timer expires.

Default

1000 centiseconds

Options

milliseconds: Number of milliseconds.
    Range: 5 times leave-timer value
    Default: 1000 centiseconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show gvrp
Example: Configure Automatic VLAN Administration Using GVRP on page 508

leave-timer

Syntax

leave-timer milliseconds;

Hierarchy Level

[edit protocols gvrp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For GARP VLAN Registration Protocol (GVRP), configure the number of milliseconds an interface waits after receiving a leave message before the interface leaves the VLAN specified in the message. If the interface receives a join message before the timer expires, the software keeps the interface in the VLAN.

Default

60 centiseconds

Options

milliseconds: Number of milliseconds. At a minimum, the leave timer interval should be twice the join timer interval.
    Default: 60 centiseconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show gvrp
Example: Configure Automatic VLAN Administration Using GVRP on page 508
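The three GVRP timers (join-timer, leave-timer and leaveall-timer) are meant to be set together: the leave timer should be at least twice the join timer, and the Leave All interval is expressed as five times the leave timer. The stanza below is an added configuration example, not taken from this guide. The timer values are assumptions chosen to satisfy those relationships, and interface all is the GVRP interface statement documented elsewhere in this guide, not on this page.

```junos
# Added example (not from this guide): GVRP timers on an EX Series switch.
# Values are assumptions chosen so that
#   leave-timer    >= 2 x join-timer
#   leaveall-timer  = 5 x leave-timer
protocols {
    gvrp {
        # Enable GVRP on every interface. Replace "all" with the trunk
        # interfaces that face other switches if access ports must never
        # exchange VLAN registrations.
        interface all;
        # Maximum wait before an interface sends VLAN advertisements
        join-timer 200;
        # Wait after a Leave before the VLAN is withdrawn (2 x join-timer,
        # so a Join arriving in time keeps the interface in the VLAN)
        leave-timer 600;
        # Interval for Leave All messages (5 x leave-timer)
        leaveall-timer 3000;
    }
}
```

After committing, show gvrp (listed under Related Topics) reports the timers in effect per interface, which is the quickest way to confirm that every switch in the domain agrees on them.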

mac-limit

Syntax

mac-limit number;

Hierarchy Level

[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the number of MAC addresses allowed on a VLAN.

Default

MAC limit is disabled.

Options

number: Maximum number of MAC addresses.
    Range: 1 through 32768

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show vlans
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Configuring MAC Table Aging (CLI Procedure) on page 553
Understanding Bridging and VLANs on EX Series Switches on page 467

mac-table-aging-time

Syntax

mac-table-aging-time seconds;

Hierarchy Level

[edit ethernet-switching-options],
[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to include [edit ethernet-switching-options] hierarchy level.

Description

Define how long entries remain in the Ethernet switching table before expiring:
- If you specify this statement at the [edit ethernet-switching-options] hierarchy level, it applies to all VLANs on the switch.
- If you specify this statement at the [edit vlans] hierarchy level, it applies to the specified VLAN.

Default

Entries remain in the Ethernet switching table for 300 seconds.

Options

seconds: Time that entries remain in the Ethernet switching table before being removed.
    Range: 60 through 1,000,000 seconds
    Default: 300 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show ethernet-switching statistics aging
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Configuring MAC Table Aging (CLI Procedure) on page 553
Configuring VLANs for EX Series Switches (CLI Procedure) on page 546
Understanding Bridging and VLANs on EX Series Switches on page 467

max-age

Syntax

max-age seconds;

Hierarchy Level

[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp],
[edit protocols vstp vlan vlan-id]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify the maximum age of received protocol BPDUs.

Default

20 seconds

Options

seconds: The maximum age of received protocol BPDUs.
    Range: 6 through 40 seconds
    Default: 20 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
Understanding MSTP for EX Series Switches on page 573
Understanding STP for EX Series Switches on page 571
Understanding VSTP for EX Series Switches on page 574

max-hops

Syntax

max-hops hops;

Hierarchy Level

[edit protocols mstp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For Multiple Spanning Tree Protocol (MSTP), configure the maximum number of hops a BPDU can be forwarded in the MSTP region.

Default

20 hops

Options

hops: Number of hops the BPDU can be forwarded.
    Range: 1 through 255 hops
    Default: 20 hops

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Understanding MSTP for EX Series Switches on page 573

members

Syntax

members [ (all | names | vlan-ids) ];

Hierarchy Level

[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Statement updated with enhanced ? (CLI completion feature) functionality in JUNOS Release 9.5 for EX Series switches.

Description

For trunk interfaces, configure the VLANs for which the interface can carry traffic.

TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range.

Options

all: Specifies that this trunk interface is a member of all the VLANs that are configured on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.

NOTE: Each VLAN that is configured must have a specified VLAN ID when you attempt to commit the configuration; otherwise, the configuration commit fails. Also, all cannot be the name of a VLAN on the switch.

names: Name of one or more VLANs.

vlan-ids: Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify a range; for example, 10-20 or 10-20 23 27-30.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

show ethernet-switching interfaces
show vlans
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Example: Connecting an Access Switch to a Distribution Switch on page 498
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
Creating a Series of Tagged VLANs (CLI Procedure) on page 549
Understanding Bridging and VLANs on EX Series Switches on page 467
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos96/index.html

mode

Syntax

mode mode;

Hierarchy Level

[edit protocols mstp interface (all | interface-name)],
[edit protocols mstp msti msti-id interface interface-name],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)],
[edit protocols vstp vlan vlan-id interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure the link mode to identify point-to-point links.

Default

For a full-duplex link, the default link mode is point-to-point. For a half-duplex link, the default link mode is shared.

Options

mode: Link mode:
    point-to-point: Link is point to point.
    shared: Link is shared media.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
Understanding MSTP for EX Series Switches on page 573
Understanding STP for EX Series Switches on page 571
Understanding VSTP for EX Series Switches on page 574

msti

Syntax

msti msti-id {
    vlan (vlan-id | vlan-name);
    interface interface-name {
        disable;
        cost cost;
        priority priority;
    }
}

Hierarchy Level

[edit protocols mstp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the Multiple Spanning Tree Instance (MSTI) identifier for Multiple Spanning Tree Protocol (MSTP). MSTI IDs are local to each region, so you can reuse the same MSTI ID in different regions.

Default

MSTI is disabled.

Options

msti-id: MSTI identifier.
    Range: 1 through 4094. The Common Instance Spanning Tree (CIST) is always MSTI 0.
The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Understanding MSTP for EX Series Switches on page 573

mstp

Syntax

mstp {
    disable;
    bpdu-block-on-edge;
    bridge-priority priority;
    configuration-name name;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        bpdu-timeout-action {
            block;
            alarm;
        }
        disable;
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    max-hops hops;
    msti msti-id {
        vlan (vlan-id | vlan-name);
        interface interface-name {
            disable;
            cost cost;
            priority priority;
        }
    }
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
    revision-level revision-level;
}

Hierarchy Level

[edit protocols]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure Multiple Spanning Tree Protocol (MSTP). MSTP is defined in the IEEE 802.1Q-2003 specification and is used to create a loop-free topology in networks with multiple spanning tree regions.
The statements are explained separately.

Default

MSTP is disabled.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Understanding MSTP for EX Series Switches on page 573
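As an added example that is not from this guide, the following mstp stanza combines the statements described above (configuration-name, revision-level, max-age, max-hops, bridge-priority, msti, and the per-interface cost, mode and priority) into one region with two instances. The region name, VLAN IDs, interface names and the numeric values are assumptions; every switch that is meant to be in the same region must carry the same configuration-name, revision-level and VLAN-to-MSTI mapping, otherwise it forms a region of its own.

```junos
# Added example (not from this guide): one MSTP region, two instances.
# Region name, VLAN IDs, interface names and values are assumptions.
protocols {
    mstp {
        # Region identity: must match on every switch in the region
        configuration-name region-A;
        revision-level 1;
        # BPDU hop budget inside the region (range 1 through 255, default 20)
        max-hops 20;
        # Maximum age of received BPDUs in seconds (range 6 through 40)
        max-age 20;
        # CIST bridge priority in increments of 4096; 4k makes this switch
        # the preferred CIST root over switches left at the default
        bridge-priority 4k;
        # Inter-switch links: full-duplex, so point-to-point mode lets RSTP-style
        # rapid transitions apply
        interface ge-0/0/10.0 {
            cost 2000;
            mode point-to-point;
        }
        interface ge-0/0/11.0 {
            cost 2000;
            mode point-to-point;
        }
        # Instance 1 carries VLANs 10 and 20 and prefers ge-0/0/10.0
        # (lower interface priority wins; value must be a multiple of 16)
        msti 1 {
            vlan [ 10 20 ];
            interface ge-0/0/10.0 {
                priority 64;
            }
        }
        # Instance 2 carries VLAN 30 and prefers the other link, so the two
        # links share the load instead of one idling as a blocked port
        msti 2 {
            vlan 30;
            interface ge-0/0/11.0 {
                priority 64;
            }
        }
    }
}
```

show spanning-tree bridge confirms the region name and revision, and show spanning-tree interface shows, per MSTI, which port is root and which is blocked; if two switches that should share a region show different region names, the mapping or name above differs between them.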

native-vlan-id

Syntax

native-vlan-id vlan-id;

Hierarchy Level

[edit interfaces ge-fpc/chassis/port unit 0 family ethernet-switching]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the VLAN identifier to associate with untagged packets received on the interface.

Options

vlan-id: Numeric identifier of the VLAN.
    Range: 0 through 4095

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show vlans
show ethernet-switching interfaces
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html
Understanding Bridging and VLANs on EX Series Switches on page 467

no-broadcast

Syntax

no-broadcast;

Hierarchy Level

[edit ethernet-switching-options storm-control interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.1 for EX Series switches.
Statement deprecated in JUNOS Release 9.4 for EX Series switches.

NOTE: If you configure this statement, it has no effect. This statement has been deprecated and might be removed from future product releases.

Description

For interfaces configured for storm control, disable broadcast traffic storm control on the interface.

Default

When storm control is enabled on an interface, it is enabled for both unknown unicast traffic and broadcast traffic.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527
Understanding Storm Control on EX Series Switches on page 475

no-local-switching

Syntax

no-local-switching;

Hierarchy Level

[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description

Specify that access ports in this VLAN domain do not forward packets to each other. You use this statement with primary VLANs and isolated secondary VLANs.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring a Private VLAN on an EX Series Switch on page 533
Creating a Private VLAN (CLI Procedure) on page 550

no-mac-learning

Syntax

no-mac-learning;

Hierarchy Level

[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Disables MAC address learning for the specified VLAN.

Options

There are no options to this statement.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Configuring Q-in-Q Tunneling (CLI Procedure) on page 551
Understanding Q-in-Q Tunneling on EX Series Switches on page 477

no-mac-learning

Syntax

no-mac-learning;

Hierarchy Level

[edit ethernet-switching-options interfaces interface-name]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Disable MAC address learning for the specified interface. Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member.

Options

There are no options to this statement.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Understanding Q-in-Q Tunneling on EX Series Switches on page 477
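The two no-mac-learning statements, together with mac-limit and mac-table-aging-time earlier in this chapter, are the controls over what the switch admits into its Ethernet switching table: a bound on the number of learned addresses per VLAN, how quickly idle entries expire, and where learning is switched off altogether. The stanza below is an added example, not from this guide, showing the four statements side by side; the VLAN names, interface names and numeric values are assumptions.

```junos
# Added example (not from this guide): MAC table controls on one switch.
# VLAN names, interface names and values are assumptions.
ethernet-switching-options {
    # Global aging time for every VLAN (range 60 through 1,000,000 seconds,
    # default 300): idle entries leave the table after two minutes
    mac-table-aging-time 120;
    # Q-in-Q provider-facing interface: customer MAC addresses are not
    # learned here, so a burst of customer addresses cannot fill the table.
    # Applies to every VLAN this interface is a member of.
    interfaces ge-0/0/20.0 {
        no-mac-learning;
    }
}
vlans {
    staff {
        vlan-id 100;
        # Upper bound on learned addresses for this VLAN (range 1 through
        # 32768); size it to the hosts that are actually expected here
        mac-limit 200;
        # Per-VLAN override of the global aging time
        mac-table-aging-time 60;
    }
    provider-svlan {
        vlan-id 4000;
        # Service VLAN for Q-in-Q: bridge customer frames without learning
        # their source addresses
        no-mac-learning;
    }
}
```

With learning disabled, frames in the affected VLAN are flooded rather than forwarded to a learned port, so no-mac-learning belongs on the Q-in-Q service VLANs the Related Topics point to, not on ordinary user VLANs; show ethernet-switching statistics aging and show vlans (listed with the earlier statements) show the aging behaviour and the per-VLAN limit in effect.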

no-root-port

Syntax

no-root-port;

Hierarchy Level

[edit protocols mstp interface (all | interface-name)],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)],
[edit protocols vstp vlan vlan-id interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.1 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description

Configure an interface to be a spanning tree designated port. If the bridge receives superior STP bridge protocol data units (BPDUs) on a root-protected interface, that interface transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. When the bridge stops receiving superior STP BPDUs on the root-protected interface, interface traffic is no longer blocked.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX Series Switches on page 628
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
Understanding VSTP for EX Series Switches on page 574
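Root protection is for ports that must stay designated no matter what arrives on them. As an added example that is not from this guide, the following rstp stanza applies no-root-port to the ports of a distribution switch that face access switches, while the uplink toward the intended root keeps a low interface priority so that it is the root port whenever a choice exists. Interface names and values are assumptions.

```junos
# Added example (not from this guide): RSTP root protection on a
# distribution switch. Interface names and values are assumptions.
protocols {
    rstp {
        # Uplink toward the core switch that is intended to be the root.
        # Interface priority 32 (multiple of 16, range 0 through 240) makes
        # this the preferred root port if an alternate path exists.
        interface ge-0/0/0.0 {
            mode point-to-point;
            priority 32;
        }
        # Ports toward access switches: they must remain designated.
        # If a superior BPDU arrives here (for example from a switch that
        # was connected with a lower bridge ID), the port enters the
        # root-prevented state and is blocked instead of the network
        # re-electing its root through an access port. It unblocks on its
        # own once the superior BPDUs stop.
        interface ge-0/0/1.0 {
            mode point-to-point;
            no-root-port;
        }
        interface ge-0/0/2.0 {
            mode point-to-point;
            no-root-port;
        }
    }
}
```

show spanning-tree interface is the check: a root-protected port that is receiving superior BPDUs is reported in the root-prevented state, which is the signal to go and find the device sending them rather than to remove the protection.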

no-unknown-unicast

Syntax

no-unknown-unicast;

Hierarchy Level

[edit ethernet-switching-options storm-control interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.1 for EX Series switches.
Statement deprecated in JUNOS Release 9.4 for EX Series switches.

NOTE: If you configure this statement, it has no effect. This statement has been deprecated and might be removed from future product releases.

Description

For interfaces configured for storm control, disable unknown unicast traffic storm control on the interface.

Default

When storm control is enabled on an interface, it is enabled for both unknown unicast traffic and broadcast traffic.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527
Understanding Storm Control on EX Series Switches on page 475

port-mode

Syntax

port-mode mode;

Hierarchy Level

[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure whether an interface on the switch operates in access or trunk mode.

Default

All switch interfaces are in access mode.

Options

access: Have the interface operate in access mode. In this mode, the interface can be in a single VLAN only. Access interfaces typically connect to network devices such as PCs, printers, IP telephones, and IP cameras.

trunk: Have the interface operate in trunk mode. In this mode, the interface can be in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html
Example: Connecting an Access Switch to a Distribution Switch on page 498
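The port-mode, members, native-vlan-id and l3-interface statements described in this chapter are normally configured together: access ports in one VLAN, a trunk carrying an explicit list of VLANs, a native VLAN for whatever arrives untagged on the trunk, and a routed VLAN interface for traffic that crosses VLANs. The configuration below is an added example, not from this guide; the VLAN names and IDs, interface names and the address are assumptions.

```junos
# Added example (not from this guide): access port, trunk port, native VLAN
# and a routed VLAN interface. Names, IDs and the address are assumptions.
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                # Default mode, written out for clarity: one VLAN only
                port-mode access;
                vlan {
                    members staff;
                }
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                # Uplink to the distribution switch
                port-mode trunk;
                vlan {
                    # An explicit list rather than "all": a VLAN created later
                    # is not carried over this trunk until someone adds it here
                    members [ staff guest ];
                }
                # Untagged frames arriving on the trunk are placed in VLAN 999,
                # a VLAN with no access ports, rather than in a user VLAN
                native-vlan-id 999;
            }
        }
    }
    vlan {
        # Routed interface for the staff VLAN; the unit number is the one
        # referenced by l3-interface below
        unit 100 {
            family inet {
                address 10.1.100.1/24;
            }
        }
    }
}
vlans {
    staff {
        vlan-id 100;
        # Must match "unit 100" under interfaces vlan
        l3-interface vlan.100;
    }
    guest {
        vlan-id 200;
    }
    native-unused {
        # Exists only so that the native VLAN ID on the trunk is defined;
        # no access port is a member
        vlan-id 999;
    }
}
```

show ethernet-switching interfaces and show vlans (both listed under Related Topics for these statements) show each port's mode, the VLANs it carries, and the routed interface attached to each VLAN, which is enough to verify that the trunk carries exactly the listed VLANs and that untagged frames land where intended.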

primary-vlan

Syntax

primary-vlan vlan-name;

Hierarchy Level

[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.3 for EX Series switches.
Statement updated with enhanced ? (CLI completion feature) functionality in JUNOS Release 9.5 for EX Series switches.

Description

Configure the primary VLAN for this community VLAN. The primary VLAN must be tagged, and the community VLAN must be untagged.

TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring a Private VLAN on an EX Series Switch on page 533
Creating a Private VLAN (CLI Procedure) on page 550
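As an added example that is not from this guide, the following shows primary-vlan together with no-local-switching (described earlier in this chapter): a tagged primary VLAN whose access ports cannot reach each other, and one untagged community VLAN whose ports can reach each other and the primary VLAN. VLAN names and interface numbers are assumptions, and the interface statement under vlans is the VLAN membership statement documented elsewhere in this guide, not on this page.

```junos
# Added example (not from this guide): a private VLAN on one switch.
# VLAN names and interface numbers are assumptions.
vlans {
    pvlan {
        # Primary VLAN: must be tagged
        vlan-id 100;
        interface {
            # Isolated access ports: members of the primary VLAN only
            ge-0/0/0.0;
            ge-0/0/1.0;
            # Trunk toward the router or upstream switch
            ge-0/0/23.0;
        }
        # Access ports in this VLAN domain do not forward packets to each
        # other, so the two isolated hosts above can reach the uplink but
        # not one another
        no-local-switching;
    }
    community1 {
        # Community VLAN: untagged (no vlan-id); its ports may talk to each
        # other and to the primary VLAN
        interface {
            ge-0/0/5.0;
            ge-0/0/6.0;
        }
        primary-vlan pvlan;
    }
}
```

A community VLAN that is given a vlan-id, or a primary VLAN without one, violates the tagged/untagged requirement stated in the Description, so a commit that fails after adding these stanzas is worth checking against that rule first.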

priority

Syntax

priority priority;

Hierarchy Level

[edit protocols mstp interface (all | interface-name)],
[edit protocols mstp msti msti-id interface interface-name],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)],
[edit protocols vstp vlan vlan-id interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify the interface priority to control which interface is elected as the root port.

Default

The default value is 128.

Options

priority: Interface priority. The interface priority must be set in increments of 16.
    Range: 0 through 240

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
Understanding MSTP for EX Series Switches on page 573
Understanding STP for EX Series Switches on page 571
Understanding VSTP for EX Series Switches on page 574

redundant-trunk-group

Syntax

redundant-trunk-group {
    group-name name {
        interface interface-name <primary>;
        interface interface-name;
    }
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over without waiting for normal STP convergence.

Options

The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Redundant Trunk Links for Faster Recovery on page 523
Understanding Redundant Trunk Links on EX Series Switches on page 473
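An added example, not from this guide, of the redundant-trunk-group statement on an access switch with two trunk uplinks; the group name, interface names and VLAN list are assumptions. The rstp interface disable statements reflect that spanning tree and a redundant trunk group are not run together on the same links (the group does its own failover, as the Description says, without waiting for STP); confirm the exact prerequisite in the example on page 523 before applying.

```junos
# Added example (not from this guide): redundant trunk group on an access
# switch. Group name, interface names and VLAN list are assumptions.
interfaces {
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ staff guest ];
                }
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ staff guest ];
                }
            }
        }
    }
}
ethernet-switching-options {
    redundant-trunk-group {
        group-name rtg-uplinks {
            # Primary link: carries traffic while it is up
            interface ge-0/0/22.0 primary;
            # Secondary link: takes over when the primary fails, without
            # waiting for STP convergence
            interface ge-0/0/23.0;
        }
    }
}
protocols {
    rstp {
        # Assumption: spanning tree is not run on the RTG member links;
        # check the example on page 523 for the exact requirement
        interface ge-0/0/22.0 {
            disable;
        }
        interface ge-0/0/23.0 {
            disable;
        }
    }
}
```

Without the primary keyword the software picks the higher-numbered port as the active link (ge-0/0/23.0 here), so the keyword is what makes the choice explicit and reviewable.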

routing-instances

Syntax

routing-instances routing-instance-name {
    instance-type virtual-router;
    interface interface-name;
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description

Configure a virtual routing entity.

Options

routing-instance-name: Name for this routing instance.
The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches on page 538
Configuring Virtual Routing Instances (CLI Procedure) on page 552
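An added example, not from this guide, of two virtual-router instances that keep the routed VLAN interfaces of two tenants in separate routing tables: VLANs inside one instance can route to each other, VLANs in different instances cannot, because neither table holds a route to the other. Instance names, VLAN names and IDs, and the addresses are assumptions.

```junos
# Added example (not from this guide): per-tenant virtual routers.
# Instance names, VLAN names and IDs, and addresses are assumptions.
routing-instances {
    tenant-a {
        instance-type virtual-router;
        # Both tenant-a VLAN interfaces share one routing table
        interface vlan.10;
        interface vlan.20;
    }
    tenant-b {
        instance-type virtual-router;
        # tenant-b has its own table: no route to vlan.10 or vlan.20 exists here
        interface vlan.30;
    }
}
interfaces {
    vlan {
        unit 10 {
            family inet {
                address 10.10.0.1/24;
            }
        }
        unit 20 {
            family inet {
                address 10.20.0.1/24;
            }
        }
        unit 30 {
            family inet {
                address 10.30.0.1/24;
            }
        }
    }
}
vlans {
    a-users {
        vlan-id 10;
        l3-interface vlan.10;
    }
    a-servers {
        vlan-id 20;
        l3-interface vlan.20;
    }
    b-users {
        vlan-id 30;
        l3-interface vlan.30;
    }
}
```

A routed VLAN interface that is listed under no instance stays in the main routing table, so when a new VLAN is added it should be placed into the right instance in the same change; otherwise it is reachable from, and can reach, everything in the default table.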

rstp

Syntax

rstp {
    disable;
    bpdu-block-on-edge;
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        bpdu-timeout-action {
            block;
            alarm;
        }
        disable;
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
}

Hierarchy Level

[edit protocols]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure Rapid Spanning Tree Protocol (RSTP). RSTP is defined in the IEEE 802.1D-2004 specification and is used to prevent loops in Layer 2 networks, providing shorter convergence times than those provided with basic STP.
The statements are explained separately.

Default

RSTP is enabled on all Ethernet switching interfaces.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge
show spanning-tree interface
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
Understanding RSTP for EX Series Switches on page 572

Chapter 37: Configuration Statements for Bridging, VLANs, and Spanning Trees

storm-control

Syntax
  storm-control {
    action-shutdown;
    interface (all | interface-name) {
      bandwidth bandwidth;
      no-broadcast;
      no-unknown-unicast;
    }
  }

Hierarchy Level
  [edit ethernet-switching-options]

Release Information
  Statement introduced in JUNOS Release 9.1 for EX Series switches.
  Option action-shutdown introduced in JUNOS Release 9.6 for EX Series switches.

Description
  Apply storm control to all interfaces or to the specified interfaces.
  The statements are explained separately.

Default
  By default, storm control is enabled on all switch interfaces at a level of 50 percent of the combined broadcast and unknown unicast streams. You can change the storm control level either by configuring it as a bandwidth value for the combined broadcast and unknown unicast traffic streams or by configuring it as a percentage of the combined broadcast and unknown unicast streams.
  When you configure storm control bandwidth on an aggregated Ethernet interface, each member of the aggregated Ethernet interface is set with that bandwidth. For example, if you configure 15000 Kbps on ae1, and ae1 has two members, ge-0/0/0 and ge-0/0/1, each member is allowed a bandwidth level of 15000 Kbps. Thus, the storm control bandwidth on ae1 could be up to 30000 Kbps of combined broadcast and unknown unicast traffic streams.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527
  Understanding Storm Control on EX Series Switches on page 475

stp

Syntax
  stp {
    disable;
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
      disable;
      bpdu-timeout-action {
        block;
        alarm;
      }
      cost cost;
      edge;
      mode mode;
      no-root-port;
      priority priority;
    }
    max-age seconds;
    traceoptions {
      file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
      flag flag;
    }
  }

Hierarchy Level
  [edit protocols]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  When you explicitly configure STP, the EX Series switches use the IEEE 802.1D-2004 specification, force version 0. This configuration runs a version of RSTP that is compatible with the classic, basic STP (defined in the IEEE 802.1D-1998 specification).
  The remaining statements are explained separately.

Default
  STP is disabled; by default, RSTP is enabled on all Ethernet switching ports.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  show spanning-tree bridge
  show spanning-tree interface
  Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX Series Switches on page 615
  Configuring STP (CLI Procedure) on page 635
  Understanding STP for EX Series Switches on page 571

traceoptions

Syntax
  traceoptions {
    file name <replace> <size size> <files number> <no-stamp> <(world-readable | no-world-readable)>;
    flag flag <flag-modifier> <disable>;
  }

Hierarchy Level
  [edit protocols mstp],
  [edit protocols rstp],
  [edit protocols stp],
  [edit protocols vstp vlan vlan-id]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.
  Statement updated in JUNOS Release 9.4 for EX Series switches to add VSTP support.

Description
  Set STP protocol-level tracing options.

Default
  Traceoptions is disabled.

Options
  disable: (Optional) Disable the tracing operation. One use of this option is to disable a single operation when you have defined a broad group of tracing operations, such as all.

  file name: Name of the file to receive the output of the tracing operation. Enclose the name in quotation marks. We recommend that you place STP tracing output in the file /var/log/stp-log.

  files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten.
    If you specify a maximum number of files, you must also specify a maximum file size with the size option.
    Range: 2 through 1000 files
    Default: 1 trace file only

  flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. These are the STP-specific tracing options:
    all: Trace all operations.
    all-failures: Trace all failure conditions.
    bpdu: Trace BPDU reception and transmission.
    bridge-detection-state-machine: Trace the bridge detection state machine.
    events: Trace events of the protocol state machine.
    port-information-state-machine: Trace the port information state machine.
    port-migration-state-machine: Trace the port migration state machine.
    port-receive-state-machine: Trace the port receive state machine.
    port-role-select-state-machine: Trace the port role selection state machine.
    port-role-transit-state-machine: Trace the port role transit state machine.
    port-transmit-state-machine: Trace the port transmit state machine.
    port-state-transit-state-machine: Trace the port state transit state machine.
    ppmd: Trace the state and events for the ppmd process.
    state-machine-variables: Trace when the state machine variables change.
    timers: Trace protocol timers.
    topology-change-state-machine: Trace the topology change state machine.
  The following are the global tracing options:
    all: All tracing operations.
    config-internal: Trace configuration internals.
    general: Trace general events.
    normal: All normal events.
      Default: If you do not specify this option, only unusual or abnormal operations are traced.
    parse: Trace configuration parsing.
    policy: Trace policy operations and actions.
    regex-parse: Trace regular-expression parsing.
    route: Trace routing table changes.
    state: Trace state transitions.
    task: Trace protocol task processing.
    timer: Trace protocol task timer processing.

  no-stamp: (Optional) Do not place timestamp information at the beginning of each line in the trace file.
    Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output.

  no-world-readable: (Optional) Prevent any user from reading the log file.

  replace: (Optional) Replace an existing trace file if there is one.
    Default: If you do not include this option, tracing output is appended to an existing trace file.

  size size: (Optional) Maximum size of each trace file, in kilobytes (KB) or megabytes (MB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
    If you specify a maximum file size, you must also specify a maximum number of trace files with the files option.
    Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
    Range: 10 KB through the maximum file size supported on your system
    Default: 1 MB

  world-readable: (Optional) Allow any user to read the log file.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  show spanning-tree bridge
  show spanning-tree interface
  Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
  Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 579
  Understanding MSTP for EX Series Switches on page 573
  Understanding RSTP for EX Series Switches on page 572
  Understanding STP for EX Series Switches on page 571
  Understanding VSTP for EX Series Switches on page 574

unknown-unicast-forwarding

Syntax
  unknown-unicast-forwarding {
    vlan (all | vlan-name) {
      interface interface-name;
    }
  }

Hierarchy Level
  [edit ethernet-switching-options]

Release Information
  Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
  Configure the switch to forward all unknown unicast packets in a VLAN or on all VLANs to a particular interface.
  NOTE: Before you can configure unknown unicast forwarding within a VLAN, you must first configure that VLAN.
  The remaining statements are explained separately.

Default
  Unknown unicast packets are flooded to all interfaces that belong to the same VLAN.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  show vlans
  show ethernet-switching table
  Configuring Unknown Unicast Forwarding (CLI Procedure) on page 555
  Understanding Unknown Unicast Forwarding on EX Series Switches on page 480


vlan

Syntax
  vlan {
    members [ (all | names | vlan-ids) ];
  }

Hierarchy Level
  [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  For Gigabit Ethernet and aggregated Ethernet interfaces, bind an 802.1Q VLAN tag ID to a logical interface.
  The statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Topics
  show ethernet-switching interfaces
  Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
  Configuring Routed VLAN Interfaces (CLI Procedure) on page 547
  Understanding Bridging and VLANs on EX Series Switches on page 467
  JUNOS Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


vlan

Syntax
  vlan (vlan-id | vlan-name) {
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
      bpdu-timeout-action {
        block;
        alarm;
      }
      cost cost;
      disable;
      edge;
      mode mode;
      no-root-port;
      priority priority;
    }
    max-age seconds;
    traceoptions {
      file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
      flag flag;
    }
  }

Hierarchy Level
  [edit protocols mstp msti msti-id],
  [edit protocols vstp]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.
  Statement updated with enhanced ? (CLI completion feature) functionality in JUNOS Release 9.5 for EX Series switches.

Description
  Configure the VLANs for a Multiple Spanning Tree Instance (MSTI).
  The remaining statements are explained separately.
  TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range.

Default
  Not enabled.

Options
  vlan-id: Numeric VLAN identifier.
  vlan-name: Name of the VLAN.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
  Understanding MSTP for EX Series Switches on page 573
  Understanding VSTP for EX Series Switches on page 574

vlan

Syntax
  vlan (all | vlan-name) {
    interface interface-name;
  }

Hierarchy Level
  [edit ethernet-switching-options unknown-unicast-forwarding]

Release Information
  Statement introduced in JUNOS Release 9.3 for EX Series switches.
  Statement updated with enhanced ? (CLI completion feature) functionality in JUNOS Release 9.5 for EX Series switches.

Description
  Specify a VLAN from which unknown unicast packets will be forwarded, or specify that the packets will be forwarded from all VLANs. Unknown unicast packets are forwarded from a VLAN to a specific trunk interface.
  The interface statement is explained separately.
  TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range.

Options
  all: All VLANs.
  vlan-name: Name of a VLAN.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  show vlans
  show ethernet-switching table
  Configuring Unknown Unicast Forwarding (CLI Procedure) on page 555
  Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 561
  Understanding Unknown Unicast Forwarding on EX Series Switches on page 480


vlan-id

Syntax
  vlan-id number;

Hierarchy Level
  [edit vlans vlan-name]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Configure an 802.1Q tag to apply to all traffic that originates on the VLAN.

Default
  If you use the default factory configuration, all traffic originating on the VLAN is untagged and has a VLAN identifier of 0.

Options
  number: VLAN tag identifier.
    Range: 0 through 4093.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
  Understanding Bridging and VLANs on EX Series Switches on page 467

vlan-range

Syntax
  vlan-range vlan-id-low-vlan-id-high;

Hierarchy Level
  [edit vlans vlan-name]

Release Information
  Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description
  Configure multiple VLANs. Each VLAN is assigned a VLAN ID number from the range.

Default
  None.

Options
  vlan-id-low-vlan-id-high: Specify the first and last VLAN ID number for the group of VLANs.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  Configuring VLANs for EX Series Switches (CLI Procedure) on page 546
  Configuring VLANs for EX Series Switches (J-Web Procedure) on page 543
  Configuring Routed VLAN Interfaces (CLI Procedure) on page 547
  Understanding Bridging and VLANs on EX Series Switches on page 467


vlans

Syntax
  vlans {
    vlan-name {
      description text-description;
      dot1q-tunneling {
        customer-vlans (id | range);
      }
      filter input filter-name;
      filter output filter-name;
      interface interface-name {
        mapping (policy | tag push | native push);
      }
      l3-interface vlan.logical-interface-number;
      mac-limit number;
      mac-table-aging-time seconds;
      no-local-switching;
      no-mac-learning;
      primary-vlan vlan-name;
      vlan-id number;
      vlan-range vlan-id-low-vlan-id-high;
    }
  }

Hierarchy Level
  [edit]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.
  Options dot1q-tunneling, no-local-switching, and primary-vlan introduced in JUNOS Release 9.3 for EX Series switches.
  Periods (.) in VLAN names introduced in JUNOS Release 9.4 for EX Series switches.
  Option no-mac-learning introduced in JUNOS Release 9.5 for EX Series switches.
  Option mapping introduced in JUNOS Release 9.6 for EX Series switches.

Description
  Configure VLAN properties on EX Series switches. The following configuration guidelines apply:
    Only private VLAN (PVLAN) firewall filters can be used when the VLAN is enabled for Q-in-Q tunneling.
    An S-VLAN tag is added to the packet if the VLAN is dot1q-tunneled and the packet is arriving from an access interface.
    You cannot use a firewall filter to assign a routed VLAN interface (RVI) to a VLAN.
    VLAN assignments performed using a firewall filter override all other VLAN assignments.

Default
  If you use the default factory configuration, all switch interfaces become part of the VLAN default.

Options
  vlan-name: Name of the VLAN. The name can contain letters, numbers, hyphens (-), and periods (.) and can be up to 255 characters long.
  The remaining statements are explained separately.

Required Privilege Level
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

Related Topics
  Configuring VLANs for EX Series Switches (CLI Procedure) on page 546
  Configuring VLANs for EX Series Switches (J-Web Procedure) on page 543
  Configuring Q-in-Q Tunneling (CLI Procedure) on page 551
  Creating a Series of Tagged VLANs (CLI Procedure) on page 549
  Configuring Routed VLAN Interfaces (CLI Procedure) on page 547
  Understanding Q-in-Q Tunneling on EX Series Switches on page 477
  Understanding Bridging and VLANs on EX Series Switches on page 467

Chapter 38
Operational Mode Commands for Bridging, VLANs, and Spanning Trees


clear ethernet-switching bpdu-error

Syntax
  clear ethernet-switching bpdu-error interface interface-name

Release Information
  Command introduced in JUNOS Release 9.1 for EX Series switches.

Description
  Clear bridge protocol data unit (BPDU) errors from an interface and unblock the interface.

Options
  interface-name: Clear BPDU errors on the specified interface.

Required Privilege Level
  clear

Related Topics
  show spanning-tree statistics
  Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574

List of Sample Output
  clear ethernet-switching bpdu-error interface ge-0/0/1.0 on page 718

Sample Output

clear ethernet-switching bpdu-error interface ge-0/0/1.0
  user@switch> clear ethernet-switching bpdu-error interface ge-0/0/1.0


clear gvrp statistics

Syntax
  clear gvrp statistics

Release Information
  Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Clear GARP VLAN Registration Protocol (GVRP) statistics.

Required Privilege Level
  clear

Related Topics
  show spanning-tree statistics
  Example: Configure Automatic VLAN Administration Using GVRP on page 508

List of Sample Output
  clear gvrp statistics on page 719

Sample Output

clear gvrp statistics
  user@switch> clear gvrp statistics


clear spanning-tree statistics

Syntax
  clear spanning-tree statistics
    <interface interface-name unit logical-unit-number>

Release Information
  Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Reset STP statistics for all interfaces or for a specified interface.

Options
  none: Reset STP counters for all interfaces.
  interface-name: (Optional) The name of the interface for which statistics should be reset.
  logical-unit-number: (Optional) The logical unit number of the interface.

Required Privilege Level
  clear

Related Topics
  show spanning-tree bridge
  show spanning-tree interface
  Understanding STP for EX Series Switches on page 571

List of Sample Output
  clear spanning-tree statistics on page 720

Output Fields
  This command produces no output.

Sample Output

clear spanning-tree statistics
  user@switch> clear spanning-tree statistics


show ethernet-switching interfaces

Syntax
  show ethernet-switching interfaces
    <brief | detail | summary>
    <interface interface-name>

Release Information
  Command introduced in JUNOS Release 9.0 for EX Series switches.
  In JUNOS Release 9.6 for EX Series switches, the following updates were made:
    Blocking field output updated.
    The default view updated to include information about 802.1Q tags.
    The detail view updated to include information about VLAN mapping.

Description
  Display information about switched Ethernet interfaces.

Options
  none: (Optional) Display brief information for Ethernet switching interfaces.
  brief | detail | summary: (Optional) Display the specified level of output.
  interface interface-name: (Optional) Display Ethernet switching information for a specific interface.

Required Privilege Level
  view

Related Topics
  show ethernet-switching mac-learning-log
  show ethernet-switching table
  Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

List of Sample Output
  show ethernet-switching interfaces on page 722
  show ethernet-switching interfaces ge-0/0/15 brief on page 723
  show ethernet-switching interfaces ge-0/0/2 detail (Blocked by RTG rtggroup) on page 723
  show ethernet-switching interfaces ge-0/0/15 detail (Blocked by STP) on page 723
  show ethernet-switching interfaces ge-0/0/17 detail (Disabled by bpdu-control) on page 723
  show ethernet-switching interfaces detail (C-VLAN to S-VLAN Mapping) on page 723

Output Fields
  Table 84 on page 721 lists the output fields for the show ethernet-switching interfaces command. Output fields are listed in the approximate order in which they appear.

Table 84: show ethernet-switching interfaces Output Fields
(Field Name: Field Description. Level of Output in parentheses.)

  Interface: Name of a switching interface. (All levels)
  State: Interface state. Values are up and down. (none, brief, detail, summary)
  VLAN members: Name of a VLAN. (none, brief, detail, summary)
  Tag: Number of the 802.1Q tag. (All levels)
  Tagging: Specifies whether the interface forwards 802.1Q-tagged or untagged traffic. (All levels)
  Blocking: The forwarding state of the interface. (none, brief, detail, summary)
    unblocked: Traffic is forwarded on the interface.
    blocked: Traffic is not being forwarded on the interface.
    Disabled by bpdu control: The interface is disabled due to receiving BPDUs on a protected interface. If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires.
    blocked by RTG: The specified redundant trunk group is disabled.
    blocked by STP: The interface is disabled due to a spanning tree protocol error.
    MAC limit exceeded: The interface is temporarily disabled due to a MAC limiting error. The disabled interface is automatically restored to service when the disable timeout expires.
    MAC move limit exceeded: The interface is temporarily disabled due to a MAC move limiting error. The disabled interface is automatically restored to service when the disable timeout expires.
    Storm control in effect: The interface is temporarily disabled due to a storm control error. The disabled interface is automatically restored to service when the disable timeout expires.
  Index: The VLAN index internal to JUNOS Software. (detail)
  mapping: The C-VLAN to S-VLAN mapping information. (detail)
    dot1q-tunneled: The interface maps all traffic to the S-VLAN (all-in-one bundling).
    native: The interface maps untagged and priority-tagged packets to the S-VLAN.
    push: The interface maps packets to a firewall filter to an S-VLAN.
    policy-mapped: The interface maps packets to a specifically defined S-VLAN.
    integer: The interface maps packets to the specified S-VLAN.

Sample Output

show ethernet-switching interfaces
  user@switch> show ethernet-switching interfaces
  Interface    State  VLAN members  Tag  Tagging   Blocking
  ae0.0        up     default            untagged  unblocked
  ge-0/0/2.0   up     vlan300       300  untagged  blocked by RTG (rtggroup)
  ge-0/0/3.0   up     default                      blocked by STP
  ge-0/0/4.0   down   default                      MAC limit exceeded
  ge-0/0/5.0   down   default                      MAC move limit exceeded
  ge-0/0/6.0   down   default                      Storm control in effect
  ge-0/0/7.0   down   default            untagged  unblocked
  ge-0/0/13.0  up     default                      unblocked
  ge-0/0/14.0  up     vlan100       100  tagged    unblocked
                      vlan200       200  tagged    unblocked
  ge-0/0/15.0  up     vlan100       100  tagged    blocked by STP
                      vlan200       200  tagged    blocked by STP
  ge-0/0/16.0  down   default            untagged  unblocked
  ge-0/0/17.0  down   vlan100       100  tagged    Disabled by bpdu-control
                      vlan200       200  tagged    Disabled by bpdu-control

show ethernet-switching interfaces ge-0/0/15 brief
  user@switch> show ethernet-switching interfaces ge-0/0/15 brief
  Interface    State  VLAN members  Tag  Tagging   Blocking
  ge-0/0/15.0  up     vlan100       100  tagged    blocked by STP
                      vlan200       200  tagged    blocked by STP

show ethernet-switching interfaces ge-0/0/2 detail (Blocked by RTG rtggroup)
  user@switch> show ethernet-switching interfaces ge-0/0/2 detail
  Interface: ge-0/0/2.0, Index: 65, State: up, Port mode: Access
  VLAN membership:
    vlan300, 802.1Q Tag: 300, untagged, msti-id: 0, blocked by RTG(rtggroup)
  Number of MACs learned on IFL: 0

show ethernet-switching interfaces ge-0/0/15 detail (Blocked by STP)
  user@switch> show ethernet-switching interfaces ge-0/0/15 detail
  Interface: ge-0/0/15.0, Index: 70, State: up, Port mode: Trunk
  VLAN membership:
    vlan100, 802.1Q Tag: 100, tagged, msti-id: 0, blocked by STP
    vlan200, 802.1Q Tag: 200, tagged, msti-id: 0, blocked by STP
  Number of MACs learned on IFL: 0

show ethernet-switching interfaces ge-0/0/17 detail (Disabled by bpdu-control)
  user@switch> show ethernet-switching interfaces ge-0/0/17 detail
  Interface: ge-0/0/17.0, Index: 71, State: down, Port mode: Trunk
  VLAN membership:
    vlan100, 802.1Q Tag: 100, tagged, msti-id: 1, Disabled by bpdu-control
    vlan200, 802.1Q Tag: 200, tagged, msti-id: 2, Disabled by bpdu-control
  Number of MACs learned on IFL: 0

show ethernet-switching interfaces detail (C-VLAN to S-VLAN Mapping)
  user@switch> show ethernet-switching interfaces ge-0/0/6.0 detail
  Interface: ge-0/0/6.0, Index: 73, State: up, Port mode: Access
  VLAN membership:
    map, 802.1Q Tag: 134, Mapped Tag: native, push, dot1q-tunneled, unblocked
    map, 802.1Q Tag: 134, Mapped Tag: 20, push, dot1q-tunneled, unblocked
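The Blocking values in Table 84 are what an operator scans for after a protective feature (BPDU protection, storm control, MAC limiting, a redundant trunk group) has acted on a port. The parser below is an added example, not part of the JUNOS documentation: it reads the detail output shown above and reports every VLAN membership whose Blocking value is one of those states. The PROTECTIVE_STATES table and the SAMPLE_DETAIL text are constructed here from Table 84 and the sample outputs on this page.

```python
"""Parse 'show ethernet-switching interfaces ... detail' output and report
VLAN memberships whose Blocking value shows a protective feature acted.

Added example; not part of the JUNOS documentation. SAMPLE_DETAIL is
constructed from the detail outputs shown in the manual."""
import re
from dataclasses import dataclass, field

# Blocking values from Table 84 that mean a feature blocked or disabled
# the interface, with the condition each one signals.
PROTECTIVE_STATES = {
    "Disabled by bpdu-control": "BPDU received on a protected interface",
    "blocked by RTG": "redundant trunk group link is disabled",
    "blocked by STP": "spanning tree blocking",
    "MAC limit exceeded": "MAC limiting threshold reached",
    "MAC move limit exceeded": "MAC move limiting threshold reached",
    "Storm control in effect": "storm control threshold reached",
}

SAMPLE_DETAIL = """\
Interface: ge-0/0/2.0, Index: 65, State: up, Port mode: Access
VLAN membership:
  vlan300, 802.1Q Tag: 300, untagged, msti-id: 0, blocked by RTG(rtggroup)
Number of MACs learned on IFL: 0

Interface: ge-0/0/15.0, Index: 70, State: up, Port mode: Trunk
VLAN membership:
  vlan100, 802.1Q Tag: 100, tagged, msti-id: 0, blocked by STP
  vlan200, 802.1Q Tag: 200, tagged, msti-id: 0, blocked by STP
Number of MACs learned on IFL: 0

Interface: ge-0/0/17.0, Index: 71, State: down, Port mode: Trunk
VLAN membership:
  vlan100, 802.1Q Tag: 100, tagged, msti-id: 1, Disabled by bpdu-control
  vlan200, 802.1Q Tag: 200, tagged, msti-id: 2, Disabled by bpdu-control
Number of MACs learned on IFL: 0

Interface: ge-0/0/6.0, Index: 73, State: up, Port mode: Access
VLAN membership:
  map, 802.1Q Tag: 134, Mapped Tag: native, push, dot1q-tunneled, unblocked
  map, 802.1Q Tag: 134, Mapped Tag: 20, push, dot1q-tunneled, unblocked
"""

_IF_RE = re.compile(r"^Interface: (?P<name>\S+), Index: (?P<index>\d+), "
                    r"State: (?P<state>\w+), Port mode: (?P<mode>\w+)$")
# A membership line starts "<vlan>, 802.1Q Tag: <n>," and ends with the
# Blocking value; the fields in between vary (tagging, msti-id, mapping).
_VLAN_RE = re.compile(r"^(?P<vlan>[\w.-]+), 802\.1Q Tag: (?P<tag>\d+), ")


@dataclass
class Membership:
    vlan: str
    tag: int
    blocking: str      # normalized Blocking value, e.g. "blocked by RTG"
    detail: str = ""   # parenthesized qualifier, e.g. the RTG name


@dataclass
class Interface:
    name: str
    index: int
    state: str
    port_mode: str
    members: list = field(default_factory=list)


def _split_blocking(value: str):
    """'blocked by RTG(rtggroup)' -> ('blocked by RTG', 'rtggroup')."""
    m = re.match(r"^(?P<state>[^()]+?)\s*\((?P<detail>[^)]*)\)$", value)
    return (m["state"], m["detail"]) if m else (value, "")


def parse_detail(text: str) -> list:
    """Return one Interface per 'Interface:' block, with its memberships."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _IF_RE.match(line)
        if m:
            current = Interface(m["name"], int(m["index"]), m["state"], m["mode"])
            interfaces.append(current)
            continue
        m = _VLAN_RE.match(line)
        if m and current is not None:
            fields = [f.strip() for f in line.split(",")]
            state, detail = _split_blocking(fields[-1])
            current.members.append(Membership(m["vlan"], int(m["tag"]), state, detail))
    return interfaces


def find_protected(interfaces) -> list:
    """(interface, vlan, blocking, condition) for each protective state.

    Per Table 84, the MAC-limit and storm-control states clear when the
    disable timeout expires; a bpdu-control state is cleared with
    'clear ethernet-switching bpdu-error interface <name>'."""
    hits = []
    for itf in interfaces:
        for mb in itf.members:
            if mb.blocking in PROTECTIVE_STATES:
                hits.append((itf.name, mb.vlan, mb.blocking, PROTECTIVE_STATES[mb.blocking]))
    return hits


if __name__ == "__main__":
    for hit in find_protected(parse_detail(SAMPLE_DETAIL)):
        print("%-12s %-8s %-26s %s" % hit)
```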


show ethernet-switching mac-learning-log

Syntax
  show ethernet-switching mac-learning-log

Release Information
  Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Display the event log of learned MAC addresses.

Required Privilege Level
  view

Related Topics
  show ethernet-switching table
  show ethernet-switching interfaces
  Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
  Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
  Example: Configure Automatic VLAN Administration Using GVRP on page 508
  Example: Connecting an Access Switch to a Distribution Switch on page 498

List of Sample Output
  show ethernet-switching mac-learning-log on page 724

Output Fields
  Table 85 on page 724 lists the output fields for the show ethernet-switching mac-learning-log command. Output fields are listed in the approximate order in which they appear.

Table 85: show ethernet-switching mac-learning-log Output Fields
(Field Name: Field Description)

  Date and Time: Timestamp when the MAC address was added or deleted from the log.
  vlan_name: VLAN name. A value defined by the user for all user-configured VLANs.
  MAC: Learned MAC address.
  Deleted | Added: MAC address deleted or added to the MAC learning log.
  Blocking: The forwarding state of the interface:
    blocked: Traffic is not being forwarded on the interface.
    unblocked: Traffic is forwarded on the interface.

Sample Output

show ethernet-switching mac-learning-log
  user@switch> show ethernet-switching mac-learning-log
  Mon Feb 25 08:07:05 2008
  vlan_name v1 mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name v9 mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name HR_vlan mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name v3 mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name v12 mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name v13 mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name sales_vlan mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name employee1 mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name employee2 mac 00:00:00:00:00:00 was deleted
  Mon Feb 25 08:07:05 2008
  vlan_name v3 mac 00:00:00:00:00:00 was added
  Mon Feb 25 08:07:05 2008
  vlan_name HR_vlan mac 00:00:00:00:00:00 was added
  Mon Feb 25 08:07:05 2008
  vlan_name employee2 mac 00:00:00:00:00:00 was added
  Mon Feb 25 08:07:05 2008
  vlan_name employee1 mac 00:00:00:00:00:00 was added
  Mon Feb 25 08:07:05 2008
  vlan_name employee2 mac 00:00:05:00:00:05 was learned
  Mon Feb 25 08:07:05 2008
  vlan_name employee1 mac 00:30:48:90:54:89 was learned
  Mon Feb 25 08:07:05 2008
  vlan_name HR_vlan mac 00:00:5e:00:01:00 was learned
  Mon Feb 25 08:07:05 2008
  vlan_name sales_vlan mac 00:00:5e:00:01:08 was learned
  [output truncated]
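The log above pairs each timestamp line with one event line of the form "vlan_name <vlan> mac <address> was deleted|added|learned". The parser below is an added example, not part of the JUNOS documentation: it turns that text into per-VLAN learning counts and lists addresses learned in more than one VLAN or learned repeatedly in the same VLAN, the two patterns worth a second look when reviewing MAC learning on access ports. SAMPLE_LOG is taken from the output above plus two constructed entries (marked in the code) so that both checks have something to report.

```python
"""Parse 'show ethernet-switching mac-learning-log' output and summarize it.

Added example; not part of the JUNOS documentation. SAMPLE_LOG is taken
from the output shown in the manual plus two constructed entries (marked
below) so that both checks have something to report."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

NULL_MAC = "00:00:00:00:00:00"    # placeholder entries the log keeps per VLAN
_TS_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Feb 25 08:07:05 2008"
_EVENT_RE = re.compile(
    r"^vlan_name (?P<vlan>\S+) mac (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"was (?P<action>deleted|added|learned)$")

SAMPLE_LOG = """\
Mon Feb 25 08:07:05 2008
vlan_name v1 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_name HR_vlan mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_name HR_vlan mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_name employee2 mac 00:00:05:00:00:05 was learned
Mon Feb 25 08:07:05 2008
vlan_name employee1 mac 00:30:48:90:54:89 was learned
Mon Feb 25 08:07:05 2008
vlan_name HR_vlan mac 00:00:5e:00:01:00 was learned
Mon Feb 25 08:07:05 2008
vlan_name sales_vlan mac 00:00:5e:00:01:08 was learned
Mon Feb 25 08:07:09 2008
vlan_name employee2 mac 00:30:48:90:54:89 was learned
Mon Feb 25 08:07:12 2008
vlan_name employee1 mac 00:30:48:90:54:89 was learned
[output truncated]
"""
# The last two entries (08:07:09 and 08:07:12) are constructed, not from the manual.


@dataclass(frozen=True)
class MacEvent:
    when: datetime
    vlan: str
    mac: str
    action: str   # "deleted", "added" or "learned"


def parse_mac_log(text: str) -> list:
    """Pair each timestamp line with the event line that follows it."""
    events, stamp = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _EVENT_RE.match(line)
        if m and stamp is not None:
            events.append(MacEvent(stamp, m["vlan"], m["mac"].lower(), m["action"]))
            stamp = None
            continue
        try:
            stamp = datetime.strptime(line, _TS_FMT)
        except ValueError:
            stamp = None   # blank line, "[output truncated]", or a stray event line
    return events


def learned_per_vlan(events) -> dict:
    """Number of 'learned' events per VLAN, ignoring the all-zero placeholder."""
    return dict(Counter(e.vlan for e in events
                        if e.action == "learned" and e.mac != NULL_MAC))


def macs_in_multiple_vlans(events) -> dict:
    """MAC -> sorted VLAN names, for addresses learned in more than one VLAN.

    A station normally appears in one VLAN; the same address showing up in
    several is worth checking against the port configuration."""
    seen = defaultdict(set)
    for e in events:
        if e.action == "learned" and e.mac != NULL_MAC:
            seen[e.mac].add(e.vlan)
    return {mac: sorted(v) for mac, v in seen.items() if len(v) > 1}


def relearned(events) -> dict:
    """(vlan, mac) -> count, for addresses learned more than once in a VLAN
    within this log window (an entry aging out and returning, or moving
    between ports)."""
    counts = Counter((e.vlan, e.mac) for e in events
                     if e.action == "learned" and e.mac != NULL_MAC)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    evs = parse_mac_log(SAMPLE_LOG)
    print(learned_per_vlan(evs))
    print(macs_in_multiple_vlans(evs))
    print(relearned(evs))
```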


show ethernet-switching statistics aging

Syntax
  show ethernet-switching statistics aging

Release Information
  Command introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Display media access control (MAC) aging statistics.

Options
  none: (Optional) Display MAC aging statistics.
  brief | detail: (Optional) Display the specified level of output.

Required Privilege Level
  view

Related Topics
  show ethernet-switching statistics mac-learning
  Configuring MAC Table Aging (CLI Procedure) on page 553

List of Sample Output
  show ethernet-switching statistics aging on page 726

Output Fields
  Table 86 on page 726 lists the output fields for the show ethernet-switching statistics aging command. Output fields are listed in the approximate order in which they appear.

Table 86: show ethernet-switching statistics aging Output Fields
(Field Name: Field Description. Level of Output in parentheses.)

  Total age messages received: Total number of aging messages received from the hardware. (All levels)
  Immediate aging: Aging message indicating that the entry should be removed immediately. (All levels)
  MAC address seen: Aging message indicating that the MAC address has been detected by hardware and that the aging timer should be stopped. (All levels)
  MAC address not seen: Aging message indicating that the MAC address has not been detected by the hardware and that the aging timer should be started. (All levels)
  Error age messages: The received aging message contains the following errors: (All levels)
    Invalid VLAN: The VLAN of the packet does not exist.
    No such entry: The MAC address and VLAN pair provided by the aging message does not exist.
    Static entry: An unsuccessful attempt was made to age out a static MAC entry.

Sample Output

show ethernet-switching statistics aging
  user@switch> show ethernet-switching statistics aging
  Total age messages received: 0
  Immediate aging: 0, MAC address seen: 0, MAC address not seen: 0
  Error age messages: 0
  Invalid VLAN: 0, No such entry: 0, Static entry: 0

show ethernet-switching statistics aging

727

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

show ethernet-switching statistics mac-learning

Syntax
    show ethernet-switching statistics mac-learning

Release Information
    Command introduced in JUNOS Release 9.4 for EX Series switches.

Description
    Display media access control (MAC) learning statistics.

Options
    none: (Optional) Display MAC learning statistics for all interfaces.
    brief | detail: (Optional) Display the specified level of output.
    interface interface-name: (Optional) Display MAC learning statistics for the specified
    interface.

Required Privilege Level
    view

Related Topics
    show ethernet-switching statistics aging
    show ethernet-switching mac-learning-log
    show ethernet-switching table
    show ethernet-switching interfaces
    Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
    Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
    Example: Configure Automatic VLAN Administration Using GVRP on page 508

List of Sample Output
    show ethernet-switching statistics mac-learning on page 729
    show ethernet-switching statistics mac-learning detail on page 729
    show ethernet-switching statistics mac-learning interface ge-0/0/1 on page 730

Output Fields
    Table 87 on page 728 lists the output fields for the show ethernet-switching statistics
    mac-learning command. Output fields are listed in the approximate order in which
    they appear.

Table 87: show ethernet-switching statistics mac-learning Output Fields
(the level of output at which each field appears is shown in brackets after the field name)

Interface   [All levels]
    Name of the interface for which statistics are being reported.

Learning message from local packets   [All levels]
    MAC learning message generated due to packets coming in on the management
    interface.

Learning message from transit packets   [All levels]
    MAC learning message generated due to packets coming in on network interfaces.

Learning message with error   [All levels]
    MAC learning messages received with errors:
    Invalid VLAN: The VLAN of the packet does not exist.
    Invalid MAC: The MAC address is either NULL or a multicast MAC address.
    Security violation: The MAC address is not an allowed MAC address.
    Interface down: The MAC address is learned on an interface that is down.
    Incorrect membership: The MAC address is learned on an interface that is not a
    member of the VLAN.
    Interface limit: The number of MAC addresses learned on the interface has
    exceeded the limit.
    MAC move limit: This MAC address has moved among multiple interfaces too many
    times in a given interval.
    VLAN limit: The number of MAC addresses learned on the VLAN has exceeded the
    limit.
    Invalid VLAN index: The VLAN of the packet, while configured, does not yet exist
    in the kernel.
    Interface not learning: The MAC address is learned on an interface that does not
    yet allow learning; for example, the interface is blocked.
    No nexthop: The MAC address is learned on an interface that does not have a
    unicast next hop.
    MAC learning disabled: The MAC address is learned on an interface on which MAC
    learning has been disabled.
    Others: The message contains some other error.

Sample Output

show ethernet-switching statistics mac-learning

user@switch> show ethernet-switching statistics mac-learning
Learning stats: 0 learn msg rcvd, 0 error
Interface      Local pkts   Transit pkts   Error
ge-0/0/0.0     0            0              0
ge-0/0/1.0     0            0              0
ge-0/0/2.0     0            0              0
ge-0/0/3.0     0            0              0

show ethernet-switching statistics mac-learning detail

user@switch> show ethernet-switching statistics mac-learning detail
Learning stats: 0 learn msg rcvd, 0 error
Interface: ge-0/0/0.0
  Learning message from local packets: 0
  Learning message from transit packets: 1
  Learning message with error: 0
    Invalid VLAN: 0             Invalid MAC: 0
    Security violation: 0       Interface down: 0
    Incorrect membership: 0     Interface limit: 0
    MAC move limit: 0           VLAN limit: 0
    Invalid VLAN index: 0       Interface not learning: 0
    No nexthop: 0               MAC learning disabled: 0
    Others: 0
Interface: ge-0/0/1.0
  Learning message from local packets: 0
  Learning message from transit packets: 2
  Learning message with error: 0
    Invalid VLAN: 0             Invalid MAC: 0
    Security violation: 0       Interface down: 0
    Incorrect membership: 0     Interface limit: 0
    MAC move limit: 0           VLAN limit: 0
    Invalid VLAN index: 0       Interface not learning: 0
    No nexthop: 0               MAC learning disabled: 0
    Others: 0

show ethernet-switching statistics mac-learning interface ge-0/0/1

user@switch> show ethernet-switching statistics mac-learning interface ge-0/0/1
Interface      Local pkts   Transit pkts   Error
ge-0/0/1.0     0            1              1
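The error counters in Table 87 (Security violation, MAC move limit, Interface limit, VLAN limit) are the signal an operator polls to catch port-security violations and MAC flooding or spoofing on access ports. The following is an added example, not code from the JUNOS guide: it parses the detail output in the format shown above and raises one alert per interface and counter. The sample output, the interface names in it and the alert thresholds are constructed assumptions.

```python
"""Parse 'show ethernet-switching statistics mac-learning detail' output and
flag per-interface learning errors that point at MAC flooding or spoofing.

Added example, not from the JUNOS guide. SAMPLE below is constructed to match
the documented layout; the thresholds in WATCHED are assumptions."""
import re
from typing import Dict, List

# Counters from Table 87 worth alerting on, with assumed thresholds (hits >= n).
WATCHED: Dict[str, int] = {
    "Security violation": 1,  # a MAC not on the port's allowed list
    "MAC move limit": 1,      # a MAC bouncing between interfaces (spoofing or loop)
    "Interface limit": 1,     # too many MACs on one port (CAM-table flooding)
    "VLAN limit": 1,          # too many MACs in one VLAN
}

_IFACE_RE = re.compile(r"^Interface:\s*(\S+)")            # "Interface: ge-0/0/7.0"
_PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]+?):\s*(\d+)")  # "Invalid VLAN: 0 ..."


def parse_mac_learning_detail(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {counter_name: value}} for every interface block.

    Counter pairs may share a line (the two-column layout of the detail
    output) or sit one per line; the regex handles both."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line.strip())
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        if current is None:
            continue  # the "Learning stats: ..." summary line precedes any block
        for name, value in _PAIR_RE.findall(line):
            stats[current][name.strip()] = int(value)
    return stats


def find_alerts(stats: Dict[str, Dict[str, int]],
                thresholds: Dict[str, int] = WATCHED) -> List[str]:
    """One 'iface: counter=value' string per watched counter at/over threshold."""
    alerts: List[str] = []
    for iface, counters in stats.items():
        for name, limit in thresholds.items():
            value = counters.get(name, 0)
            if value >= limit:
                alerts.append(f"{iface}: {name}={value}")
    return alerts


# Constructed sample output (not captured from a real switch).
SAMPLE = """\
Learning stats: 37 learn msg rcvd, 9 error
Interface: ge-0/0/0.0
  Learning message from local packets: 0
  Learning message from transit packets: 12
  Learning message with error: 0
    Invalid VLAN: 0             Invalid MAC: 0
    Security violation: 0       Interface down: 0
    Incorrect membership: 0     Interface limit: 0
    MAC move limit: 0           VLAN limit: 0
    Invalid VLAN index: 0       Interface not learning: 0
    No nexthop: 0               MAC learning disabled: 0
    Others: 0
Interface: ge-0/0/7.0
  Learning message from local packets: 0
  Learning message from transit packets: 25
  Learning message with error: 9
    Invalid VLAN: 0             Invalid MAC: 0
    Security violation: 3       Interface down: 0
    Incorrect membership: 0     Interface limit: 5
    MAC move limit: 1           VLAN limit: 0
    Invalid VLAN index: 0       Interface not learning: 0
    No nexthop: 0               MAC learning disabled: 0
    Others: 0
"""

if __name__ == "__main__":
    for alert in find_alerts(parse_mac_learning_detail(SAMPLE)):
        print(alert)
```

In practice the text is the saved output of the command (for example collected over SSH on a schedule), and the alert list is diffed against the previous poll so only counters that moved are reported.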


show ethernet-switching table

Syntax
    show ethernet-switching table
    <brief | detail | extensive | summary>
    <interface interface-name>
    <management-vlan>
    <vlan (vlan-name)>

Release Information
    Command introduced in JUNOS Release 9.0 for EX Series switches.
    Options summary, management-vlan, and vlan vlan-name introduced in JUNOS Release
    9.6 for EX Series switches.

Description
    Display the Ethernet switching table.

Options
    none: (Optional) Display brief information about the Ethernet switching table.
    brief | detail | extensive | summary: (Optional) Display the specified level of output.
    management-vlan: (Optional) Display the Ethernet switching table for a management
    VLAN.
    interface interface-name: (Optional) Display the Ethernet switching table for a specific
    interface.
    vlan vlan-name: (Optional) Display the Ethernet switching table for a specific VLAN.

Required Privilege Level
    view

Related Topics
    Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
    Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
    Example: Configure Automatic VLAN Administration Using GVRP on page 508
    Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530

List of Sample Output
    show ethernet-switching table on page 732
    show ethernet-switching table brief on page 732
    show ethernet-switching table detail on page 733
    show ethernet-switching table extensive on page 734
    show ethernet-switching table interface ge-0/0/1 on page 736

Output Fields
    Table 88 on page 731 lists the output fields for the show ethernet-switching table
    command. Output fields are listed in the approximate order in which they appear.

Table 88: show ethernet-switching table Output Fields
(the level of output at which each field appears is shown in brackets after the field name)

VLAN   [All levels]
    The name of a VLAN.

MAC address   [All levels]
    The MAC address associated with the VLAN.

Type   [All levels]
    The type of MAC address. Values are:
    static: The MAC address is manually created.
    learn: The MAC address is learned dynamically from a packet's source MAC address.
    flood: The MAC address is unknown and flooded to all members.

Age   [All levels]
    The time remaining before the entry ages out and is removed from the Ethernet
    switching table.

Interfaces   [All levels]
    Interface associated with learned MAC addresses or All-members (flood entry).

Learned   [detail, extensive]
    For learned entries, the time at which the entry was added to the
    Ethernet-switching table.

Sample Output

show ethernet-switching table

user@switch> show ethernet-switching table
Ethernet-switching table: 57 entries, 17 learned
  VLAN    MAC address         Type    Age   Interfaces
  F2      *                   Flood   -     All-members
  F2      00:00:05:00:00:03   Learn   0     ge-0/0/44.0
  F2      00:19:e2:50:7d:e0   Static  -     Router
  Linux   *                   Flood   -     All-members
  Linux   00:19:e2:50:7d:e0   Static  -     Router
  Linux   00:30:48:90:54:89   Learn   0     ge-0/0/47.0
  T1      *                   Flood   -     All-members
  T1      00:00:05:00:00:01   Learn   0     ge-0/0/46.0
  T1      00:00:5e:00:01:00   Static  -     Router
  T1      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T1      00:19:e2:50:7d:e0   Static  -     Router
  T10     *                   Flood   -     All-members
  T10     00:00:5e:00:01:09   Static  -     Router
  T10     00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T10     00:19:e2:50:7d:e0   Static  -     Router
  T111    *                   Flood   -     All-members
  T111    00:19:e2:50:63:e0   Learn   0     ge-0/0/15.0
  T111    00:19:e2:50:7d:e0   Static  -     Router
  T111    00:19:e2:50:ac:00   Learn   0     ge-0/0/15.0
  T2      *                   Flood   -     All-members
  T2      00:00:5e:00:01:01   Static  -     Router
  T2      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T2      00:19:e2:50:7d:e0   Static  -     Router
  T3      *                   Flood   -     All-members
  T3      00:00:5e:00:01:02   Static  -     Router
  T3      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T3      00:19:e2:50:7d:e0   Static  -     Router
  T4      *                   Flood   -     All-members
  T4      00:00:5e:00:01:03   Static  -     Router
  T4      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  [output truncated]

show ethernet-switching table brief

user@switch> show ethernet-switching table brief
Ethernet-switching table: 57 entries, 17 learned
  VLAN    MAC address         Type    Age   Interfaces
  F2      *                   Flood   -     All-members
  F2      00:00:05:00:00:03   Learn   0     ge-0/0/44.0
  F2      00:19:e2:50:7d:e0   Static  -     Router
  Linux   *                   Flood   -     All-members
  Linux   00:19:e2:50:7d:e0   Static  -     Router
  Linux   00:30:48:90:54:89   Learn   0     ge-0/0/47.0
  T1      *                   Flood   -     All-members
  T1      00:00:05:00:00:01   Learn   0     ge-0/0/46.0
  T1      00:00:5e:00:01:00   Static  -     Router
  T1      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T1      00:19:e2:50:7d:e0   Static  -     Router
  T10     *                   Flood   -     All-members
  T10     00:00:5e:00:01:09   Static  -     Router
  T10     00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T10     00:19:e2:50:7d:e0   Static  -     Router
  T111    *                   Flood   -     All-members
  T111    00:19:e2:50:63:e0   Learn   0     ge-0/0/15.0
  T111    00:19:e2:50:7d:e0   Static  -     Router
  T111    00:19:e2:50:ac:00   Learn   0     ge-0/0/15.0
  T2      *                   Flood   -     All-members
  T2      00:00:5e:00:01:01   Static  -     Router
  T2      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T2      00:19:e2:50:7d:e0   Static  -     Router
  T3      *                   Flood   -     All-members
  T3      00:00:5e:00:01:02   Static  -     Router
  T3      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  T3      00:19:e2:50:7d:e0   Static  -     Router
  T4      *                   Flood   -     All-members
  T4      00:00:5e:00:01:03   Static  -     Router
  T4      00:19:e2:50:63:e0   Learn   0     ge-0/0/46.0
  [output truncated]

show ethernet-switching table detail

user@switch> show ethernet-switching table detail
Ethernet-switching table: 57 entries, 17 learned
F2, *
  Interface(s): ge-0/0/44.0
  Type: Flood
  Nexthop index: 0
F2, 00:00:05:00:00:03
  Interface(s): ge-0/0/44.0
  Type: Learn, Age: 0, Learned: 2:03:09
  Nexthop index: 0
F2, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
Linux, *
  Interface(s): ge-0/0/47.0
  Type: Flood
  Nexthop index: 0
Linux, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
Linux, 00:30:48:90:54:89
  Interface(s): ge-0/0/47.0
  Type: Learn, Age: 0, Learned: 2:03:08
  Nexthop index: 0
T1, *
  Interface(s): ge-0/0/46.0
  Type: Flood
  Nexthop index: 0
T1, 00:00:05:00:00:01
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:07
  Nexthop index: 0
T1, 00:00:5e:00:01:00
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T1, 00:19:e2:50:63:e0
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:07
  Nexthop index: 0
T1, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T10, *
  Interface(s): ge-0/0/46.0
  Type: Flood
  Nexthop index: 0
T10, 00:00:5e:00:01:09
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T10, 00:19:e2:50:63:e0
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:08
  Nexthop index: 0
T10, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T111, *
  Interface(s): ge-0/0/15.0
  Type: Flood
  Nexthop index: 0
[output truncated]

show ethernet-switching table extensive

user@switch> show ethernet-switching table extensive
Ethernet-switching table: 57 entries, 17 learned
F2, *
  Interface(s): ge-0/0/44.0
  Type: Flood
  Nexthop index: 0
F2, 00:00:05:00:00:03
  Interface(s): ge-0/0/44.0
  Type: Learn, Age: 0, Learned: 2:03:09
  Nexthop index: 0
F2, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
Linux, *
  Interface(s): ge-0/0/47.0
  Type: Flood
  Nexthop index: 0
Linux, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
Linux, 00:30:48:90:54:89
  Interface(s): ge-0/0/47.0
  Type: Learn, Age: 0, Learned: 2:03:08
  Nexthop index: 0
T1, *
  Interface(s): ge-0/0/46.0
  Type: Flood
  Nexthop index: 0
T1, 00:00:05:00:00:01
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:07
  Nexthop index: 0
T1, 00:00:5e:00:01:00
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T1, 00:19:e2:50:63:e0
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:07
  Nexthop index: 0
T1, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T10, *
  Interface(s): ge-0/0/46.0
  Type: Flood
  Nexthop index: 0
T10, 00:00:5e:00:01:09
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T10, 00:19:e2:50:63:e0
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:08
  Nexthop index: 0
T10, 00:19:e2:50:7d:e0
  Interface(s): Router
  Type: Static
  Nexthop index: 0
T111, *
  Interface(s): ge-0/0/15.0
  Type: Flood
  Nexthop index: 0
[output truncated]

show ethernet-switching table interface ge-0/0/1

user@switch> show ethernet-switching table interface ge-0/0/1
Ethernet-switching table: 1 unicast entries
  VLAN    MAC address         Type    Age   Interfaces
  V1      *                   Flood   -     All-members
  V1      00:00:05:00:00:05   Learn   0     ge-0/0/1.0

show gvrp

Syntax
    show gvrp

Release Information
    Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Display GARP VLAN Registration Protocol (GVRP) information.

Options
    none: Displays all GVRP configuration attributes.
    interface interface-name: (Optional) Displays GVRP statistics for a specific interface
    only.

Required Privilege Level
    view

Related Topics
    show gvrp statistics
    Example: Configure Automatic VLAN Administration Using GVRP on page 508

List of Sample Output
    show gvrp on page 737

Output Fields
    Table 89 on page 737 lists the output fields for the show gvrp command. Output fields
    are listed in the approximate order in which they appear.

Table 89: show gvrp Output Fields

Global GVRP Configuration
    Displays global GVRP information:
    GVRP status: Displays whether GVRP is enabled or disabled.
    Join: The maximum number of milliseconds the interfaces must wait before sending
    VLAN advertisements.
    Leave: The number of milliseconds an interface must wait after receiving a Leave
    message to remove the interface from the VLAN specified in the message.
    Leaveall: The interval at which Leave All messages are sent on interfaces. Leave All
    messages maintain current GVRP VLAN membership information in the network.

Interface based configuration
    Displays interface-specific GVRP information:
    Interface: The interface on which GVRP is configured.
    GVRP status: Displays whether GVRP is enabled or disabled.

Sample Output

show gvrp

user@switch> show gvrp
Global GVRP configuration
  GVRP status        : Enabled
  GVRP timers (ms)
    Join             : 40
    Leave            : 120
    Leaveall         : 2000

Interface based configuration:
  Interface    GVRP status
  ----------   -----------
  ge-0/0/0.0   Enabled

show gvrp statistics

Syntax
    show gvrp statistics

Release Information
    Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Display Generic VLAN Registration Protocol (GVRP) statistics in the form of GARP
    Information Propagation (GIP) messages.

Required Privilege Level
    clear

Related Topics
    show gvrp
    Example: Configure Automatic VLAN Administration Using GVRP on page 508

List of Sample Output
    show gvrp statistics on page 740

Output Fields
    Table 90 on page 739 lists the output fields for the show gvrp statistics command.
    Output fields are listed in the approximate order in which they appear.

Table 90: show gvrp statistics Output Fields

Field Name                 Field Description
Join Empty received        Number of GIP Join Empty messages received on the switch.
Join In received           Number of GIP Join In messages received on the switch.
Empty received             Number of GIP Empty messages received on the switch.
Leave In received          Number of GIP Leave In messages received on the switch.
Leave Empty received       Number of GIP Leave Empty messages received on the switch.
Leave All received         Number of GIP Leave All messages received on the switch.
Join Empty transmitted     Number of GIP Join Empty messages sent from the switch.
Join In transmitted        Number of GIP Join In messages sent from the switch.
Empty transmitted          Number of GIP Empty messages sent from the switch.
Leave In transmitted       Number of GIP Leave In messages sent from the switch.
Leave Empty transmitted    Number of GIP Leave Empty messages sent from the switch.
Leave All transmitted      Number of GIP Leave All messages sent from the switch.

Sample Output

show gvrp statistics

user@switch> show gvrp statistics
GVRP statistics
  Join Empty received       : 0
  Join In received          : 12
  Empty received            : 0
  Leave In received         : 0
  Leave Empty received      : 0
  Leave All received        : 0
  Join Empty transmitted    : 0
  Join In transmitted       : 48
  Empty transmitted         : 4
  Leave In transmitted      : 0
  Leave Empty transmitted   : 0
  Leave All transmitted     : 4

show redundant-trunk-group

Syntax
    show redundant-trunk-group <group-name group-name>

Release Information
    Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Display information about redundant trunk groups.

Options
    group-name group-name: Display information about the specified redundant trunk
    group.

Required Privilege Level
    view

Related Topics
    Example: Configuring Redundant Trunk Links for Faster Recovery on page 523
    Understanding Redundant Trunk Links on EX Series Switches on page 473

List of Sample Output
    show redundant-trunk-group group-name Group1 on page 741

Output Fields
    Table 91 on page 741 lists the output fields for the show redundant-trunk-group
    command. Output fields are listed in the approximate order in which they appear.

Table 91: show redundant-trunk-group Output Fields

Group Name
    Name of the redundant trunk port group.

Interface
    Name of an interface belonging to the trunk port group.
    (P) denotes a primary interface.
    (A) denotes an active interface.
    Lack of (A) denotes a blocking interface.

State
    Operating state of the interface: UP or DOWN.

Last Time of Flap
    Date and time at which the advertised link became unavailable, and then, available again.

# Flaps
    Total number of flaps since the last switch reboot.

Sample Output

show redundant-trunk-group group-name Group1

user@switch> show redundant-trunk-group group-name Group1
Group Name   Interface          State   Last Time of Flap    # Flaps
Group1       ge-0/0/45.0 (P)    UP      Fri Jan 2 04:10:58   0
             ge-0/0/47.0        UP      Fri Jan 2 04:10:58   0

show spanning-tree bridge

Syntax
    show spanning-tree bridge
    <brief | detail>
    <msti msti-id>
    <vlan vlan-id>

Release Information
    Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Display the configured or calculated spanning-tree protocol (can be either STP, RSTP,
    or MSTP) parameters.

Options
    none: (Optional) Display brief STP bridge information for all Multiple Spanning Tree
    Instances (MSTIs).
    brief | detail: (Optional) Display the specified level of output.
    msti msti-id: (Optional) Display STP bridge information for the specified MSTP instance
    ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a
    value from 1 through 4094 for an MSTI.
    vlan vlan-id: (Optional) Display STP bridge information for the specified VLAN. Specify
    a VLAN tag identifier from 1 through 4094.

Required Privilege Level
    view

Related Topics
    show spanning-tree interface
    Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
    Understanding STP for EX Series Switches on page 571
    Understanding RSTP for EX Series Switches on page 572
    Understanding MSTP for EX Series Switches on page 573
    Understanding VSTP for EX Series Switches on page 574

List of Sample Output
    show spanning-tree bridge on page 743
    show spanning-tree bridge brief on page 744
    show spanning-tree bridge detail on page 744

Output Fields
    Table 92 on page 742 lists the output fields for the show spanning-tree bridge command.
    Output fields are listed in the approximate order in which they appear.

Table 92: show spanning-tree bridge Output Fields

Context ID
    An internally generated identifier.

Enabled protocol
    Spanning-tree protocol type enabled.

Root ID
    Bridge ID of the elected spanning tree root bridge. The bridge ID consists of a
    configurable bridge priority and the MAC address of the bridge.

Root cost
    Calculated cost to reach the root bridge from the bridge where the command
    is entered.

Root port
    Interface that is the current elected root port for this bridge.

CIST regional root
    Bridge ID of the elected MSTP regional root bridge.

CIST internal root cost
    Calculated cost to reach the regional root bridge from the bridge where the
    command is entered.

Hello time
    Configured number of seconds between transmissions of configuration BPDUs.

Maximum age
    Maximum age of received protocol BPDUs.

Forward delay
    Configured time an STP bridge port remains in the listening and learning states
    before transitioning to the forwarding state.

Hop count
    Configured maximum number of hops a BPDU can be forwarded in the MSTP
    region.

Message age
    Number of seconds elapsed since the most recent BPDU was received.

Number of topology changes
    Total number of STP topology changes detected since the switch last booted.

Time since last topology change
    Number of seconds elapsed since the most recent topology change.

Bridge ID (Local)
    Locally configured bridge ID. The bridge ID consists of a configurable bridge
    priority and the MAC address of the bridge.

Extended system ID
    Internally generated system identifier.

MSTI regional root
    Bridge ID of the elected MSTP regional root bridge.

Internal instance ID
    An internally generated identifier.

Path Cost Method
    Bridges supporting 802.1D (legacy) implement only 16-bit values for path cost.
    Newer versions of this standard support 32-bit values.

Sample Output

show spanning-tree bridge

user@switch> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/13.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 2000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Message age                       : 0
  Number of topology changes        : 3
  Time since last topology change   : 921 seconds
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 2000
  Root port                         : ge-0/0/13.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 8194.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 2

show spanning-tree bridge brief

user@switch> show spanning-tree bridge brief
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.00:19:e2:50:95:a0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 0
  Local parameters
    Bridge ID                       : 32768.00:19:e2:50:95:a0
    Extended system ID              : 0
    Internal instance ID            : 0

show spanning-tree bridge detail

user@switch> show spanning-tree bridge detail
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.00:19:e2:50:95:a0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 0
  Local parameters
    Bridge ID                       : 32768.00:19:e2:50:95:a0
    Extended system ID              : 0
    Internal instance ID            : 0
    Hello time                      : 2 seconds
    Maximum age                     : 20 seconds
    Forward delay                   : 15 seconds
    Path cost method                : 32 bit
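Because the Root ID is a priority followed by a MAC address, and an MSTI's priority field also carries the instance number (4097 is priority 4096 in MSTI 1), a check that the elected root is the switch the operator intended has to parse both parts. The following is an added example, not code from the JUNOS guide: it parses output in the layout shown above, splits each bridge ID, and reports any instance whose root is not the expected core switch, which is how an unexpected or rogue root bridge is caught. The abbreviated sample is constructed from the page's own bridge IDs, and the expected-root table is an assumption standing in for your own inventory.

```python
"""Check the elected spanning-tree root in 'show spanning-tree bridge' output.

Added example, not code from the JUNOS guide. The parser follows the
'Field : value' layout and the 'STP bridge parameters for CIST/MSTI n'
section headers documented for this command. EXPECTED_ROOT is an assumed
inventory of which bridge should be root."""
import re
from typing import Dict, List, Tuple

_SECTION_RE = re.compile(r"^STP bridge parameters for (CIST|MSTI \d+)$")
_KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?)\s*:\s*(.+?)\s*$")


def split_bridge_id(bridge_id: str) -> Tuple[int, str]:
    """'4097.00:19:e2:50:51:e0' -> (4096, '00:19:e2:50:51:e0').

    A bridge ID is 'priority.MAC'. In an MSTI the low 12 bits of the priority
    field hold the instance number (4097 = 4096 + MSTI 1); mask them off so the
    configured priority (a multiple of 4096) is returned."""
    prio, mac = bridge_id.split(".", 1)
    return int(prio) & 0xF000, mac.lower()


def parse_bridge(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {field: value}}. Fields before the first
    'STP bridge parameters for ...' header are filed under 'global'."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for line in text.splitlines():
        m = _SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        kv = _KV_RE.match(line)  # lines without ':' (e.g. 'Local parameters') are skipped
        if kv:
            sections[current][kv.group(1)] = kv.group(2)
    return sections


def root_of(params: Dict[str, str]) -> str:
    """The CIST names its root 'Root ID'; an MSTI names it 'MSTI regional root'."""
    return params.get("Root ID") or params.get("MSTI regional root") or ""


def check_roots(sections: Dict[str, Dict[str, str]],
                expected: Dict[str, str]) -> List[str]:
    """Report each instance whose elected root MAC differs from the expected one."""
    findings: List[str] = []
    for inst, params in sections.items():
        root = root_of(params)
        if not root or inst not in expected:
            continue
        prio, mac = split_bridge_id(root)
        if mac != expected[inst].lower():
            findings.append(
                f"{inst}: root is {mac} (priority {prio}), expected {expected[inst]}")
    return findings


def local_is_root(params: Dict[str, str]) -> bool:
    """True when this switch's own Bridge ID MAC is the elected root MAC."""
    root, local = root_of(params), params.get("Bridge ID", "")
    return bool(root and local) and split_bridge_id(root)[1] == split_bridge_id(local)[1]


# Constructed sample, abbreviated from the layout of the command's documented output.
SAMPLE = """\
STP bridge parameters
Context ID                        : 0
Enabled protocol                  : MSTP
STP bridge parameters for CIST
  Root ID                         : 8192.00:19:e2:50:51:e0
  Root cost                       : 0
  Root port                       : ge-0/0/13.0
  Local parameters
    Bridge ID                     : 16384.00:19:e2:50:44:e0
STP bridge parameters for MSTI 1
  MSTI regional root              : 4097.00:19:e2:50:51:e0
  Local parameters
    Bridge ID                     : 16385.00:19:e2:50:44:e0
STP bridge parameters for MSTI 2
  MSTI regional root              : 4098.00:19:e2:50:3d:20
  Local parameters
    Bridge ID                     : 8194.00:19:e2:50:44:e0
"""

# Assumed inventory: the same core switch is expected to be root in every instance.
EXPECTED_ROOT = {"CIST": "00:19:e2:50:51:e0",
                 "MSTI 1": "00:19:e2:50:51:e0",
                 "MSTI 2": "00:19:e2:50:51:e0"}

if __name__ == "__main__":
    for finding in check_roots(parse_bridge(SAMPLE), EXPECTED_ROOT):
        print(finding)
```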


show spanning-tree interface


Syntax

Release Information
Description

Options

show spanning-tree interface


<brief | detail>
<interface-name interface-name>
<msti msti-id>
<vlan-id vlan-id>

Command introduced in JUNOS Release 9.0 for EX Series switches.


Display the configured or calculated interface-level spanning-tree protocol (can be
either STP, RSTP, or MSTP) parameters. In brief mode, will not display interfaces that
are administratively disabled or do not have a physical link.
none(Optional) Display brief STP interface information.
brief | detail(Optional) Display the specified level of output.
interface-name interface-name(Optional) Name of an interface.
msti msti-id(Optional) Display STP bridge information for the specified MSTP instance
ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a
value from 1 through 4094 for an MSTI.
vlan-id vlan-id(Optional) For MSTP interfaces, display interface information for the
specified VLAN. Specify a value from 0 through 4094.

Required Privilege Level


Related Topics

List of Sample Output

Output Fields

746

view

show spanning-tree bridge

Example: Configuring Network Regions for VLANs with MSTP on EX Series


Switches on page 593

Understanding STP for EX Series Switches on page 571

Understanding RSTP for EX Series Switches on page 572

Understanding MSTP for EX Series Switches on page 573

Understanding VSTP for EX Series Switches on page 574

show
show
show
show

spanning-tree
spanning-tree
spanning-tree
spanning-tree

interface
interface
interface
interface

on page 747
brief on page 748
detail on page 748
ge-1/0/0 on page 749

Table 93 on page 747 lists the output fields for the show spanning-tree Interface
command. Output fields are listed in the approximate order in which they appear.

show spanning-tree interface

Chapter 38: Operational Mode Commands for Bridging, VLANs, and Spanning Trees

Table 93: show spanning-tree interface Output Fields


Field Name

Field Description

Interface name

Interface configured to participate in the STP, RSTP, or MSTP instance.

Port ID

Logical interface identifier configured to participate in the MSTP instance.

Designated port ID

Port ID of the designated port for the LAN segment this interface is attached to.

Designated bridge ID

Bridge ID of the designated bridge for the LAN segment this interface is attached to.

Port Cost

Configured cost for the interface.

Port State

STP port state. Forwarding (FWD), blocking (BLK), listening, learning, or disabled.

Port Role

MSTP or RSTP port role. Designated (DESG), backup (BKUP), alternate (ALT), or root.

Link type

MSTP or RSTP link type. Shared or point-to-point (pt-pt) and edge or non edge.

Alternate

Identifies the interface as an MSTP or RSTP alternate root port (yes) or nonalternate
root port (no).

Boundary Port

Identifies the interface as an MSTP regional boundary port (yes) or nonboundary port
(no).

show spanning-tree
interface

user@switch> show spanning-tree interface


Spanning tree interface parameters for instance 0
Interface
ge-0/0/0.0
ge-0/0/2.0
ge-0/0/4.0
ge-0/0/23.0

Port ID
128:513
128:515
128:517
128:536

Designated Designated
port ID
bridge ID
128:513
8192.0019e2500340
128:515
8192.0019e2500340
128:517
8192.0019e2500340
128:536
8192.0019e2500340

Port
Cost
1000
1000
1000
1000

State

Role

FWD
BLK
FWD
FWD

DESG
DIS
DESG
DESG

Port
Cost
1000
1000
1000
1000

State

Role

FWD
BLK
FWD
FWD

DESG
DIS
DESG
DESG

Spanning tree interface parameters for instance 1


Interface
ge-0/0/0.0
ge-0/0/2.0
ge-0/0/4.0
ge-0/0/23.0

Port ID
128:513
128:515
128:517
128:536

Designated Designated
port ID
bridge ID
128:513
8193.0019e2500340
128:515
8193.0019e2500340
128:517
8193.0019e2500340
128:536
8193.0019e2500340

Spanning tree interface parameters for instance 2


Interface
ge-0/0/0.0
ge-0/0/2.0
ge-0/0/4.0
ge-0/0/23.0

Port ID
128:513
128:515
128:517
128:536

Designated Designated
Port
State Role
port ID
bridge ID
Cost
128:1
8194.001b549fd000 1000 FWD
ROOT
128:515 32770.0019e2500340 4000 BLK
DIS
128:1
16386.001b54013080 1000 BLK
ALT
128:536 32770.0019e2500340 1000 FWD
DESG

show spanning-tree interface

747

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

show spanning-tree
interface brief

user@switch> show spanning-tree interface brief

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-1/0/0.0   128:625   128:625      32768.0019e25095a0  20000   BLK    DIS
ge-1/0/1.0   128:626   128:626      32768.0019e25095a0  20000   BLK    DIS
ge-1/0/2.0   128:627   128:627      32768.0019e25095a0  20000   BLK    DIS
ge-1/0/10.0  128:635   128:635      32768.0019e25095a0  20000   BLK    DIS
ge-1/0/20.0  128:645   128:645      32768.0019e25095a0  20000   BLK    DIS
ge-1/0/30.0  128:655   128:655      32768.0019e25095a0  20000   BLK    DIS

show spanning-tree
interface detail

user@switch> show spanning-tree interface detail

Spanning tree interface parameters for instance 0
Interface name        : ge-1/0/0.0
Port identifier       : 128.625
Designated port ID    : 128.625
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/EDGE
Boundary port         : NA
Interface name        : ge-1/0/1.0
Port identifier       : 128.626
Designated port ID    : 128.626
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA
Interface name        : ge-1/0/2.0
Port identifier       : 128.627
Designated port ID    : 128.627
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA
Interface name        : ge-1/0/10.0
Port identifier       : 128.635
Designated port ID    : 128.635
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA
Interface name        : ge-1/0/20.0
Port identifier       : 128.645
Designated port ID    : 128.645
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA
[output truncated]

show spanning-tree
interface ge-1/0/0

user@switch> show spanning-tree interface ge-1/0/0

Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-1/0/0.0   128:625   128:625      32768.0019e25095a0  20000   BLK    DIS
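Operationally, the brief table is what you would scrape to confirm that only known switches are influencing the spanning tree. The following Python is an added example, not code from this guide or from Juniper: it parses the per-instance tables of show spanning-tree interface brief into rows, splits the bridge ID into its priority, system-ID extension and MAC, and lists the ROOT and ALT ports whose designated bridge (the neighbour sending superior BPDUs) is not in an inventory of known switch MACs. The sample text is the instance 2 table from this page pasted as a string, and the inventory passed to foreign_upstream_bridges is a constructed assumption.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample: the "show spanning-tree interface brief" table for MSTP
# instance 2 shown on this page, pasted as the switch prints it.
SAMPLE_OUTPUT = """\
Spanning tree interface parameters for instance 2

Interface    Port ID   Designated    Designated          Port   State  Role
                       port ID       bridge ID           Cost
ge-0/0/0.0   128:513   128:1         8194.001b549fd000   1000   FWD    ROOT
ge-0/0/2.0   128:515   128:515       32770.0019e2500340  4000   BLK    DIS
ge-0/0/4.0   128:517   128:1         16386.001b54013080  1000   BLK    ALT
ge-0/0/23.0  128:536   128:536       32770.0019e2500340  1000   FWD    DESG
"""


class StpPort(NamedTuple):
    instance: int
    interface: str
    port_id: str
    designated_port_id: str
    designated_bridge_id: str
    cost: int
    state: str
    role: str


INSTANCE_RE = re.compile(r"^Spanning tree interface parameters for instance (\d+)")
# One data row: interface, port ID, designated port ID, designated bridge ID
# (priority.mac), port cost, state, role. Header lines do not match.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<pid>\d+:\d+)\s+(?P<dpid>\d+:\d+)\s+"
    r"(?P<dbid>\d+\.[0-9a-fA-F]{12})\s+(?P<cost>\d+)\s+(?P<state>[A-Z]+)\s+(?P<role>[A-Z]+)\s*$"
)


def parse_stp_brief(text: str) -> List[StpPort]:
    """Parse every per-instance table in the command output into StpPort rows."""
    ports: List[StpPort] = []
    instance = None
    for line in text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            instance = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m and instance is not None:
            ports.append(StpPort(instance, m["iface"], m["pid"], m["dpid"],
                                 m["dbid"].lower(), int(m["cost"]), m["state"], m["role"]))
    return ports


def split_bridge_id(bridge_id: str) -> Tuple[int, int, str]:
    """Split 'NNNN.mac' into (priority, system-ID extension, MAC).

    The 16-bit field carries the configured priority in its top four bits
    (multiples of 4096) and the MSTI number in the low 12 bits, which is why
    instance 2 prints 8194 for a configured priority of 8192.
    """
    prio_field, mac = bridge_id.split(".", 1)
    value = int(prio_field)
    return value & 0xF000, value & 0x0FFF, mac.lower()


def foreign_upstream_bridges(ports: List[StpPort], known_macs: Set[str]) -> List[Tuple[str, str]]:
    """Ports accepting BPDUs from a bridge that is not in the inventory.

    On ROOT and ALT ports the designated bridge ID identifies the neighbour
    whose BPDUs are superior to ours; a MAC outside the known-switch inventory
    means an unexpected device is shaping the topology on that port.
    """
    findings = []
    for p in ports:
        if p.role not in ("ROOT", "ALT"):
            continue
        mac = split_bridge_id(p.designated_bridge_id)[2]
        if mac not in known_macs:
            findings.append((p.interface, mac))
    return findings


if __name__ == "__main__":
    rows = parse_stp_brief(SAMPLE_OUTPUT)
    for r in rows:
        print(r)
    # Constructed inventory: only the upstream switch on ge-0/0/0.0 is known.
    print(foreign_upstream_bridges(rows, {"001b549fd000"}))
```

Feed the function the output of all instances at once; the instance header resets the context, so rows are tagged with the MSTI they belong to and a bridge that is legitimate in one instance but unknown in another still shows up.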


show spanning-tree mstp configuration

Syntax

show spanning-tree mstp configuration
<brief | detail>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display the MSTP configuration.

Options

none: Display MSTP configuration information.
brief | detail: (Optional) Display the specified level of output.

Required Privilege Level

view

List of Sample Output

show spanning-tree mstp configuration on page 750

Output Fields

Table 94 on page 750 lists the output fields for the show spanning-tree mstp configuration
command. Output fields are listed in the approximate order in which they appear.

Table 94: show spanning-tree mstp configuration Output Fields

Field Name             Field Description
Context identifier     Internally generated identifier.
Region name            MSTP region name carried in the MSTP BPDUs.
Revision               Revision number of the MSTP configuration.
Configuration digest   Numerical value derived from the VLAN-to-instance mapping table.
MSTI                   MSTI instance identifier.
Member VLANs           Identifiers for VLANs associated with the MSTI.

show spanning-tree
mstp configuration

user@host> show spanning-tree mstp configuration

MSTP configuration information
Context identifier    : 0
Region name           : region1
Revision              : 0
Configuration digest  : 0xc92e7af9febb44d8df928b87f16b

MSTI    Member VLANs
0       0-100,105-4094
1       101-102
2       103-104


show spanning-tree statistics

Syntax

show spanning-tree statistics
interface interface-name
<brief | detail>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display STP statistics.

Options

none: Display brief STP statistics.
brief | detail: (Optional) Display the specified level of output.

Required Privilege Level

view

Related Topics

show spanning-tree bridge
Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 593
Understanding STP for EX Series Switches on page 571
Understanding RSTP for EX Series Switches on page 572
Understanding MSTP for EX Series Switches on page 573
Understanding VSTP for EX Series Switches on page 574

List of Sample Output

show spanning-tree statistics interface on page 751

Output Fields

Table 95 on page 751 lists the output fields for the show spanning-tree statistics
command. Output fields are listed in the approximate order in which they appear.

Table 95: show spanning-tree statistics Output Fields

Field Name               Field Description
BPDUs sent               Total number of BPDUs sent.
BPDUs received           Total number of BPDUs received.
Interface                Interface for which the statistics are being displayed.
Next BPDU transmission   Number of seconds until the next BPDU is scheduled to be sent.

show spanning-tree
statistics interface

user@switch> show spanning-tree statistics interface ge-0/0/4

Interface    BPDUs sent    BPDUs received    Next BPDU transmission
ge-0/0/4     7             190               0


show vlans

Syntax

show vlans
<brief | detail | extensive>
<dot1q-tunneling>
<sort-by (tag | name)>
<vlan-range-name>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.
Command modified in JUNOS Release 9.2 for EX Series switches to display support
for MAC-based VLANs and sort-by (tag | name) and vlan-range-name options.
Command modified in JUNOS Release 9.4 for EX Series switches to display whether
MAC learning is disabled on a VLAN.

Description

Display information about VLANs configured on bridged Ethernet interfaces. For
interfaces configured to support a VoIP VLAN and a data VLAN, the show vlans
command displays both tagged and untagged membership for those VLANs.

NOTE: When a series of VLANs is created using the vlan-range statement, such VLAN
names are prefixed and suffixed with a double underscore. For example, a series of
VLANs using the VLAN range 1-3 and the base VLAN name marketing would be
displayed as __marketing_1__, __marketing_2__, and __marketing_3__.

NOTE: To display an 802.1X supplicant successfully authenticated in
multiple-supplicant mode with dynamic VLAN movement, use the show vlans
vlan-name extensive operational mode command, where vlan-name is the dynamic
VLAN.

Options

none: Display information for all VLANs. VLAN information is displayed by VLAN
name in ascending order.
brief | detail | extensive: (Optional) Display the specified level of output.
dot1q-tunneling: (Optional) Display VLANs with the Q-in-Q tunneling feature enabled.
sort-by (tag | name): (Optional) Display VLANs in ascending order of VLAN IDs or
VLAN names.
vlan-range-name: (Optional) Display VLANs in ascending order of VLAN-range names.

Required Privilege Level

view

Related Topics

show ethernet-switching interfaces
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483
Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490
Example: Configure Automatic VLAN Administration Using GVRP on page 508
Example: Configuring a Private VLAN on an EX Series Switch on page 533
Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530
Understanding Bridging and VLANs on EX Series Switches on page 467

List of Sample Output

show vlans on page 754
show vlans brief on page 755
show vlans detail on page 755
show vlans extensive (MAC-based) on page 756
show vlans extensive (Port-based) on page 756
show vlans sort-by tag on page 757
show vlans sort-by employee (vlan-range-name) on page 758
show vlans employee (vlan-range-name) on page 758

Output Fields

Table 96 on page 753 lists the output fields for the show vlans command. Output fields
are listed in the approximate order in which they appear.

Table 96: show vlans Output Fields

Field Name            Field Description                                                  Level of Output
Name                  Name of a VLAN.                                                    none, brief
Tag                   The 802.1Q tag applied to this VLAN. If none is displayed, no     All levels
                      tag is applied.
Interfaces            Interface associated with learned MAC addresses or all-members    All levels
                      (flood entry). An asterisk (*) beside the interface indicates
                      that the interface is UP.
Address               The IP address.                                                    none, brief
Ports Active / Total  The number of interfaces associated with a VLAN. The Active       brief
                      column indicates interfaces that are UP, and the Total column
                      indicates interfaces that are active and inactive.
VLAN                  Name of a VLAN.                                                    detail, extensive
Admin state           Indicates whether the physical link is operational and can pass   detail, extensive
                      packets.
Dot1q Tunneling       Indicates whether Q-in-Q Tunneling is enabled.                     detail, extensive
Status
MAC learning Status   Indicates whether MAC learning is disabled.                        detail, extensive
Description           A description for the VLAN.                                       detail, extensive
Primary IP            Primary IP address associated with a VLAN.                        detail
Number of interfaces  The number of interfaces associated with a VLAN. Both the total   detail, extensive
                      number of interfaces and the number of active interfaces
                      associated with a VLAN are displayed.
STP                   The spanning tree associated with a VLAN.                         detail, extensive
RTG                   The redundant trunk group associated with a VLAN.                 detail, extensive
Tagged interfaces     The tagged interfaces to which a VLAN is associated.              detail, extensive
Untagged interfaces   The untagged interfaces to which a VLAN is associated.            detail, extensive
Customer VLAN Ranges  Lists the customer VLAN (C-VLAN) ranges associated with this      extensive
                      service VLAN (S-VLAN).
Private VLAN Mode     The private VLAN mode for this VLAN. Values are Primary,          extensive
                      Isolated, and Community.
Primary VLAN          The primary VLAN tag for this secondary VLAN.                     extensive
Internal Index        VLAN index internal to JUNOS Software.                            extensive
Origin                The manner in which the VLAN was created. Values are static       extensive
                      and learn.
Protocol              Port-based VLAN or MAC-based VLAN. MAC-based protocol is          extensive
                      displayed when VLAN assignment is done either statically or
                      dynamically through 802.1X.
IP addresses          IP address associated with a VLAN.                                extensive
Number of MAC         For MAC-based VLANs created either statically or dynamically,     extensive
entries               the MAC addresses associated with an interface.
Secondary VLANs       The secondary VLANs associated with a primary VLAN.              extensive
Isolated VLANs        The isolated VLANs associated with a primary VLAN.               extensive
Community VLANs       The community VLANs associated with a primary VLAN.              extensive

show vlans

user@switch> show vlans

Name      Tag    Interfaces
default   None   ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,
                 ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0,
                 ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0,
                 ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0,
                 ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
                 ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0
v0001     1      ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0
v0002     2      None
v0003     3      None
v0004     4      None
v0005     5      None

show vlans brief

user@switch> show vlans brief

Name      Tag    Address    Ports
                            Active/Total
default   None              0/23
v0001     1                 0/4
v0002     2                 0/0
v0003     3                 0/0
v0004     4                 0/0
v0005     5                 0/0
v0006     6                 0/0
v0007     7                 0/0
v0008     8                 0/0
v0009     9                 0/0
v0010     10                0/2
v0011     11                0/0
v0012     12                0/0
v0013     13                0/0
v0014     14                0/0
v0015     15                0/0
v0016     16                0/0

show vlans detail

user@switch> show vlans detail


VLAN: default, Tag: Untagged, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 23 (Active = 0)
STP: None, RTG: None
Untagged interfaces: ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,
ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0,
ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0, ge-0/0/17.0, ge-0/0/16.0,
ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0,
Tagged interfaces: None
VLAN: v0001, Tag: 802.1Q Tag 1, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 4 (Active = 0)
Dot1q Tunneling Status: Enabled
STP: None, RTG: None
Untagged interfaces: None
Tagged interfaces: ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0,
VLAN: v0002, Tag: 802.1Q Tag 2, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 0 (Active = 0)
STP: None, RTG: None
Untagged interfaces: None
Tagged interfaces: None
VLAN: v0003, Tag: 802.1Q Tag 3, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 0 (Active = 0)
STP: None, RTG: None
Untagged interfaces: None
Tagged interfaces: None
VLAN: vlan4000, 802.1Q Tag: Untagged, Admin State: Enabled
MAC learning Status: Disabled
Number of interfaces: 0 (Active = 0)
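The detail output is the natural input for a periodic VLAN audit. The following Python is an added example, not code from this guide or from Juniper: it parses each VLAN: block into a dictionary (tolerating the two header spellings the output uses, Tag / 802.1Q Tag and Admin state / Admin State, and interface lists that wrap across lines) and reports interfaces still sitting in the default VLAN, VLANs with Q-in-Q tunneling enabled, and VLANs with MAC learning disabled. The sample text is an excerpt of the detail output shown above; the three checks are constructed for illustration and are the kind of thing you would tune to your own standard.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: an excerpt of the "show vlans detail" output shown above.
SAMPLE_DETAIL = """\
VLAN: default, Tag: Untagged, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 23 (Active = 0)
STP: None, RTG: None
Untagged interfaces: ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,
ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0,
ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0, ge-0/0/17.0, ge-0/0/16.0,
ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0,
Tagged interfaces: None
VLAN: v0001, Tag: 802.1Q Tag 1, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 4 (Active = 0)
Dot1q Tunneling Status: Enabled
STP: None, RTG: None
Untagged interfaces: None
Tagged interfaces: ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0,
VLAN: vlan4000, 802.1Q Tag: Untagged, Admin State: Enabled
MAC learning Status: Disabled
Number of interfaces: 0 (Active = 0)
"""

# Splits "Primary IP: None, Number of interfaces: 23 (Active = 0)" into its
# "key: value" fields without splitting inside comma-separated interface lists
# (interface names contain '-' and '/', which the key pattern excludes).
FIELD_SPLIT_RE = re.compile(r", (?=[A-Za-z0-9][A-Za-z0-9. ]*: )")
KEY_VALUE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9. ]*): ?(.*)$")


def _interfaces(value: str) -> List[str]:
    """'None' -> []; otherwise the comma-separated names, trailing comma tolerated."""
    if value.strip() == "None":
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_vlans_detail(text: str) -> List[Dict[str, Any]]:
    """Parse each 'VLAN: ...' block into a dict with lower-cased keys.

    Interface lists live under 'untagged' and 'tagged'; a line holding only
    interface names continues whichever list was last started.
    """
    vlans: List[Dict[str, Any]] = []
    current_list: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("VLAN:"):
            vlans.append({"untagged": [], "tagged": []})
            current_list = None
        if not vlans:
            continue
        vlan = vlans[-1]
        if KEY_VALUE_RE.match(line) is None:
            if current_list is not None:
                vlan[current_list].extend(_interfaces(line))
            continue
        for field in FIELD_SPLIT_RE.split(line):
            m = KEY_VALUE_RE.match(field)
            if m is None:
                continue
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if key in ("untagged interfaces", "tagged interfaces"):
                current_list = key.split()[0]
                vlan[current_list] = _interfaces(value)
            elif key.endswith("tag"):          # printed as "Tag" or "802.1Q Tag"
                vlan["tag"] = value
            elif key == "vlan":
                vlan["name"] = value
            else:
                vlan[key] = value               # "admin state", "mac learning status", ...
    return vlans


def audit(vlans: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(check, vlan-name) pairs worth a second look. Checks are constructed examples."""
    findings: List[Tuple[str, str]] = []
    for v in vlans:
        name = str(v.get("name", "?"))
        if name == "default" and (v["untagged"] or v["tagged"]):
            findings.append(("ports-in-default-vlan", name))
        if v.get("dot1q tunneling status") == "Enabled":
            findings.append(("qinq-enabled", name))
        if v.get("mac learning status") == "Disabled":
            findings.append(("mac-learning-disabled", name))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vlans_detail(SAMPLE_DETAIL)):
        print(*finding)
```

The parser keys on the literal field names the command prints, so the same function works on the extensive output's common fields; the per-VLAN interface lines there ("ge-0/0/34.0 (untagged, access)") are not key: value pairs and would need their own pattern.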


show vlans extensive
(MAC-based)

user@switch> show vlans extensive


VLAN: default, Created at: Thu May 15 13:43:09 2008
Internal index: 3, Admin State: Enabled, Origin: Static
Protocol: Port Mode
Number of interfaces: Tagged 0 (Active = 0), Untagged 2 (Active = 2)
ge-0/0/0.0*, untagged, access
ge-0/0/14.0*, untagged, access
VLAN: vlan_dyn, Created at: Thu May 15 13:43:09 2008
Internal index: 4, Admin State: Enabled, Origin: Static
Protocol: Port Mode
Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0)
Protocol: MAC Based
Number of MAC entries: 6
ge-0/0/0.0*
00:00:00:00:00:02 (untagged)
00:00:00:00:00:03 (untagged)
00:00:00:00:00:04 (untagged)
00:00:00:00:00:05 (untagged)
00:00:00:00:00:06 (untagged)
00:00:00:00:00:07 (untagged)

show vlans extensive
(Port-based)

user@switch> show vlans extensive


VLAN: default, created at Mon Feb 4 12:13:47 2008
Tag: None, Internal index: 0, Admin state: Enabled, Origin: static
Description: None
Dot1q Tunneling Status: Enabled
Customer VLAN ranges:
1-4100
Private VLAN Mode: Primary
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 0 (Active = 0), Untagged 23 (Active = 0)
ge-0/0/34.0 (untagged, access)
ge-0/0/33.0 (untagged, access)
ge-0/0/32.0 (untagged, access)
ge-0/0/31.0 (untagged, access)
ge-0/0/30.0 (untagged, access)
ge-0/0/29.0 (untagged, access)
ge-0/0/28.0 (untagged, access)
ge-0/0/27.0 (untagged, access)
ge-0/0/26.0 (untagged, access)
ge-0/0/25.0 (untagged, access)
ge-0/0/19.0 (untagged, access)
ge-0/0/18.0 (untagged, access)
ge-0/0/17.0 (untagged, access)
ge-0/0/16.0 (untagged, access)
ge-0/0/15.0 (untagged, access)
ge-0/0/14.0 (untagged, access)
ge-0/0/13.0 (untagged, access)
ge-0/0/11.0 (untagged, access)
ge-0/0/9.0 (untagged, access)
ge-0/0/8.0 (untagged, access)
ge-0/0/3.0 (untagged, access)
ge-0/0/2.0 (untagged, access)
ge-0/0/1.0 (untagged, access)
Secondary VLANs: Isolated 1, Community
Isolated VLANs :
__pvlan_pvlan_ge-0/0/3.0__


Community VLANs :
comm1
VLAN: v0001, created at Mon Feb 4 12:13:47 2008
Tag: 1, Internal index: 1, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 4 (Active = 0), Untagged 0 (Active = 0)
ge-0/0/24.0 (tagged, trunk)
ge-0/0/23.0 (tagged, trunk)
ge-0/0/22.0 (tagged, trunk)
ge-0/0/21.0 (tagged, trunk)
VLAN: v0002, created at Mon Feb 4 12:13:47 2008
Tag: 2, Internal index: 2, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0)
None
VLAN: v0003, created at Mon Feb 4 12:13:47 2008
Tag: 3, Internal index: 3, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0)
None

show vlans sort-by tag

user@switch> show vlans sort-by tag

Name             Tag    Interfaces
default          None
__vlan-x_1__     1      None
__vlan-x_2__     2      None
__vlan-x_3__     3      None
__vlan-x_4__     4      None
__vlan-x_5__     5      None
__vlan-x_6__     6      None
__vlan-x_7__     7      None
__vlan-x_8__     8      None
__vlan-x_9__     9      None
__vlan-x_10__    10     None
__vlan-x_11__    11     None
__vlan-x_12__    12     None
__vlan-x_13__    13     None
__vlan-x_14__    14     None
__vlan-x_15__    15     None
__vlan-x_16__    16     None
__vlan-x_17__    17     None
__vlan-x_18__    18     None
__vlan-x_19__    19     None
__vlan-x_20__    20     None

show vlans sort-by
employee
(vlan-range-name)

user@switch> show vlans sort-by employee

Name               Tag    Interfaces
__employee_120__   120    ge-0/0/22.0*
__employee_121__   121    ge-0/0/22.0*
__employee_122__   122    ge-0/0/22.0*
__employee_123__   123    ge-0/0/22.0*
__employee_124__   124    ge-0/0/22.0*
__employee_125__   125    ge-0/0/22.0*
__employee_126__   126    ge-0/0/22.0*
__employee_127__   127    ge-0/0/22.0*
__employee_128__   128    ge-0/0/22.0*
__employee_129__   129    ge-0/0/22.0*
__employee_130__   130    ge-0/0/22.0*

show vlans employee
(vlan-range-name)

user@switch> show vlans employee

Name               Tag    Interfaces
__employee_120__   120    ge-0/0/22.0*
__employee_121__   121    ge-0/0/22.0*
__employee_122__   122    ge-0/0/22.0*
__employee_123__   123    ge-0/0/22.0*
__employee_124__   124    ge-0/0/22.0*
__employee_125__   125    ge-0/0/22.0*
__employee_126__   126    ge-0/0/22.0*
__employee_127__   127    ge-0/0/22.0*
__employee_128__   128    ge-0/0/22.0*
__employee_129__   129    ge-0/0/22.0*
__employee_130__   130    ge-0/0/22.0*


Part 9

Layer 3 Protocols

Understanding Layer 3 Protocols on page 763

Examples of Configuring Layer 3 Protocols on page 767

Configuring Layer 3 Protocols on page 771

Verifying Layer 3 Protocols on page 783


Chapter 39

Understanding Layer 3 Protocols

DHCP Services for EX Series Switches Overview on page 763

DHCP/BOOTP Relay for EX Series Switches Overview on page 764

Understanding IP Directed Broadcast for EX Series Switches on page 765

DHCP Services for EX Series Switches Overview

A Dynamic Host Configuration Protocol (DHCP) server can automatically allocate IP
addresses and also deliver configuration settings to client hosts on a subnet.

DHCP is particularly useful for managing a pool of IP addresses among hosts. An IP
address can be leased to a host for a limited period of time, allowing the DHCP server
to share a limited number of IP addresses among a group of hosts that do not need
permanent IP addresses.

DHCP, through the use of the automatic software download feature, can also be used
to install software packages on Juniper Networks EX Series Ethernet Switches. Users
can define a path to a software package on the DHCP server, and then the DHCP
server communicates this path to EX Series switches acting as DHCP clients as part
of the DHCP message exchange process. The DHCP clients that have been configured
for automatic software download receive these messages and, when the software
package name in the DHCP server message is different from that of the software
package that booted the DHCP client switch, download and install the software
package. See Upgrading Software Using Automatic Software Download on EX Series
Switches on page 100.

To configure DHCP access service for an EX Series switch, you can use either the
JUNOS command-line interface (CLI) or the J-Web user interface.

For detailed information about configuring DHCP services, see the JUNOS Software
System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html. The configuration
for DHCP service on the EX Series switch includes the dhcp statement at the
[edit system services] hierarchy level. The commands and statements are the same as
those used to configure DHCP for Juniper Networks J Series Services Routers.

You can monitor DHCP services for the switch by using either operational-mode CLI
commands or the J-Web interface.


Related Topics

For information about configuring DHCP services with the CLI, see the JUNOS
Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html.

Configuring DHCP Services (J-Web Procedure) on page 772

Upgrading Software Using Automatic Software Download on EX Series Switches


on page 100

Monitoring DHCP Services on page 785

DHCP/BOOTP Relay for EX Series Switches Overview


You can configure the Juniper Networks EX Series Ethernet Switch to act as a Dynamic
Host Configuration Protocol (DHCP) or Bootstrap Protocol (BOOTP) relay agent. This
means that a locally attached host can issue a DHCP or BOOTP request as a broadcast
message. If the switch sees this broadcast message, it relays the message to a specified
DHCP or BOOTP server. You should configure the switch to be a DHCP/BOOTP relay
agent if you have locally attached hosts and a distant DHCP or BOOTP server.

For detailed information about configuring a DHCP/BOOTP relay agent, see the JUNOS
Software Policy Framework Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos93/index.html. The configuration
of the switch to act as a DHCP/BOOTP relay agent includes the bootp statement at the
[edit forwarding-options helpers] hierarchy level. The commands and statements are
the same as those used to configure a DHCP/BOOTP relay agent on Juniper Networks
routing platforms that run under Juniper Networks JUNOS Software.

NOTE: Because DHCP/BOOTP messages are broadcast and are not directed to a
specific server, switch, or router, EX Series switches cannot function as both a DHCP
server and a DHCP/BOOTP relay agent at the same time. JUNOS Software generates
a commit error if both options are configured at the same time, and the commit will
not succeed until one of the options is removed.
Related Topics

For information about configuring the switch as a DHCP/BOOTP relay agent, see
the JUNOS Software Policy Framework Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos93/index.html.

DHCP Services for EX Series Switches Overview on page 763


Understanding IP Directed Broadcast for EX Series Switches


IP directed broadcast helps you implement remote administration tasks such as
backups and wake-on-LAN (WOL) application tasks by sending broadcast packets
targeted at the hosts in a specified destination subnet. IP directed broadcast packets
traverse the network in the same way as unicast IP packets until they reach the
destination subnet. When they reach the destination subnet and IP directed broadcast
is enabled on the receiving switch, the switch translates (explodes) the IP directed
broadcast packet into a broadcast that floods the packet on the target subnet. All
hosts on the target subnet receive the IP directed broadcast packet.
This topic covers:

IP Directed Broadcast for EX Series Switches Overview on page 765

IP Directed Broadcast Implementation for EX Series Switches on page 765

When to Enable IP Directed Broadcast on page 766

When Not to Enable IP Directed Broadcast on page 766

IP Directed Broadcast for EX Series Switches Overview


IP directed broadcast packets have a destination IP address that is a valid broadcast
address for the subnet that is the target of the directed broadcast (the target subnet).
The intent of an IP directed broadcast is to flood the target subnet with the broadcast
packets without broadcasting to the entire network. IP directed broadcast packets
cannot originate from the target subnet.

When you send an IP directed broadcast packet, as it travels to the target subnet,
the network forwards it in the same way as it forwards a unicast packet. When the
packet reaches a switch that is directly connected to the target subnet, the switch
checks to see whether IP directed broadcast is enabled on the interface that is directly
connected to the target subnet:

If IP directed broadcast is enabled on that interface, the switch broadcasts the
packet on that subnet by rewriting the destination IP address as the configured
broadcast IP address for the subnet. The switch converts the packet to a link-layer
broadcast packet that every host on the network processes.

If IP directed broadcast is disabled on the interface that is directly connected to
the target subnet, the switch drops the packet.

IP Directed Broadcast Implementation for EX Series Switches


You configure IP directed broadcast on a per-subnet basis by enabling IP directed
broadcast on the Layer 3 interface of the subnet's VLAN. When the switch that is
connected to that subnet receives a packet that has the subnet's broadcast IP address
as the destination address, the switch broadcasts the packet to all hosts on the subnet.
By default, IP directed broadcast is disabled.


When to Enable IP Directed Broadcast


IP directed broadcast is disabled by default. Enable IP directed broadcast when you
want to perform remote management or administration services such as backups
or WOL tasks on hosts in a subnet that does not have a direct connection to the
Internet.
Enabling IP directed broadcast on a subnet affects only the hosts within that subnet.
Only packets received on the subnet's Layer 3 interface that have the subnet's
broadcast IP address as the destination address are flooded on the subnet.

When Not to Enable IP Directed Broadcast


Typically, you do not enable IP directed broadcast on subnets that have direct
connections to the Internet. Disabling IP directed broadcast on a subnet's Layer 3
interface affects only that subnet. If you disable IP directed broadcast on a subnet
and a packet that has the broadcast IP address of that subnet arrives at the switch,
the switch drops the broadcast packet.

If a subnet has a direct connection to the Internet, enabling IP directed broadcast on
it increases the network's susceptibility to denial-of-service (DoS) attacks.
For example, a malicious attacker can spoof a source IP address (use a source IP
address that is not the actual source of the transmission to deceive a network into
identifying the attacker as a legitimate source) and send IP directed broadcasts
containing Internet Control Message Protocol (ICMP) echo (ping) packets. When the
hosts on the network with IP directed broadcast enabled receive the ICMP echo
packets, they all send replies to the victim that has the spoofed source IP address.
This creates a flood of ping replies in a DoS attack that can overwhelm the spoofed
source address; this is known as a smurf attack. Another common DoS attack on
exposed networks with IP directed broadcast enabled is a fraggle attack, which is
similar to a smurf attack except that the malicious packet is a User Datagram Protocol
(UDP) echo packet instead of an ICMP echo packet.
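The forwarding rule described in this topic, and the reason for the Internet-facing caveat, can be modelled in a few lines. The following Python is an added example, not Juniper's code: an Rvi object stands in for a routed VLAN interface, its targeted_broadcast attribute mirrors the family inet targeted-broadcast statement, and internet_facing is a hypothetical inventory flag used only by the configuration check (it is not a JUNOS setting). The addresses are those of the example topology on this page, with the switch's decision for each packet class spelled out, an upper bound on how many replies one spoofed echo could provoke from the subnet, and a check that flags the combination the text says to avoid.

```python
import ipaddress
from typing import List


class Rvi:
    """A routed VLAN interface (Layer 3 interface of a VLAN) as the switch sees it.

    targeted_broadcast mirrors the 'family inet targeted-broadcast' statement.
    internet_facing is a hypothetical inventory flag, not a JUNOS setting,
    used only by risky_rvis().
    """

    def __init__(self, name: str, address: str, targeted_broadcast: bool = False,
                 internet_facing: bool = False) -> None:
        self.name = name
        iface = ipaddress.ip_interface(address)
        self.network = iface.network
        self.broadcast = iface.network.broadcast_address
        self.targeted_broadcast = targeted_broadcast
        self.internet_facing = internet_facing


def example_switch() -> List[Rvi]:
    # Constructed to match the topology on this page: v0 on vlan.0 (ingress)
    # and v1 on vlan.1 (egress) with targeted-broadcast enabled.
    return [Rvi("vlan.0", "10.1.1.1/24"),
            Rvi("vlan.1", "10.1.2.1/24", targeted_broadcast=True)]


def classify(rvis: List[Rvi], src: str, dst: str) -> str:
    """What the switch does with a packet routed toward its own subnets.

    'flood:<rvi>'      directed broadcast accepted and exploded onto that subnet
    'drop'             directed broadcast for a subnet with the feature disabled
    'local-broadcast'  broadcast that originated on the target subnet itself,
                       which by definition is not a directed broadcast
    'forward-unicast'  ordinary host address on a directly connected subnet
    'not-local'        no directly connected subnet matches
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rvi in rvis:
        if d == rvi.broadcast:
            if s in rvi.network:
                return "local-broadcast"
            return f"flood:{rvi.name}" if rvi.targeted_broadcast else "drop"
        if d in rvi.network:
            return "forward-unicast"
    return "not-local"


def reply_amplification(rvi: Rvi) -> int:
    """Upper bound on echo replies one spoofed directed broadcast can trigger:
    every usable host address on the subnet may answer the spoofed source."""
    return max(0, rvi.network.num_addresses - 2)


def risky_rvis(rvis: List[Rvi]) -> List[str]:
    """RVIs with targeted-broadcast enabled on an Internet-facing subnet, the
    combination this topic says not to configure."""
    return [r.name for r in rvis if r.targeted_broadcast and r.internet_facing]


if __name__ == "__main__":
    sw = example_switch()
    for src, dst in [("10.1.1.50", "10.1.2.255"), ("10.1.2.50", "10.1.1.255"),
                     ("10.1.2.7", "10.1.2.255"), ("10.1.1.5", "10.1.2.9")]:
        print(f"{src} -> {dst}: {classify(sw, src, dst)}")
    print("replies per spoofed echo on vlan.1:", reply_amplification(sw[1]))
    print("risky RVIs:", risky_rvis(sw))
```

The amplification figure is the reason the feature stays disabled by default and off Internet-facing subnets: a single packet whose source is spoofed to the victim is answered by up to every host on the /24.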
Related Topics

Example: Configuring IP Directed Broadcast on an EX Series Switch on page 767

Configuring IP Directed Broadcast (CLI Procedure) on page 781

Chapter 40

Examples of Configuring Layer 3 Protocols

Example: Configuring IP Directed Broadcast on an EX Series Switch on page 767

Example: Configuring IP Directed Broadcast on an EX Series Switch


IP directed broadcast provides a method of sending broadcast packets to hosts on a
specified subnet without broadcasting those packets to hosts on the entire network.
This example shows how to enable a subnet to receive IP directed broadcast packets
so you can perform backups and other network management tasks remotely:

Requirements on page 767

Overview and Topology on page 767

Configuration on page 768

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.4 or later for EX Series switches

One PC

One EX Series switch

Before you configure IP directed broadcast for a subnet:

Ensure that the subnet does not have a direct connection to the Internet.

Configure routed VLAN interfaces (RVIs) for the ingress and egress VLANs on
the switch. See Configuring Routed VLAN Interfaces (CLI Procedure) on page 547
or Configuring VLANs for EX Series Switches (J-Web Procedure) on page 543.

Overview and Topology


You might want to perform remote administration tasks such as backups and
wake-on-LAN (WOL) application tasks to manage groups of clients on a subnet. One
way to do this is to send IP directed broadcast packets targeted at the hosts in a
particular target subnet.

The network forwards IP directed broadcast packets as if they were unicast packets.
When the IP directed broadcast packet is received by a VLAN that is enabled for
targeted-broadcast, the switch broadcasts the packet to all the hosts in its subnet.

In this topology (see Figure 38 on page 768), a host is connected to an interface on
an EX Series switch to manage the clients in subnet 10.1.2.1/24. When the switch
receives a packet with the broadcast IP address of the target subnet as its destination
address, it forwards the packet to the subnet's Layer 3 interface and broadcasts it to
all the hosts within the subnet.
Figure 38: Topology for IP Directed Broadcast

Table 97 on page 768 shows the settings of the components in this example.

Table 97: Components of the IP Directed Broadcast Topology

Property                   Settings
Switch hardware            EX Series switch
Ingress VLAN name          v0
Ingress VLAN IP address    10.1.1.1/24
Egress VLAN name           v1
Egress VLAN IP address     10.1.2.1/24
Interfaces in VLAN v0      ge-0/0/3.0
Interfaces in VLAN v1      ge-0/0/0.0 and ge-0/0/1.0

Configuration
To configure IP directed broadcast on a subnet to enable remote management of its
hosts:
CLI Quick Configuration

To quickly configure the switch to accept IP directed broadcasts targeted at subnet
10.1.2.1/24, copy the following commands and paste them into the switch's terminal
window:

[edit]
set interfaces ge-0/0/0.0 family ethernet-switching vlan members v1
set interfaces ge-0/0/1.0 family ethernet-switching vlan members v1
set interfaces vlan.1 family inet address 10.1.2.1/24
set interfaces ge-0/0/3.0 family ethernet-switching vlan members v0
set interfaces vlan.0 family inet address 10.1.1.1/24
set vlans v1 l3-interface vlan.1
set vlans v0 l3-interface vlan.0
set interfaces vlan.1 family inet targeted-broadcast

Step-by-Step Procedure

To configure the switch to accept IP directed broadcasts targeted at subnet
10.1.2.1/24:
1. Add logical interface ge-0/0/0.0 to VLAN v1:

[edit interfaces]
user@switch# set ge-0/0/0.0 family ethernet-switching vlan members v1

2. Add logical interface ge-0/0/1.0 to VLAN v1:

[edit interfaces]
user@switch# set ge-0/0/1.0 family ethernet-switching vlan members v1

3. Configure the IP address for the egress VLAN, v1:

[edit interfaces]
user@switch# set vlan.1 family inet address 10.1.2.1/24

4. Add logical interface ge-0/0/3.0 to VLAN v0:

[edit interfaces]
user@switch# set ge-0/0/3.0 family ethernet-switching vlan members v0

5. Configure the IP address for the ingress VLAN:

[edit interfaces]
user@switch# set vlan.0 family inet address 10.1.1.1/24

6. To route traffic between the ingress and egress VLANs, associate a Layer 3
interface with each VLAN:

[edit vlans]
user@switch# set v1 l3-interface vlan.1
user@switch# set v0 l3-interface vlan.0

7. Enable the Layer 3 interface for the egress VLAN to receive IP directed
broadcasts:

[edit interfaces]
user@switch# set vlan.1 family inet targeted-broadcast

Results

Check the results:


user@switch# show
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members v1;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members v1;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members v0;
}
}
}
}
vlan {
unit 0 {
family inet {
targeted-broadcast;
address 10.1.1.1/24;
}
}
unit 1 {
family inet {
targeted-broadcast;
address 10.1.2.1/24;
}
}
}
vlans {
default;
v0 {
l3-interface vlan.0;
}
v1 {
l3-interface vlan.1;
}
}
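As an added audit check (not code from the guide or from JUNOS), the following Python parses show output in the layout above and lists every inet unit that has targeted-broadcast set, together with the VLAN that uses it as its Layer 3 interface. The embedded configuration is a trimmed copy of the Results output; the parser handles only the brace-and-semicolon layout that show prints, and the function names are this example's own.

```python
"""Audit a Junos-style configuration for units that accept IP directed
broadcasts. Added example, not code from the EX Series guide; SAMPLE_CONFIG
is a trimmed copy of the Results output shown in the guide."""

SAMPLE_CONFIG = """\
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members v1;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                targeted-broadcast;
                address 10.1.1.1/24;
            }
        }
        unit 1 {
            family inet {
                targeted-broadcast;
                address 10.1.2.1/24;
            }
        }
    }
}
vlans {
    default;
    v0 {
        l3-interface vlan.0;
    }
    v1 {
        l3-interface vlan.1;
    }
}
"""


def parse_junos(text):
    """`name {` becomes {'name': {...}}; a leaf `statement;` becomes
    {'statement': None}. Only the layout printed by `show` is handled."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def directed_broadcast_units(config):
    """Return [(logical_interface, address)] for every inet unit that has
    targeted-broadcast set; address is None when the unit has no address."""
    found = []
    for ifname, ifbody in (config.get("interfaces") or {}).items():
        for key, unit in (ifbody or {}).items():
            # Only `unit N { family inet { targeted-broadcast; ... } }` counts.
            if not key.startswith("unit ") or not isinstance(unit, dict):
                continue
            inet = unit.get("family inet")
            if not isinstance(inet, dict) or "targeted-broadcast" not in inet:
                continue
            addrs = [k.split(" ", 1)[1] for k in inet if k.startswith("address ")]
            found.append((f"{ifname}.{key.split()[1]}", addrs[0] if addrs else None))
    return found


def vlan_for_l3_interface(config, l3_interface):
    """Name of the VLAN whose l3-interface is `l3_interface`, or None."""
    for name, body in (config.get("vlans") or {}).items():
        if isinstance(body, dict) and f"l3-interface {l3_interface}" in body:
            return name
    return None


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    for unit, addr in directed_broadcast_units(cfg):
        print(f"{unit} ({addr}) accepts directed broadcasts; "
              f"VLAN {vlan_for_l3_interface(cfg, unit)}")
```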
Related Topics


Configuring IP Directed Broadcast (CLI Procedure) on page 781

Chapter 41

Configuring Layer 3 Protocols

Configuring BGP Sessions (J-Web Procedure) on page 771

Configuring DHCP Services (J-Web Procedure) on page 772

Configuring an OSPF Network (J-Web Procedure) on page 775

Configuring a RIP Network (J-Web Procedure) on page 776

Configuring SNMP (J-Web Procedure) on page 777

Configuring Static Routing (CLI Procedure) on page 780

Configuring Static Routing (J-Web Procedure) on page 781

Configuring IP Directed Broadcast (CLI Procedure) on page 781

Configuring BGP Sessions (J-Web Procedure)


J-Web Configuration allows you to create BGP peering sessions.

NOTE: To configure BGP sessions, a license must be installed on the EX Series switch.

To configure a BGP peering session:

1. In the J-Web user interface, select Configure > Routing > BGP Routing.

2. Enter information into the configuration page for BGP, as described in Table 98
   on page 771.

3. To apply the configuration, click Apply.

Table 98: BGP Routing Configuration Summary

Router Identification

Router Identifier (required)
  Function: Uniquely identifies the device.
  Your Action: Type the switch's 32-bit IP address, in dotted decimal notation.

BGP

Enable BGP
  Function: Enables or disables BGP.
  Your Action: To enable BGP, select the check box. To disable BGP, clear the
  check box.

Autonomous System Number
  Function: Sets the unique numeric identifier of the AS in which the switch is
  configured.
  Your Action: Type the switch's 32-bit AS number, in dotted decimal notation.
  If you enter an integer, the value is converted to a 32-bit equivalent. For
  example, if you enter 3, the value assigned to the AS is 0.0.0.3.

Peer Autonomous System Number
  Function: Sets the unique numeric identifier of the AS in which the peer host
  resides.
  Your Action: Type the peer host's 32-bit AS number, in dotted decimal
  notation. If you enter an integer, the value is converted to a 32-bit
  equivalent. For example, if you enter 3, the value assigned to the AS is
  0.0.0.3.

Peer Address
  Function: Specifies the IP address of the peer host's interface to which the
  BGP session is being established.
  Your Action: Type the IP address of the peer host's adjacent interface, in
  dotted decimal notation.

Local Address
  Function: Specifies the IP address of the local host's interface from which
  the BGP session is being established.
  Your Action: Type the IP address of the local host's adjacent interface, in
  dotted decimal notation.

Related Topics

EX Series Switch Software Features Overview on page 3

Monitoring BGP Routing Information on page 783

Configuring DHCP Services (J-Web Procedure)


Use the J-Web DHCP Configuration pages to configure DHCP pools for subnets and
static bindings for DHCP clients. If DHCP pools or static bindings are already
configured, use the Configure Global DHCP Parameters Configuration page to add
settings for these pools and static bindings. Settings that have been previously
configured for DHCP pools or static bindings are not overridden when you use the
Configure Global DHCP Parameters Configuration page.

To configure the DHCP server:

1. Select Configure > Services > DHCP.

2. Access a DHCP Configuration page:

   To configure a DHCP pool for a subnet, click Add in the DHCP Pools box.

   To configure a static binding for a DHCP client, click Add in the DHCP Static
   Binding box.

   To globally configure settings for existing DHCP pools and static bindings,
   click Configure Global DHCP Parameters.

3. Enter information into the DHCP Configuration pages, as described in Table 99
   on page 773.

4. To apply the configuration, click Apply.

Table 99: DHCP Server Configuration Pages Summary

DHCP Pool Information

DHCP Subnet (required)
  Function: Specifies the subnet on which DHCP is configured.
  Your Action: Type an IP address prefix.

Address Range (Low) (required)
  Function: Specifies the lowest address in the IP address pool range.
  Your Action: Type an IP address that is part of the subnet specified in DHCP
  Subnet.

Address Range (High) (required)
  Function: Specifies the highest address in the IP address pool range.
  Your Action: Type an IP address that is part of the subnet specified in DHCP
  Subnet. This address must be greater than the address specified in Address
  Range (Low).

Exclude Addresses
  Function: Specifies addresses to exclude from the IP address pool.
  Your Action: To add an excluded address, type the address next to the Add
  button, and click Add. To delete an excluded address, select the address in
  the Exclude Addresses box, and click Delete.

Lease Time

Maximum Lease Time (Seconds)
  Function: Specifies the maximum length of time a client can hold a lease.
  (Dynamic BOOTP lease lengths can exceed this maximum time.)
  Your Action: Type a number from 60 through 4,294,967,295 (seconds). You can
  also type infinite to specify a lease that never expires.

Default Lease Time (Seconds)
  Function: Specifies the length of time a client can hold a lease for clients
  that do not request a specific lease length.
  Your Action: Type a number from 60 through 2,147,483,647 (seconds). You can
  also type infinite to specify a lease that never expires.

Server Information

Server Identifier
  Function: Specifies the IP address of the DHCP server reported to a client.
  Your Action: Type the IP address of the server. If you do not specify a
  server identifier, the primary address of the interface on which the DHCP
  exchange occurs is used.

Domain Name
  Function: Specifies the domain name that clients must use to resolve
  hostnames.
  Your Action: Type the name of the domain.

Domain Search
  Function: Specifies the order (from top to bottom) in which clients must
  append domain names when resolving hostnames using DNS.
  Your Action: To add a domain name, type the name next to the Add button, and
  click Add. To delete a domain name, select the name in the Domain Search box,
  and click Delete.

DNS Name Servers
  Function: Defines a list of DNS servers the client can use, in the specified
  order (from top to bottom).
  Your Action: To add a DNS server, type an IP address next to the Add button,
  and click Add. To remove a DNS server, select the IP address in the DNS Name
  Servers box, and click Delete.

Gateway Routers
  Function: Defines a list of relay agents on the subnet, in the specified
  order (from top to bottom).
  Your Action: To add a relay agent, type an IP address next to the Add button,
  and click Add. To remove a relay agent, select the IP address in the Gateway
  Routers box, and click Delete.

WINS Servers
  Function: Defines a list of NetBIOS name servers, in the specified order
  (from top to bottom).
  Your Action: To add a NetBIOS name server, type an IP address next to the Add
  button, and click Add. To remove a NetBIOS name server, select the IP address
  in the WINS Servers box, and click Delete.

Boot Options

Boot File
  Function: Specifies the path and filename of the initial boot file to be used
  by the client.
  Your Action: Type a path and filename.

Boot Server
  Function: Specifies the TFTP server that provides the initial boot file to
  the client.
  Your Action: Type the IP address or hostname of the TFTP server.

DHCP Static Binding Information

DHCP MAC Address (required)
  Function: Specifies the MAC address of the client to be permanently assigned
  a static IP address.
  Your Action: Type the hexadecimal MAC address of the client.

Fixed IP Addresses (required)
  Function: Defines a list of IP addresses permanently assigned to the client.
  A static binding must have at least one fixed address assigned to it, but
  multiple addresses are also allowed.
  Your Action: To add an IP address, type it next to the Add button, and click
  Add. To remove an IP address, select it in the Fixed IP Addresses box, and
  click Delete.

Host Name
  Function: Specifies the name of the client used in DHCP messages exchanged
  between the server and the client. The name must be unique to the client
  within the subnet on which the client resides.
  Your Action: Type a client hostname.

Client Identifier
  Function: Specifies the name of the client used by the DHCP server to index
  its database of address bindings. The name must be unique to the client
  within the subnet on which the client resides.
  Your Action: Type a client identifier in string form.

Hexadecimal Client Identifier
  Function: Specifies the name of the client, in hexadecimal form, used by the
  DHCP server to index its database of address bindings. The name must be
  unique to the client within the subnet on which the client resides.
  Your Action: Type a client identifier in hexadecimal form.
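The constraints Table 99 places on a DHCP pool (both range ends inside the subnet, the high address above the low one, excluded addresses inside the range, and lease times from 60 seconds up to each field's limit or the word infinite) can be checked before the values are typed into J-Web. This is an added example, not code from the guide or from JUNOS; the function names and the sample pool values are this example's own.

```python
"""Validate a J-Web DHCP pool definition against the limits in Table 99.

Added example, not part of the EX Series guide; the field names mirror the
J-Web page (DHCP Subnet, Address Range (Low/High), Exclude Addresses,
Maximum/Default Lease Time), the check logic is this example's own.
"""
import ipaddress

MIN_LEASE = 60                       # lower bound for both lease fields
MAX_LEASE_LIMIT = 4_294_967_295      # upper bound for Maximum Lease Time
DEFAULT_LEASE_LIMIT = 2_147_483_647  # upper bound for Default Lease Time


def parse_lease(value, limit):
    """Return the lease in seconds, None for 'infinite'; raise ValueError
    when the number is outside MIN_LEASE..limit."""
    if isinstance(value, str) and value.strip().lower() == "infinite":
        return None
    seconds = int(value)
    if not MIN_LEASE <= seconds <= limit:
        raise ValueError(f"lease time {seconds} outside {MIN_LEASE}..{limit}")
    return seconds


def validate_pool(subnet, low, high, exclude=(), max_lease="86400",
                  default_lease="3600"):
    """Return a list of problems with the pool (empty means it is consistent)."""
    problems = []
    try:
        # strict=True rejects a prefix with host bits set, e.g. 10.1.1.5/24.
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError as err:
        return [f"DHCP Subnet: {err}"]
    lo = ipaddress.ip_address(low)
    hi = ipaddress.ip_address(high)
    if lo not in net:
        problems.append(f"Address Range (Low) {lo} is not in {net}")
    if hi not in net:
        problems.append(f"Address Range (High) {hi} is not in {net}")
    if hi <= lo:
        problems.append("Address Range (High) must be greater than "
                        "Address Range (Low)")
    # An excluded address outside the range would never be handed out anyway.
    for addr in exclude:
        a = ipaddress.ip_address(addr)
        if not lo <= a <= hi:
            problems.append(f"Exclude Addresses: {a} is outside {lo}-{hi}")
    for label, value, limit in (
        ("Maximum Lease Time", max_lease, MAX_LEASE_LIMIT),
        ("Default Lease Time", default_lease, DEFAULT_LEASE_LIMIT),
    ):
        try:
            parse_lease(value, limit)
        except ValueError as err:
            problems.append(f"{label}: {err}")
    return problems


def usable_addresses(low, high, exclude=()):
    """Number of leases the pool can hand out after exclusions."""
    lo = int(ipaddress.ip_address(low))
    hi = int(ipaddress.ip_address(high))
    excluded = {int(ipaddress.ip_address(a)) for a in exclude}
    return sum(1 for n in range(lo, hi + 1) if n not in excluded)


if __name__ == "__main__":
    # Constructed sample pool: a /24 with one reserved address excluded.
    print(validate_pool("10.1.1.0/24", "10.1.1.10", "10.1.1.200",
                        exclude=["10.1.1.100"]))
    print(usable_addresses("10.1.1.10", "10.1.1.200", ["10.1.1.100"]))
```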

Related Topics


DHCP Services for EX Series Switches Overview on page 763

Monitoring DHCP Services on page 785


Configuring an OSPF Network (J-Web Procedure)


J-Web Configuration allows you to create single-area OSPF networks.

To configure a single-area OSPF network:

1. In the J-Web user interface, select Configure > Routing > OSPF Routing.

2. Enter information into the Configuration Routing page for OSPF, as described
   in Table 100 on page 775.

3. To apply the configuration, click Apply.

Table 100: OSPF Routing Configuration Summary

Router Identification

Router Identifier (required)
  Function: Uniquely identifies the device.
  Your Action: Type the switch's 32-bit IP address, in dotted decimal notation.

OSPF

Enable OSPF
  Function: Enables or disables OSPF.
  Your Action: To enable OSPF, select the check box. To disable OSPF, clear the
  check box.

OSPF Area ID
  Function: Uniquely identifies the area within its AS.
  Your Action: Type a 32-bit numeric identifier for the area, or type an
  integer. If you enter an integer, the value is converted to a 32-bit
  equivalent. For example, if you enter 3, the value assigned to the area is
  0.0.0.3.

Area Type
  Function: Designates the type of OSPF area.
  Your Action: Select the type of OSPF area you are creating from the list:
    regular: A regular OSPF area, including the backbone area
    stub: A stub area
    nssa: A not-so-stubby area (NSSA)

OSPF-Enabled Interfaces
  Function: Designates one or more interfaces on which OSPF is enabled.
  Your Action: The first time you configure OSPF, the Logical Interfaces box
  displays a list of all the logical interfaces configured on the switch. Do
  any of the following:
    To enable OSPF on an interface, click the interface name to highlight it,
    and click the left arrow to add the interface to the OSPF interfaces list.
    To enable OSPF on multiple interfaces at once, press Ctrl while you click
    multiple interface names to highlight them. Then click the left arrow to
    add the interfaces to the OSPF interfaces list.
    To enable OSPF on all logical interfaces except the special me0 management
    interface, select All Interfaces in the Logical Interfaces list and click
    the left arrow.
    To enable OSPF on all the interfaces displayed in the Logical Interfaces
    list, click All to highlight every interface. Then click the left arrow to
    add the interfaces to the OSPF interfaces list.
    To disable OSPF on one or more interfaces, highlight the interface or
    interfaces in the OSPF interfaces box and click the right arrow to move
    them back to the Logical Interfaces list.


Related Topics

Monitoring OSPF Routing Information on page 786

Configuring a RIP Network (J-Web Procedure)


J-Web allows you to create RIP networks.

To configure a RIP network:

1. In the J-Web user interface, select Configure > Routing > RIP Routing.

2. Enter information into the Configuration page for RIP, as described in Table 101
   on page 776.

3. To apply the configuration, click Apply.

Table 101: RIP Routing Configuration Summary

RIP

Enable RIP
  Function: Enables or disables RIP.
  Your Action: To enable RIP, select the check box. To disable RIP, clear the
  check box.

Advertise Default Route
  Function: Advertises the default route using RIPv2.
  Your Action: To advertise the default route using RIPv2, select the check
  box. To disable the default route advertisement, clear the check box.

RIP-Enabled Interfaces
  Function: Designates one or more interfaces on which RIP is enabled.
  Your Action: The first time you configure RIP, the Logical Interfaces box
  displays a list of all the logical interfaces configured on the switch. Do
  any of the following:
    To enable RIP on an interface, click the interface name to highlight it,
    and click the left arrow to add the interface to the RIP interfaces list.
    To enable RIP on multiple interfaces at once, press Ctrl while you click
    multiple interface names to highlight them. Then click the left arrow to
    add the interfaces to the RIP interfaces list.
    To disable RIP on one or more interfaces, highlight the interface or
    interfaces in the RIP interfaces box and click the right arrow to move
    them back to the Logical Interfaces list.

Related Topics

Monitoring RIP Routing Information on page 788

Configuring SNMP (J-Web Procedure)


You can use the J-Web interface to define system identification information, create
SNMP communities, create SNMP trap groups, and configure health monitor options.

To configure SNMP features:

1. Select Configure > Services > SNMP.

2. Enter information into the Configuration page for SNMP, as described in Table
   102 on page 777.

3. To apply the configuration, click Apply.

Table 102: SNMP Configuration Page

Identification

Contact Information
  Function: Free-form text string that specifies an administrative contact for
  the system.
  Your Action: Type contact information for the administrator of the system
  (such as name and phone number).

System Description
  Function: Free-form text string that specifies a description for the system.
  Your Action: Type information that describes the system.

Local Engine ID
  Function: Provides an administratively unique identifier of an SNMPv3 engine
  for system identification. The local engine ID contains a prefix and a
  suffix. The prefix is formatted according to specifications defined in RFC
  3411. The suffix is defined by the local engine ID. Generally, the local
  engine ID suffix is the MAC address of Ethernet management port 0.
  Your Action: Type the MAC address of Ethernet management port 0.

System Location
  Function: Free-form text string that specifies the location of the system.
  Your Action: Type location information for the system (lab name or rack
  name, for example).

System Override Name
  Function: Free-form text string that overrides the system hostname.
  Your Action: Type the hostname of the system.

Communities

To add a community, click Add.

Community Name
  Function: Specifies the name of the SNMP community.
  Your Action: Type the name of the community being added.

Authorization
  Function: Specifies the type of authorization (either read-only or
  read-write) for the SNMP community being configured.
  Your Action: Select the desired authorization (either read-only or
  read-write) from the list.

Traps

To add a trap group, click Add.

Trap Group Name
  Function: Specifies the name of the SNMP trap group being configured.
  Your Action: Type the name of the group being added.

Categories
  Function: Specifies which trap categories are added to the trap group being
  configured.
  Your Action:
    To generate traps for authentication failures, select Authentication.
    To generate traps for chassis and environment notifications, select
    Chassis.
    To generate traps for configuration changes, select Configuration.
    To generate traps for link-related notifications (up-down transitions),
    select Link.
    To generate traps for remote operation notifications, select Remote
    operations.
    To generate traps for remote network monitoring (RMON), select RMON alarm.
    To generate traps for routing protocol notifications, select Routing.
    To generate traps on system warm and cold starts, select Startup.
    To generate traps on Virtual Router Redundancy Protocol (VRRP) events
    (such as new-master or authentication failures), select VRRP events.

Targets
  Function: Specifies one or more hostnames or IP addresses for the systems to
  receive SNMP traps generated by the trap group being configured.
  Your Action:
    1. Enter the hostname or IP address, in dotted decimal notation, of the
       target system to receive the SNMP traps.
    2. Click Add.

Health Monitoring

Enable Health Monitoring
  Function: Enables the SNMP health monitor on the switch. The health monitor
  periodically (over the time you specify in the interval field) checks the
  following key indicators of switch health:
    Percentage of file storage used
    Percentage of Routing Engine CPU used
    Percentage of Routing Engine memory used
    Percentage of memory used for each system process
    Percentage of CPU used by the forwarding process
    Percentage of memory used for temporary storage by the forwarding process
  Your Action: Select the check box to enable the health monitor and configure
  options. Clear the check box to disable the health monitor.
  NOTE: If you select the Enable Health Monitoring check box and do not specify
  options, then SNMP health monitoring is enabled with default values.

Interval
  Function: Specifies the sampling frequency, in seconds, over which the key
  health indicators are sampled and compared with the rising and falling
  thresholds.
  Your Action: Enter an interval time, in seconds, from 1 through 2147483647.
  The default value is 300 seconds (5 minutes). For example, if you configure
  the interval as 100 seconds, the values are checked every 100 seconds.

Rising Threshold
  Function: Specifies the value at which SNMP generates an event (trap and
  system log message) when the value of a sampled indicator is increasing. For
  example, if the rising threshold is 90 (the default), SNMP generates an event
  when the value of any key indicator reaches or exceeds 90 percent.
  Your Action: Enter a value from 0 through 100. The default value is 90.

Falling Threshold
  Function: Specifies the value at which SNMP generates an event (trap and
  system log message) when the value of a sampled indicator is decreasing. For
  example, if the falling threshold is 80 (the default), SNMP generates an
  event when the value of any key indicator falls back to 80 percent or less.
  Your Action: Enter a value from 0 through 100. The default value is 80.
  NOTE: The falling threshold value must be less than the rising threshold
  value.

Related Topics

Monitoring System Process Information on page 146

Monitoring System Properties on page 145
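The rising and falling thresholds in Table 102 above work as a pair: an event fires when an indicator reaches or exceeds the rising threshold, and again when it falls back to the falling threshold or below. The following added example (not code from the guide or from JUNOS) replays constructed samples through that logic and applies the field limits; the indicator names and sample values are constructed, and suppressing a second rising event until the indicator has fallen back is this example's own modelling choice.

```python
"""Simulate the SNMP health monitor's rising/falling threshold events.

Added example, not part of the EX Series guide or JUNOS. It models what
Table 102 describes: an event when a sampled indicator reaches or exceeds
the rising threshold, and another when it falls back to the falling
threshold or below. Indicator names and sample values are constructed.
"""

INTERVAL_MAX = 2_147_483_647  # upper bound of the Interval field (seconds)


def validate_health_monitor(interval=300, rising=90, falling=80):
    """Apply the field limits from Table 102; raise ValueError on a bad one."""
    if not 1 <= interval <= INTERVAL_MAX:
        raise ValueError(f"interval {interval} outside 1..{INTERVAL_MAX}")
    for name, value in (("rising", rising), ("falling", falling)):
        if not 0 <= value <= 100:
            raise ValueError(f"{name} threshold {value} outside 0..100")
    if falling >= rising:
        raise ValueError("falling threshold must be less than rising threshold")
    return {"interval": interval, "rising": rising, "falling": falling}


def health_events(samples, rising=90, falling=80):
    """Return (sample_index, indicator, kind, value) for every event raised.

    `samples` is one dict per sampling interval mapping an indicator name to
    its percentage. A 'rising' event fires when an indicator reaches or
    exceeds `rising`; no further rising event fires for that indicator until
    it has dropped to `falling` or below, which fires a 'falling' event.
    """
    validate_health_monitor(rising=rising, falling=falling)
    above = {}   # indicator -> True while a rising event is outstanding
    events = []
    for idx, sample in enumerate(samples):
        for indicator, value in sample.items():
            if value >= rising and not above.get(indicator):
                above[indicator] = True
                events.append((idx, indicator, "rising", value))
            elif value <= falling and above.get(indicator):
                above[indicator] = False
                events.append((idx, indicator, "falling", value))
    return events


# Constructed sample data: six consecutive samples of two indicators.
SAMPLES = [
    {"re-cpu": 40, "storage": 85},
    {"re-cpu": 92, "storage": 86},   # re-cpu crosses the rising threshold
    {"re-cpu": 95, "storage": 91},   # re-cpu stays high (no new event); storage rises
    {"re-cpu": 85, "storage": 90},   # re-cpu between the thresholds: no event
    {"re-cpu": 78, "storage": 80},   # both fall back to the falling threshold or below
    {"re-cpu": 90, "storage": 70},   # re-cpu rises again
]

if __name__ == "__main__":
    for event in health_events(SAMPLES):
        print(event)
```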


Configuring Static Routing (CLI Procedure)


Static routes are routes that are manually configured and entered into the routing
table. Dynamic routes, in contrast, are learned by the EX Series switch and added
to the routing table using a protocol such as OSPF or RIP.
The switch uses static routes:

When the switch does not have a route to a destination that has a better (lower)
preference value. The preference is an arbitrary value in the range from 0 through
255 that the software uses to rank routes received from different protocols,
interfaces, or remote systems. The routing protocol process generally determines
the active route by selecting the route with the lowest preference value. In the
given range, 0 is the lowest and 255 is the highest.

When the switch cannot determine the route to a destination.

When the switch is forwarding unroutable packets.

To configure basic static route options using the CLI:

To configure the switch's default gateway:

[edit]
user@switch# set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1

To configure a static route and specify the next address to be used when routing
traffic to the static route:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 next-hop 10.0.0.2.1

To always keep the static route in the forwarding table:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 retain

To prevent the static route from being readvertised:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 no-readvertise

To remove inactive routes from the forwarding table:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 active

Related Topics


Configuring Static Routing (J-Web Procedure) on page 781

Monitoring Routing Information on page 790


Configuring Static Routing (J-Web Procedure)


J-Web configuration allows you to configure static routes.

To configure static routes:

1. In the J-Web user interface, select Configure > Routing > Static Routing.

2. Enter information into the routing page, as described in Table 103 on page 781.

3. To apply the configuration, click Apply.

Table 103: Static Routing Configuration Summary

Default Route

Default Route
  Function: Specifies the default gateway for the switch.
  Your Action: Type the 32-bit IP address of the switch's default route in
  dotted decimal notation.

Static Routes

Static Route Address (required)
  Function: Specifies the static route to add to the routing table.
  Your Action:
    1. On the main static routing Configuration page, click Add.
    2. In the Static Route Address box, type the 32-bit IP address of the
       static route in dotted decimal notation.

Next-Hop Addresses
  Function: Specifies the next-hop address or addresses to be used when routing
  traffic to the static route.
  NOTE: If a route has multiple next-hop addresses, traffic is routed across
  each address in round-robin fashion.
  Your Action:
    1. In the Add box, type the 32-bit IP address of the next-hop host.
    2. Click Add.
    3. Add more next-hop addresses as necessary.
    4. When you have finished adding next-hop addresses, click OK.

Related Topics

Configuring Static Routing (CLI Procedure) on page 780

Monitoring Routing Information on page 790

Configuring IP Directed Broadcast (CLI Procedure)


You can use IP directed broadcast on an EX Series switch to facilitate remote network
management by sending broadcast packets to hosts on a specified subnet without
broadcasting to the entire network. IP directed broadcast packets are broadcast on
only the target subnet. The rest of the network treats IP directed broadcast packets
as unicast packets and forwards them accordingly.

Before you begin to configure IP directed broadcast:

Ensure that the subnet on which you want to broadcast packets using IP directed
broadcast is not directly connected to the Internet.

Configure a routed VLAN interface (RVI) for the subnet that will be enabled for
IP directed broadcast. See Configuring Routed VLAN Interfaces (CLI Procedure)
on page 547 or Configuring VLANs for EX Series Switches (J-Web Procedure)
on page 543.

NOTE: We recommend that you do not enable IP directed broadcast on subnets that
have a direct connection to the Internet because of increased exposure to
denial-of-service (DoS) attacks.

To enable IP directed broadcast for a specified subnet:

1. Add the target subnet's logical interfaces to the VLAN:

   [edit interfaces]
   user@switch# set ge-0/0/0.0 family ethernet-switching vlan members v1
   user@switch# set ge-0/0/1.0 family ethernet-switching vlan members v1

2. Configure the Layer 3 interface on the VLAN that is the target of the IP directed
   broadcast packets:

   [edit interfaces]
   user@switch# set vlan.1 family inet address 10.1.2.1/24

3. Associate the Layer 3 interface with the VLAN:

   [edit vlans]
   user@switch# set v1 l3-interface vlan.1

4. Enable the Layer 3 interface for the VLAN to receive IP directed broadcasts:

   [edit interfaces]
   user@switch# set vlan.1 family inet targeted-broadcast

Related Topics


Example: Configuring IP Directed Broadcast on an EX Series Switch on page 767

Understanding IP Directed Broadcast for EX Series Switches on page 765


Chapter 42

Verifying Layer 3 Protocols

Monitoring BGP Routing Information on page 783

Monitoring DHCP Services on page 785

Monitoring OSPF Routing Information on page 786

Monitoring RIP Routing Information on page 788

Monitoring Routing Information on page 790

Verifying IP Directed Broadcast Status on page 791

Monitoring BGP Routing Information


Purpose

Use the monitoring functionality to monitor BGP routing information.

Action

To view BGP routing information in the J-Web interface, select
Monitor > Routing > BGP Information.

To view BGP routing information in the CLI, enter the following commands:

show bgp summary

show bgp neighbor

Meaning

Table 104 on page 783 summarizes key output fields in the BGP routing display.

Table 104: Summary of Key BGP Routing Output Fields

BGP Summary

Total Groups
  Values: Number of BGP groups.

Total Peers
  Values: Number of BGP peers.

Down Peers
  Values: Number of unavailable BGP peers.

Peer
  Values: Address of each BGP peer.

InPkt
  Values: Number of packets received from the peer.

OutPkt
  Values: Number of packets sent to the peer.

Flaps
  Values: Number of times a BGP session has changed state from Down to Up.
  Additional Information: A high number of flaps might indicate a problem with
  the interface on which the BGP session is enabled.

Last Up/Down
  Values: Last time that a session became available or unavailable, since the
  neighbor transitioned to or from the established state.
  Additional Information: If the BGP session is unavailable, this time might be
  useful in determining when the problem occurred.

State
  Values: A multipurpose field that displays information about BGP peer
  sessions. The contents of this field depend upon whether a session is
  established.
    If a peer is not established, the field shows the state of the peer
    session: Active, Connect, or Idle.
    If a BGP session is established, the field shows the number of active,
    received, and damped routes that are received from a neighbor. For
    example, 2/4/0 indicates two active routes, four received routes, and no
    damped routes.

BGP Neighbors

Peer Address
  Values: Address of the BGP neighbor.

Autonomous System
  Values: AS number of the peer.

Type
  Values: Type of peer: Internal or External.

State
  Values: Current state of the BGP session:
    Active: BGP is initiating a TCP connection in an attempt to connect to a
    peer. If the connection is successful, BGP sends an open message.
    Connect: BGP is waiting for the TCP connection to become complete.
    Established: The BGP session has been established, and the peers are
    exchanging BGP update messages.
    Idle: This is the first stage of a connection. BGP is waiting for a Start
    event.
    OpenConfirm: BGP has acknowledged receipt of an open message from the peer
    and is waiting to receive a keepalive or notification message.
    OpenSent: BGP has sent an open message and is waiting to receive an open
    message from the peer.
  Additional Information: Generally, the most common states are Active, which
  indicates a problem establishing the BGP connection, and Established, which
  indicates a successful session setup. The other states are transition
  states, and BGP sessions normally do not stay in those states for extended
  periods of time.

Export
  Values: Names of any export policies configured on the peer.

Import
  Values: Names of any import policies configured on the peer.

Number of flaps
  Values: Number of times the BGP session has changed state from Down to Up.
  Additional Information: A high number of flaps might indicate a problem with
  the interface on which the session is established.
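An added example, not from the guide: parse peer lines in the layout Table 104 describes for show bgp summary (a session state such as Active, or active/received/damped counts such as 2/4/0 once the session is established) and flag peers that are down or have flapped repeatedly. The sample output, the column regex and the flap limit are constructed for this example.

```python
"""Parse the peer lines of `show bgp summary` and flag peers needing attention.

Added example, not part of the EX Series guide. SAMPLE_SUMMARY is constructed
to match the columns Table 104 describes; the State column holds either a
session state name or active/received/damped counts such as 2/4/0.
"""
import re

SAMPLE_SUMMARY = """\
Groups: 1 Peers: 3 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 6          3          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Damped...
10.0.1.2              65001       1203       1198       0       0        2d 3:14:07 2/4/0
10.0.1.3              65002        318        320       0      12          1:02:33 1/2/0
10.0.1.4              65003          0          0       0       0            10:15 Active
"""

# One peer line: address, AS, InPkt, OutPkt, OutQ, Flaps, Last Up/Dwn
# (which may contain one space, e.g. "2d 3:14:07"), then the State column.
PEER_LINE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<asn>\d+)\s+(?P<inpkt>\d+)\s+"
    r"(?P<outpkt>\d+)\s+(?P<outq>\d+)\s+(?P<flaps>\d+)\s+"
    r"(?P<updown>\S+(?: \S+)?)\s+(?P<state>\S+)$"
)


def parse_peers(text):
    """Return one dict per peer line; header and table lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        counts = re.fullmatch(r"(\d+)/(\d+)/(\d+)", d["state"])
        peers.append({
            "peer": d["peer"],
            "as": int(d["asn"]),
            "in_pkt": int(d["inpkt"]),
            "out_pkt": int(d["outpkt"]),
            "flaps": int(d["flaps"]),
            "last_up_down": d["updown"],
            "established": counts is not None,
            "state": "Established" if counts else d["state"],
            "active": int(counts[1]) if counts else None,
            "received": int(counts[2]) if counts else None,
            "damped": int(counts[3]) if counts else None,
        })
    return peers


def peers_needing_attention(peers, flap_limit=10):
    """Peers that are not established, or that flapped more than flap_limit
    times (the limit is this example's own choice, not a JUNOS setting)."""
    flagged = []
    for p in peers:
        if not p["established"]:
            flagged.append((p["peer"], "not established: " + p["state"]))
        elif p["flaps"] > flap_limit:
            flagged.append((p["peer"], f"{p['flaps']} flaps"))
    return flagged


if __name__ == "__main__":
    for peer, reason in peers_needing_attention(parse_peers(SAMPLE_SUMMARY)):
        print(f"{peer}: {reason}")
```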


Related Topics

Configuring BGP Sessions (J-Web Procedure) on page 771

Layer 3 Protocols Supported on EX Series Switches on page 12

Monitoring DHCP Services


Purpose

A switch can operate as a DHCP server. When it is a DHCP server, use the monitoring
functionality to view information about dynamic and static DHCP leases, conflicts,
pools, and statistics.

Action

To monitor the DHCP server in the J-Web interface, select Monitor > Services > DHCP.

To monitor the DHCP server in the CLI, enter the following CLI commands:

show system services dhcp binding

show system services dhcp conflict

show system services dhcp pool

show system services dhcp statistics

Meaning

Table 105 on page 785 summarizes the output fields in DHCP displays.

Table 105: Summary of DHCP Output Fields

DHCP Leases

Allocated Address
  Values: List of IP addresses the DHCP server has assigned to clients.

MAC Address
  Values: Corresponding media access control (MAC) address of the client.

Binding Type
  Values: Type of binding assigned to the client: dynamic or static.
  Additional Information: DHCP servers can assign a dynamic binding from a pool
  of IP addresses or a static binding to one or more specific IP addresses.

Lease Expires
  Values: Date and time the lease expires, or never for leases that do not
  expire.

DHCP Conflicts

Detection Time
  Values: Date and time the client detected the conflict.

Detection Method
  Values: How the conflict was detected.
  Additional Information: Only client-detected conflicts are displayed.

Address
  Values: IP address where the conflict occurs.
  Additional Information: The addresses in the conflicts list remain excluded
  until you use the clear system services dhcp conflict command to manually
  clear the list.

DHCP Pools

Pool Name
  Values: Subnet on which the IP address pool is defined.

Low Address
  Values: Lowest address in the IP address pool.

High Address
  Values: Highest address in the IP address pool.

Excluded Addresses
  Values: Addresses excluded from the address pool.

DHCP Statistics

Default lease time
  Values: Lease time assigned to clients that do not request a specific lease
  time.

Minimum lease time
  Values: Minimum time a client can retain an IP address lease on the server.

Maximum lease time
  Values: Maximum time a client can retain an IP address lease on the server.

Packets dropped
  Values: Total number of packets dropped and the number of packets dropped
  due to a particular condition.

Messages received
  Values: Number of BOOTREQUEST, DHCPDECLINE, DHCPDISCOVER, DHCPINFORM,
  DHCPRELEASE, and DHCPREQUEST messages sent from DHCP clients and received by
  the DHCP server.

Messages sent
  Values: Number of BOOTREPLY, DHCPACK, DHCPOFFER, and DHCPNAK messages sent
  from the DHCP server to DHCP clients.

Related Topics

DHCP Services for EX Series Switches Overview on page 763

Configuring DHCP Services (J-Web Procedure) on page 772

Monitoring OSPF Routing Information


Purpose

Use the monitoring functionality to monitor OSPF routing information.

Action

To view OSPF routing information in the J-Web interface, select
Monitor > Routing > OSPF Information.

To view OSPF routing information in the CLI, enter the following CLI commands:

show ospf neighbor

show ospf interface

show ospf statistics

Meaning

Table 106 on page 787 summarizes key output fields in the OSPF routing display.

Table 106: Summary of Key OSPF Routing Output Fields


Field

Values

Additional Information

OSPF Neighbors

Address

Address of the neighbor.

Interface
Name

Interface through which the neighbor is reachable.

State

State of the neighbor: Attempt, Down, Exchange, ExStart,


Full, Init, Loading, or 2way.

ID

ID of the neighbor.

Priority

Priority of the neighbor to become the designated


switch.

Generally, only the Down state, indicating a failed OSPF


adjacency, and the Full state, indicating a functional
adjacency, are maintained for more than a few
seconds. The other states are transitional states that a
neighbor is in only briefly while an OSPF adjacency is
being established.

OSPF Interfaces

Interface

Name of the interface running OSPF.

State

State of the interface: BDR, Down, DR, DRother, Loop,


PtToPt, or Waiting.

Area

Number of the area that the interface is in.

DR ID

Address of the area's designated device.

BDR ID

Address of the area's backup designated device.

Neighbors

Number of neighbors on this interface.

Adjacency
Count

Number of devices in the area using the same area


identifier.

Stub Type

The areas into which OSPF does not flood AS external


advertisements

Passive
Mode

In this mode the interface is present on the network


but does not transmit or receive packets.

Authentication
Type

The authentication scheme for the backbone or area.

Interface
Address

The IP address of the interface.

Address
Mask

The subnet mask or address prefix.

The Down state, indicating that the interface is not


functioning, and PtToPt state, indicating that a
point-to-point connection has been established, are the
most common states.

Monitoring OSPF Routing Information

787

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 106: Summary of Key OSPF Routing Output Fields (continued)


Field

Values

Additional Information

MTU

The maximum transmission unit size.

Interface
Cost

The path cost used to calculate the root path cost from
any given LAN segment is determined by the total cost
of each link in the path.

Hello
Interval

Displays how often the switch sends hello packets out


of the interface.

Dead
Interval

The interval during which the switch receives no hello


packets from the neighbor.

Retransmit
Interval

The interval for which the switch waits to receive a


link-state acknowledgment packet before retransmitting
link-state advertisements to an interfaces neighbors.

OSPF Statistics

Packet
Type

Type of OSPF packet.

Packets
Sent

Total number of packets sent.

Packets
Received

Total number of packets received.

Depth of
flood
Queue

Number of entries in the extended queue.

Total
Retransmits

Number of retransmission entries enqueued.

Total
Database
Summaries

Total number of database description packets.

Related Topics

Configuring an OSPF Network (J-Web Procedure) on page 775

Layer 3 Protocols Supported on EX Series Switches on page 12
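The neighbor-state rule in Table 106 (only Down and Full should persist; the other states are transitional) is the check an operator actually wants automated. The following is an added example, not code from the guide or from JUNOS: it parses the columns of show ospf neighbor output (Address, Interface, State, ID, Pri, Dead), classifies the adjacencies, and reports neighbors that stay in a transitional state across several snapshots. The sample output embedded below is constructed for this example and only imitates the column layout; the addresses and router IDs are made up.

```python
# Added example: a small monitor for "show ospf neighbor" output. The sample
# output below is constructed for this example and only imitates the column
# layout (Address, Interface, State, ID, Pri, Dead); it is not output
# captured from a switch.
SAMPLE_OSPF_NEIGHBOR = """\
Address          Interface              State     ID               Pri  Dead
10.10.1.2        ge-0/0/1.0             Full      10.255.0.2       128    35
10.10.2.2        ge-0/0/2.0             ExStart   10.255.0.3       128    38
10.10.3.2        ge-0/0/3.0             Down      10.255.0.4         0    12
10.10.4.2        ge-0/0/4.0             Init      10.255.0.5       128    39
"""

# The states listed in Table 106; only Down and Full normally persist.
OSPF_STATES = {"Attempt", "Down", "Exchange", "ExStart", "Full", "Init",
               "Loading", "2way"}
STABLE_STATES = {"Full", "Down"}


def parse_ospf_neighbors(text):
    """Return one dict per neighbor row, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "Address":
            continue
        address, ifname, state, router_id, pri, dead = parts
        if state not in OSPF_STATES:
            raise ValueError("unexpected OSPF neighbor state: %r" % state)
        rows.append({"address": address, "interface": ifname, "state": state,
                     "id": router_id, "priority": int(pri), "dead": int(dead)})
    return rows


def classify_neighbors(rows):
    """Group neighbors into full, down and transitional adjacencies."""
    result = {"full": [], "down": [], "transitional": []}
    for row in rows:
        if row["state"] == "Full":
            result["full"].append(row["address"])
        elif row["state"] == "Down":
            result["down"].append(row["address"])
        else:
            result["transitional"].append((row["address"], row["state"]))
    return result


def stuck_neighbors(snapshots):
    """Given parsed snapshots taken some seconds apart, return the neighbors
    that were in a transitional state in every snapshot. A neighbor that
    never reaches Full (or Down) is the case worth investigating, because
    the transitional states should last only a few seconds."""
    common = None
    for rows in snapshots:
        now = {r["address"] for r in rows if r["state"] not in STABLE_STATES}
        common = now if common is None else common & now
    return sorted(common or set())


if __name__ == "__main__":
    first = parse_ospf_neighbors(SAMPLE_OSPF_NEIGHBOR)
    print(classify_neighbors(first))
    # Second constructed snapshot: 10.10.4.2 has meanwhile reached Full,
    # so only 10.10.2.2 (still in ExStart) is reported as stuck.
    second = parse_ospf_neighbors(SAMPLE_OSPF_NEIGHBOR.replace("Init", "Full"))
    print(stuck_neighbors([first, second]))
```

Feeding the parser two or three snapshots spaced a few seconds apart, rather than a single one, is what turns the table's rule into a usable alarm: a neighbor seen in ExStart once is normal, one seen in ExStart every time is an adjacency that is not completing (an MTU mismatch is a common cause, but that diagnosis is outside what this output shows).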

Monitoring RIP Routing Information

Purpose
Use the monitoring functionality to monitor RIP routing.

Action
To view RIP routing information in the J-Web interface, select Monitor>Routing>RIP Routing.

To view RIP routing information in the CLI, enter the following CLI commands:

show rip statistics

show rip neighbor

Meaning
Table 107 on page 789 summarizes key output fields in the RIP routing display.

Table 107: Summary of Key RIP Routing Output Fields

RIP Statistics

RIP Protocol Name: The RIP protocol name.

RIP Port: The port on which RIP is enabled.

Hold Down: The interval during which routes are neither advertised nor updated.

Routes Learned: Number of RIP routes learned on the logical interface.

Routes Held Down: Number of RIP routes that are not advertised or updated during hold-down.

Requests Dropped: Number of requests dropped.

Responses Dropped: Number of responses dropped.

RIP Neighbors

Neighbor: Name of the RIP neighbor.
    This value is the name of the interface on which RIP is enabled. Click the name to see the details for this neighbor.

State: State of the RIP connection: Up or Dn (Down).

Source Address: Local source address.
    This value is the configured address of the interface on which RIP is enabled.

Destination Address: Destination address.
    This value is the configured address of the immediate RIP adjacency.

Send Mode: The mode of sending RIP messages.

Receive Mode: The mode in which messages are received.

In Metric: Value of the incoming metric configured for the RIP neighbor.

Related Topics

Configuring a RIP Network (J-Web Procedure) on page 776

Layer 3 Protocols Supported on EX Series Switches on page 12

Monitoring RIP Routing Information

789

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Monitoring Routing Information

Purpose
Use the monitoring functionality to view the inet.0 routing table.

Action
To view the routing tables in the J-Web interface, select Monitor>Routing>Static Routing.

To view the routing table in the CLI, enter the following commands in the CLI interface:

show route terse

show route detail

Meaning
Table 108 on page 790 summarizes key output fields in the routing information display.

Table 108: Summary of Key Routing Information Output Fields

n destinations: Number of destinations for which there are routes in the routing table.

n routes: Number of routes in the routing table:
    active: Number of routes that are active.
    hold down: Number of routes that are in hold-down state (neither advertised nor updated) before being declared inactive.
    hidden: Number of routes not used because of routing policies configured on the switching platform.

Destination: Destination address of the route.

Protocol/Preference: Protocol from which the route was learned: Static, Direct, Local, or the name of a particular protocol.
    The route preference is used as one of the route selection criteria. The preference is the individual preference value for the route.

Next-Hop: Network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it.
    If a next hop is listed as Discard, all traffic with that destination address is discarded rather than routed. This value generally means that the route is a static route for which the discard attribute has been set.
    If a next hop is listed as Reject, all traffic with that destination address is rejected. This value generally means that the address is unreachable. For example, if the address is a configured interface address and the interface is unavailable, traffic bound for that address is rejected.
    If a next hop is listed as Local, the destination is an address on the host (either the loopback address or Ethernet management port 0 address, for example).

Age: How long the route has been known.

State: Flags for this route.
    There are many possible flags.

AS Path: AS path through which the route was learned. The letters of the AS path indicate the path origin:
    I: IGP.
    E: EGP.
    ?: Incomplete. Typically, the AS path was aggregated.

Related Topics

Configuring Static Routing (J-Web Procedure) on page 781

Configuring Static Routing (CLI Procedure) on page 780

Verifying IP Directed Broadcast Status

Purpose
Verify that IP directed broadcast is enabled and is working on the subnet.

Action
Use the show vlans extensive command to verify that IP directed broadcast is enabled and working on the subnet as shown in the following example.

Related Topics

Configuring IP Directed Broadcast (CLI Procedure) on page 781

Example: Configuring IP Directed Broadcast on an EX Series Switch on page 767

Part 10

IGMP Snooping and Multicast

Understanding IGMP Snooping and Multicast on page 795

Examples of Configuring IGMP Snooping and Multicast on page 803

Configuring IGMP Snooping and Multicast on page 813

Verifying IGMP Snooping and Multicast on page 821

Configuration Statements for IGMP Snooping and Multicast on page 825

Operational Mode Commands for IGMP Snooping and Multicast on page 851

Chapter 43

Understanding IGMP Snooping and Multicast

IGMP Snooping on EX Series Switches Overview on page 795

Understanding Multicast VLAN Registration on EX Series Switches on page 800

IGMP Snooping on EX Series Switches Overview

Internet Group Management Protocol (IGMP) snooping regulates multicast traffic in a switched network. With IGMP snooping enabled, a LAN switch monitors the IGMP transmissions between a host (a network device) and a multicast router, keeping track of the multicast groups and associated member interfaces. The switch uses that information to make intelligent multicast-forwarding decisions and forward traffic to the intended destination interfaces. Juniper Networks EX Series Ethernet Switches support IGMPv1, IGMPv2, and IGMPv3 (INCLUDE mode only).

For details on IGMPv1, IGMPv2, and IGMPv3, see the following standards:

For IGMPv1, see RFC 1112, Host extensions for IP multicasting at http://www.faqs.org/rfcs/rfc1112.html.

For IGMPv2, see RFC 2236, Internet Group Management Protocol, Version 2 at http://www.faqs.org/rfcs/rfc2236.html.

For IGMPv3, see RFC 3376, Internet Group Management Protocol, Version 3 at http://www.faqs.org/rfcs/rfc3376.html.

This IGMP snooping topic covers:

How IGMP Snooping Works on page 795

How IGMP Snooping Works with Routed VLAN Interfaces on page 796

How Hosts Join and Leave Multicast Groups on page 799

IGMP Snooping Support for IGMPv3 on page 799

How IGMP Snooping Works

An EX Series switch usually learns unicast MAC addresses by checking the source address field of the frames it receives. However, a multicast MAC address can never be the source address for a packet. As a result, the switch floods multicast traffic on the VLAN, consuming significant amounts of bandwidth.

IGMP snooping regulates multicast traffic on a VLAN to avoid flooding. When IGMP snooping is enabled, the switch intercepts IGMP packets and uses the content of the packets to build a multicast cache table. The cache table is a database of multicast groups and their corresponding member ports. The cache table is then used to regulate multicast traffic on the VLAN.

When the switch receives multicast packets, it uses the cache table to selectively forward the packets only to the ports that are members of the destination multicast group. Figure 39 on page 796 shows an example of IGMP traffic flow with IGMP snooping enabled.

Figure 39: IGMP Traffic Flow with IGMP Snooping Enabled

How IGMP Snooping Works with Routed VLAN Interfaces

Switches send traffic to hosts that are part of the same broadcast domain, but routers are needed to route traffic from one broadcast domain to another. EX Series switches use a routed VLAN interface (RVI) to perform these routing functions. IGMP snooping works with Layer 2 interfaces and RVIs to regulate multicast traffic in a switched network.

When an EX Series switch receives a multicast packet, the Packet Forwarding Engines in the switch perform an IP multicast lookup on the multicast packet to determine how to forward the packet to its local ports. From the results of the IP multicast lookup, each Packet Forwarding Engine extracts a list of Layer 3 interfaces (which can include VLAN interfaces) that have ports local to the Packet Forwarding Engine. If an RVI is part of this list, the switch provides a bridge multicast group ID for each RVI to the Packet Forwarding Engine.

A bridge multicast ID is assigned to direct Layer 3 interfaces and to RVIs. For VLANs that include multicast receivers, the bridge multicast ID includes a sub-next-hop ID. The sub-next-hop ID identifies the multicast Layer 2 interfaces in that VLAN that are interested in receiving the multicast stream. The switch ultimately assigns a next hop after it does a route lookup. The next hop includes all direct Layer 3 interfaces and RVIs. The Packet Forwarding Engine then forwards multicast traffic to the bridge multicast ID that includes all Layer 3 interfaces and RVIs that are multicast receivers for a given multicast group.

Figure 40 on page 798 shows how multicast traffic is forwarded on a multilayer switch. In this illustration, multicast traffic is coming in through the xe-0/1/0.0 interface. A multicast group has been formed by the Layer 3 interface ge-0/0/2.0, vlan.0, and vlan.1. The ge-2/0/0.0 interface is a common trunk interface that belongs to both vlan.0 and vlan.1. The letter R next to an interface name in the illustration indicates that a multicast receiver host is associated with that interface.

NOTE: Traffic sent to an access interface is untagged; traffic sent to a trunk interface is tagged. For more information on VLAN tagging, see Understanding Bridging and VLANs on EX Series Switches on page 467.

Figure 40: IGMP Traffic Flow with Routed VLAN Interfaces

Table 109 on page 798 shows the bridge multicast IDs and next hops that are created. The term subnh refers to a sub-next hop. The Packet Forwarding Engine will forward multicast traffic to bridge multicast ID9.

Table 109: Bridge Multicast IDs and Next Hops

ID Number   Type of Next Hop   Next Hop          Tag Information
ID1         RHN_UNICAST        ge-0/0/0.0        tag=off
ID2         RHN_UNICAST        ge-2/0/0.0        tag=on
ID3         RHN_FLOOD          [ID1, ID2]
ID4         RHN_UNICAST        ge-0/0/1.0
ID5         RHN_FLOOD          [ID4, ID2]
ID6         RHN_UNICAST        vlan.0            subnh=ID3
ID7         RHN_UNICAST        vlan.1            subnh=ID5
ID8         RHN_UNICAST        ge-0/0/2.0        tag=off
ID9         RHN_FLOOD          [ID6, ID7, ID8]
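The chain of next hops in Table 109 is easier to follow when it is expanded mechanically. The following is an added example, not code from the guide or from the switch software: the next-hop table is transcribed from Table 109, and the recursive expansion (RHN_FLOOD fans out to its members, an RHN_UNICAST with a subnh stands for an RVI whose sub-next hop lists the Layer 2 interfaces of that VLAN) is this example's own logic. An interface with no tag entry in the table is treated as untagged, which is an assumption made here.

```python
# Added example: resolving the bridge multicast IDs of Table 109 into the
# per-port copies the Packet Forwarding Engine makes. The table is transcribed
# from Table 109; the recursive resolution is this example's own logic, not
# the switch's implementation.
NEXT_HOPS = {
    # id: (type of next hop, next hop, tag information)
    "ID1": ("RHN_UNICAST", "ge-0/0/0.0", {"tag": "off"}),
    "ID2": ("RHN_UNICAST", "ge-2/0/0.0", {"tag": "on"}),
    "ID3": ("RHN_FLOOD", ["ID1", "ID2"], {}),
    "ID4": ("RHN_UNICAST", "ge-0/0/1.0", {}),
    "ID5": ("RHN_FLOOD", ["ID4", "ID2"], {}),
    "ID6": ("RHN_UNICAST", "vlan.0", {"subnh": "ID3"}),
    "ID7": ("RHN_UNICAST", "vlan.1", {"subnh": "ID5"}),
    "ID8": ("RHN_UNICAST", "ge-0/0/2.0", {"tag": "off"}),
    "ID9": ("RHN_FLOOD", ["ID6", "ID7", "ID8"], {}),
}


def resolve(nh_id, table=NEXT_HOPS, vlan=None, depth=0):
    """Expand a bridge multicast ID into (interface, vlan, tagged) copies.

    RHN_FLOOD fans out to each member ID; an RHN_UNICAST with a subnh is an
    RVI, whose sub-next hop lists the Layer 2 member interfaces of that VLAN;
    a plain RHN_UNICAST is one egress interface. An interface with no tag
    entry is treated as untagged (an assumption made for this example).
    """
    if depth > 16:
        raise ValueError("next-hop chain too deep; possible loop at %s" % nh_id)
    kind, target, attrs = table[nh_id]
    if kind == "RHN_FLOOD":
        copies = []
        for member in target:
            copies.extend(resolve(member, table, vlan, depth + 1))
        return copies
    if kind == "RHN_UNICAST" and "subnh" in attrs:
        # The RVI's name becomes the VLAN context for its Layer 2 members.
        return resolve(attrs["subnh"], table, target, depth + 1)
    if kind == "RHN_UNICAST":
        return [(target, vlan, attrs.get("tag") == "on")]
    raise ValueError("unknown next-hop type %s for %s" % (kind, nh_id))


def copies_per_interface(copies):
    """Count how many copies each interface receives. A trunk that is a
    member of several receiving VLANs gets one tagged copy per VLAN."""
    counts = {}
    for ifname, _vlan, _tagged in copies:
        counts[ifname] = counts.get(ifname, 0) + 1
    return counts


if __name__ == "__main__":
    for copy in resolve("ID9"):
        print(copy)
    print(copies_per_interface(resolve("ID9")))
```

Resolving ID9 yields five copies: untagged to ge-0/0/0.0 (vlan.0), tagged to ge-2/0/0.0 (vlan.0), untagged to ge-0/0/1.0 (vlan.1), tagged to ge-2/0/0.0 (vlan.1), and one to the Layer 3 interface ge-0/0/2.0. The trunk ge-2/0/0.0 therefore receives two tagged copies of every packet, one per VLAN, which is the bandwidth cost of a trunk that carries several receiver VLANs.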

How Hosts Join and Leave Multicast Groups

Hosts can join multicast groups in either of two ways:

By sending an unsolicited IGMP join message to a multicast router that specifies the IP multicast group that the host is attempting to join.

By sending an IGMP join message in response to a general query from a multicast router.

A multicast router continues to forward multicast traffic to a VLAN provided that at least one host on that VLAN responds to the periodic general IGMP queries. For a host to remain a member of a multicast group, therefore, it must continue to respond to the periodic general IGMP queries.

To leave a multicast group, a host can either not respond to the periodic general IGMP queries, which results in a silent leave (the only leave option for hosts connected to switches running IGMPv1), or send a group-specific IGMPv2 leave message.

IGMP Snooping Support for IGMPv3

IGMPv3 allows IGMP snooping to filter multicast streams based on the source address of the multicast stream. JUNOS Software for EX Series switches supports IGMPv3 packets that are in INCLUDE mode only. IGMPv3 packets in any other mode are dropped.

When a host sends an IGMPv3 INCLUDE report through a switch interface to indicate that it wants to receive a multicast stream from a source address, the switch adds the source address to the source list. In INCLUDE mode, the switch requests that packets be sent to the specified multicast address only from those IP source addresses listed in the source-list parameter. However, because EX Series switches do not support forwarding on a per-source basis, the switch merges all IGMPv3 reports for a VLAN to create a (*,G,V) route with the appropriate next hop. This next hop contains all the interfaces on the VLAN that are interested in group G.

When IGMP snooping for IGMPv3 is used with an RVI, the same (*,G,V) route is added to the snooping information in the RVI's output interface list (olist).

Related Topics

Understanding Multicast VLAN Registration on EX Series Switches on page 800

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Configuring IGMP Snooping (CLI Procedure) on page 813

RFC 3171, IANA Guidelines for IPv4 Multicast Address Assignments at http://tools.ietf.org/html/rfc3171

Understanding Multicast VLAN Registration on EX Series Switches

Multicast VLAN registration (MVR) allows you to efficiently distribute IPTV multicast streams across an Ethernet ring-based Layer 2 network and reduce the amount of bandwidth consumed by this multicast traffic.

In a standard Layer 2 network, a multicast stream received on one VLAN is never distributed to interfaces outside that VLAN. If hosts in multiple VLANs request the same multicast stream, a separate copy of that multicast stream is distributed to the requesting VLANs.

MVR introduces the concept of a multicast source VLAN (MVLAN), which is created by MVR and becomes the only VLAN over which IPTV multicast traffic flows throughout the Layer 2 network. A Juniper Networks EX Series Ethernet Switch that is enabled for MVR selectively forwards IPTV multicast traffic from interfaces on the MVLAN (source interfaces) to hosts that are connected to interfaces that are not part of the MVLAN. These interfaces are known as MVR receiver ports. The MVR receiver ports can receive traffic from a port on the MVLAN but cannot send traffic onto the MVLAN, and they remain in their own VLANs for bandwidth and security reasons.

This topic includes:

How MVR Works on page 800

How MVR Works

In many ways, MVR is similar to IGMP snooping. Both monitor IGMP join and leave messages and build forwarding tables based on the media access control (MAC) addresses of the hosts sending those IGMP messages. Whereas IGMP snooping operates within a given VLAN to regulate multicast traffic, MVR can operate with hosts on different VLANs in a Layer 2 network to selectively deliver IPTV multicast traffic to requesting hosts, thereby reducing the amount of bandwidth needed to forward multicast traffic.

When you configure an MVLAN, you assign a range of multicast group addresses to it. You then configure other VLANs to be MVR receiver VLANs, which receive multicast streams from the MVLAN. The MVR receiver ports comprise all the interfaces that exist on any of the MVR receiver VLANs. Interfaces that are on the MVLAN itself cannot be MVR receiver ports for that MVLAN.

NOTE: MVR is supported on VLANs running IGMP version 2 (IGMPv2) only.

MVR Modes

MVR operates in two modes: MVR transparent mode and MVR proxy mode. Both modes allow MVR to forward only one copy of a multicast stream to the Layer 2 network.

MVR Transparent Mode on page 801

MVR Proxy Mode on page 801

MVR Transparent Mode

In MVR transparent mode (the default mode), the switch receives one copy of each IPTV multicast stream and then replicates the stream only to those hosts that want to receive it, while forwarding all other types of multicast traffic without modification.

The switch handles IGMP packets destined for both the multicast source VLAN and multicast receiver VLANs in the same way that it handles them when MVR is not being used. That is, when a host on a VLAN sends IGMP join and leave messages, the switch floods the messages to all router interfaces in the VLAN. Similarly, when a VLAN receives IGMP queries from its router interfaces, it floods the queries to all interfaces in the VLAN.

If a host on a multicast receiver port joins an MVR group on the multicast receiver VLAN, the appropriate bridging entry is added and the MVLAN forwards that group's IPTV multicast traffic on that port (even though that port is not in the MVLAN). Likewise, if a host on a multicast receiver port leaves an MVR group on the multicast receiver VLAN, the appropriate bridging entry is deleted and the MVLAN stops forwarding that group's IPTV multicast traffic on that port. In addition, you can configure the switch to statically install the bridging entries on the multicast receiver VLAN.

MVR Proxy Mode

When you use MVR in proxy mode, the switch acts as a proxy for any MVR group in both the upstream and downstream directions. In the downstream direction, the switch acts as the querier for the groups in the MVR receiver VLANs. In the upstream direction, the switch originates the IGMP reports and leaves and answers IGMP queries from multicast routers. When the MVR receiver VLANs receive IGMP joins and leaves, the switch creates bridging entries on the MVLAN as needed, as it does in MVR transparent mode. In addition, the switch sends out IGMP joins and leaves on the MVLAN based on these bridging entries.

Configuring MVR proxy mode on the MVLAN automatically enables IGMP snooping proxy mode on all MVR receiver VLANs as well as on the MVLAN.

Related Topics

Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806

Configuring Multicast VLAN Registration (CLI Procedure) on page 818

Chapter 44

Examples of Configuring IGMP Snooping and Multicast

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806

Example: Configuring IGMP Snooping on EX Series Switches

IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping enabled, a LAN switch monitors the IGMP transmissions between a host (a network device) and a multicast router, keeping track of the multicast groups and associated member ports. The switch uses that information to make intelligent multicast-forwarding decisions and forward traffic to the intended destination interfaces.

Configure IGMP snooping on one or more VLANs to allow the switch to examine IGMP packets and make forwarding decisions based on packet content. By default, IGMP snooping is enabled on EX Series switches.

This example describes how to configure IGMP snooping:

Requirements on page 803

Overview and Topology on page 804

Configuration on page 804

Requirements

This example uses the following software and hardware components:

One EX3200-24T switch

JUNOS Release 9.5 or later for EX Series switches

Before you configure IGMP snooping, be sure you have:

Configured the employee-vlan VLAN on the switch

Assigned interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3 to employee-vlan

See Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490.

Overview and Topology

IGMP snooping controls multicast traffic in a switched network. With IGMP snooping enabled, an EX Series switch monitors the IGMP transmissions between a host and a multicast router to keep track of the multicast groups and associated member ports. The switch uses this information to make intelligent decisions and forward multicast traffic to the intended destination interfaces.

You can configure IGMP snooping on all interfaces in a VLAN or on individual interfaces. This example shows how to configure IGMP snooping on an EX Series switch.

The configuration setup for this example includes the VLAN employee-vlan on the switch.

Table 110 on page 804 shows the components of the topology for this example.

Table 110: Components of the IGMP Snooping Topology

Switch hardware: One EX3200-24T switch

VLAN name: employee-vlan, tag 20

Interfaces in employee-vlan: ge-0/0/1, ge-0/0/2, ge-0/0/3

Multicast IP address for employee-vlan: 225.100.100.100

In this example, the switch is initially configured as follows:

IGMP snooping is disabled on the VLAN.

Configuration

To configure basic IGMP snooping on a switch:

CLI Quick Configuration

To quickly configure IGMP snooping, copy the following commands and paste them into the switch terminal window:

[edit protocols]
set igmp-snooping vlan employee-vlan
set igmp-snooping vlan employee-vlan interface ge-0/0/1 group-limit 50
set igmp-snooping vlan employee-vlan immediate-leave
set igmp-snooping vlan employee-vlan interface ge-0/0/3 static group 225.100.100.100
set igmp-snooping vlan employee-vlan interface ge-0/0/2 multicast-router-interface
set igmp-snooping vlan employee-vlan robust-count 4

Step-by-Step Procedure

Configure IGMP snooping:

1. Enable and configure IGMP snooping on the VLAN employee-vlan:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan

2. Configure the limit for the number of multicast groups allowed on the ge-0/0/1 interface to 50:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/1 group-limit 50

3. Configure the switch to immediately remove a group membership from an interface when it receives a leave message from that interface and suppress the sending of any group-specific queries for the multicast group (IGMPv2 only):

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan immediate-leave

4. Statically configure IGMP group membership on a port:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/3.0 static group 225.100.100.100

5. Statically configure an interface as a switching interface toward a multicast router (the interface to receive multicast traffic):

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/2 multicast-router-interface

6. Change the number of timeout intervals the switch waits before timing out a multicast group to 4:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan robust-count 4

Results

Check the results of the configuration:

user@switch# show protocols igmp-snooping
vlan employee-vlan {
    robust-count 4;
    immediate-leave;
    interface ge-0/0/1 {
        group-limit 50;
    }
    interface ge-0/0/2 {
        multicast-router-interface;
    }
    interface ge-0/0/3 {
        static {
            group 225.100.100.100;
        }
    }
}
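The cache-table behaviour described in the overview (How IGMP Snooping Works, How Hosts Join and Leave Multicast Groups, IGMP Snooping Support for IGMPv3) and the settings configured above (group-limit, immediate-leave, static group, multicast-router-interface, robust-count) can be exercised together in a small simulation. The following is an added example and is not the switch's implementation or code from the guide. It simplifies two things, both stated in the comments: membership timers are counted in missed general queries rather than seconds, and packets for a group with no known members are sent to the multicast-router interfaces only, which is a policy chosen for this example. The interface and group names are those of the employee-vlan example above.

```python
# Added example: a simulation of the multicast cache table that IGMP snooping
# builds for one VLAN, using the settings from the configuration above.
# Illustrative code, not the switch's implementation: timers are simplified to
# a count of missed general queries, and packets for groups with no known
# members go to multicast-router interfaces only (a policy chosen here).
from collections import defaultdict


class IgmpSnoopingVlan:
    def __init__(self, name, robust_count=2, immediate_leave=False):
        self.name = name
        self.robust_count = robust_count      # query rounds before aging out
        self.immediate_leave = immediate_leave
        self.group_limit = {}                 # interface -> max dynamic groups
        self.mrouter_ifaces = set()           # interfaces toward multicast routers
        self.static = defaultdict(set)        # group -> interfaces, never age out
        self.members = {}                     # (group, iface) -> queries missed
        self.source_list = defaultdict(set)   # group -> IGMPv3 INCLUDE sources
        self.dropped = []                     # (reason, iface, group)

    def set_group_limit(self, iface, limit):
        self.group_limit[iface] = limit

    def add_mrouter_interface(self, iface):
        self.mrouter_ifaces.add(iface)

    def add_static_group(self, iface, group):
        self.static[group].add(iface)

    def report(self, iface, group, version=2, mode="INCLUDE", sources=()):
        """Membership report (join) received on iface. IGMPv3 is accepted in
        INCLUDE mode only; its sources are recorded but the forwarding entry
        is (*,G) for the VLAN, as the overview describes."""
        if version == 3 and mode != "INCLUDE":
            self.dropped.append(("igmpv3-mode", iface, group))
            return False
        key = (group, iface)
        if key not in self.members:
            active = sum(1 for _g, i in self.members if i == iface)
            if active >= self.group_limit.get(iface, float("inf")):
                self.dropped.append(("group-limit", iface, group))
                return False
        if version == 3:
            self.source_list[group].update(sources)
        self.members[key] = 0                 # fresh report: nothing missed
        return True

    def leave(self, iface, group):
        """IGMPv2 group-specific leave. With immediate-leave the membership
        is removed at once; otherwise it is left to age out on the next query
        round unless a host on the interface refreshes it with a report."""
        key = (group, iface)
        if key not in self.members:
            return
        if self.immediate_leave:
            del self.members[key]
        else:
            self.members[key] = self.robust_count - 1

    def general_query(self):
        """A periodic general query from the multicast router passed through.
        Memberships not refreshed by a report accumulate a miss; after
        robust_count misses they expire silently (the only way an IGMPv1
        host leaves). Returns the expired (group, iface) pairs."""
        expired = []
        for key in list(self.members):
            self.members[key] += 1
            if self.members[key] >= self.robust_count:
                expired.append(key)
                del self.members[key]
        return expired

    def member_ports(self, group):
        dynamic = {i for g, i in self.members if g == group}
        return dynamic | self.static.get(group, set())

    def forward(self, group, ingress):
        """Egress interfaces for a multicast packet to group arriving on
        ingress: member ports plus multicast-router interfaces, minus the
        ingress interface itself."""
        return (self.member_ports(group) | self.mrouter_ifaces) - {ingress}


def employee_vlan():
    """The employee-vlan configuration from the example above, in object form."""
    v = IgmpSnoopingVlan("employee-vlan", robust_count=4, immediate_leave=True)
    v.set_group_limit("ge-0/0/1", 50)
    v.add_mrouter_interface("ge-0/0/2")
    v.add_static_group("ge-0/0/3", "225.100.100.100")
    return v
```

Two behaviours are worth noticing when running it: a static group on ge-0/0/3 keeps receiving the stream after every dynamic member has left or aged out, and with immediate-leave a single leave message removes the whole interface from the group at once, which is why the guide limits that setting to interfaces with one IGMPv2 host behind them.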
Related Topics

Configuring IGMP Snooping (CLI Procedure) on page 813

[edit protocols] Configuration Statement Hierarchy on page 47

Example: Configuring Multicast VLAN Registration on EX Series Switches


Multicast VLAN registration (MVR) allows hosts that are not part of a multicast VLAN
(MVLAN) to receive multicast streams from the MVLAN, allowing the MVLAN to be
shared across the Layer 2 network and eliminating the need to send duplicate
multicast streams to each requesting VLAN in the network. Hosts remain in their
own VLANs for bandwidth and security reasons.
This example describes how to configure MVR on EX Series switches:

Requirements on page 806

Overview and Topology on page 806

Configuration on page 809

Requirements
This example uses the following hardware and software components:

One EX Series switch

JUNOS Release 9.6 or later for EX Series switches

Before you configure MVR, be sure you have:

Configured two or more VLANs on the switch. See Example: Setting Up Bridging
with Multiple VLANs for EX Series Switches on page 490.

Connected the EX Series switch to a network that can transmit IPTV multicast
streams from a video server.

Connected a host that is capable of receiving IPTV multicast streams to an


interface in one of the VLANs.

Overview and Topology


In a standard Layer 2 network, a multicast stream received on one VLAN is never
distributed to interfaces outside that VLAN. If hosts in multiple VLANs request the
same multicast stream, a separate copy of that multicast stream is distributed to the
requesting VLANs.

806

Example: Configuring Multicast VLAN Registration on EX Series Switches

Chapter 44: Examples of Configuring IGMP Snooping and Multicast

MVR introduces the concept of a multicast source VLAN (MVLAN), which is created
by MVR and becomes the only VLAN over which multicast traffic flows throughout
the Layer 2 network. Multicast traffic can then be selectively forwarded from interfaces
on the MVLAN (source ports) to hosts that are connected to interfaces (multicast
receiver ports) that are not part of the multicast source VLAN. When you configure
an MVLAN, you assign a range of multicast group addresses to it. You then configure
other VLANs to be MVR receiver VLANs, which receive multicast streams from the
MVLAN. The MVR receiver ports comprise all the interfaces that exist on any of the
MVR receiver VLANs.

NOTE: You cannot configure a VLAN that contains an access port to be an MVR
source VLAN.
You can configure MVR to operate in one of two modes: transparent mode (the
default mode) or proxy mode. Both modes allow MVR to forward only one copy of
a multicast stream to the Layer 2 network.
In transparent mode, the switch receives one copy of each IPTV multicast stream
and then replicates the stream only to those hosts that want to receive it, while
forwarding all other types of multicast traffic without modification. Figure 1 shows
how MVR operates in transparent mode.
In proxy mode, the switch acts as a proxy for the IGMP multicast router in the MVLAN
for MVR group memberships established in the MVR receiver VLANs and generates
and sends IGMP packets into the MVLAN as needed. Figure 2 shows how MVR
operates in proxy mode.
This example shows how to configure MVR in both transparent mode and proxy
mode on an EX Series switch. The topology includes a video server that is connected
to a multicast router, which in turn forwards the IPTV multicast traffic in the MVLAN
to the Layer 2 network.
Figure 41 on page 808 shows the MVR topology in transparent mode. Interfaces P1
and P2 on Switch C belong to service VLAN s0 and MVLAN mv0. Interface P4 of
Switch C also belongs to service VLAN s0. In the upstream direction of the network,
only non-IPTV traffic is being carried in individual customer VLANs of service VLAN
s0. VLAN c0 is an example of this type of customer VLAN. IPTV traffic is being carried
on MVLAN mv0. If any host on any customer VLAN connected to port P4 requests
an MVR stream, switch C takes the stream from VLAN mv0 and replicates that stream
onto port P4 with tag mv0. IPTV traffic, along with other network traffic, flows form
port P4 out to the Digital Subscriber Line Access Multiplexer (DSLAM) D1.

Overview and Topology

807

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Figure 41: MVR Topology in Transparent Mode

Figure 42 on page 809 shows the MVR topology in proxy mode. Interfaces P1 and P2
on switch C belong to MVLAN mv0 and customer VLAN c0. Interface P4 on switch C
is an access port of customer VLAN c0. In the upstream direction of the network,
only non-IPTV traffic is being carried on customer VLAN c0. Any IPTV traffic requested
by hosts on VLAN c0 is replicated untagged to port P4 based on streams received in
MVLAN mv0. IPTV traffic flows from port P4 out to an IPTV-enabled device in Host
1. Other traffic, such as data and voice traffic, also flows from port P4 to other network
devices in Host 1.


Figure 42: MVR Topology in Proxy Mode

For information on VLAN tagging, see Understanding Bridging and VLANs on EX Series Switches on page 467.

Configuration
To configure MVR, perform these tasks:
CLI Quick Configuration

To quickly configure MVR in proxy mode, copy the following commands and paste
them into the switch terminal window. To quickly configure MVR in transparent
mode (the default mode), do not copy and paste the final command line in the
following block of lines:
[edit protocols igmp-snooping]
set vlan mv0 data-forwarding source groups 225.10.0.0/16
set vlan v2 data-forwarding receiver source-vlans mv0
set vlan v2 data-forwarding receiver install
set vlan mv0 proxy source-address 10.1.1.1


Step-by-Step Procedure

To configure MVR, perform these tasks:

1. Configure mv0 to be an MVLAN:

[edit protocols igmp-snooping]
user@switch# set vlan mv0 data-forwarding source groups 225.10.0.0/16

NOTE: You cannot configure a VLAN that contains an access port to be an MVR source VLAN.

2. Configure v2 to be a multicast receiver VLAN with mv0 as its source:

[edit protocols igmp-snooping]
user@switch# set vlan v2 data-forwarding receiver source-vlans mv0

3. (Optional) Install forwarding entries in the multicast receiver VLAN v2:

[edit protocols igmp-snooping]
user@switch# set vlan v2 data-forwarding receiver install

4. (Optional) Configure MVR in proxy mode:

[edit protocols igmp-snooping]
user@switch# set vlan mv0 proxy source-address 10.1.1.1

Results

Check the results of the configuration:


[edit protocols igmp-snooping]
user@switch# show
vlan mv0 {
proxy {
source-address 10.1.1.1;
}
data-forwarding {
source {
groups 225.10.0.0/16;
}
}
}
vlan v2 {
data-forwarding {
receiver {
source-vlans mv0;
install;
}
}
}
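The forwarding behavior that this configuration produces on switch C can be modelled in a short Python program. The following is an added example written for this guide, not JUNOS code: it follows the two topologies above (MVLAN mv0 carrying 225.10.0.0/16, a receiver VLAN that lists mv0 as its source, port P4 as a trunk in transparent mode and as an access port in proxy mode) and shows which copies of a stream leave which port with which tag, and when the switch itself originates IGMP into the MVLAN. The Port class, the port VLAN memberships and the tuples used for generated IGMP packets are simplifications chosen for the example.

```python
"""Illustrative model of MVR forwarding on switch C in this example.

Added example written for this guide; it is not JUNOS code.  It models
IGMPv2 joins and leaves from hosts on receiver-VLAN ports and the copies of
an MVLAN stream the switch replicates to them.  Port memberships and the
generated-IGMP tuples are this example's own simplifications.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Port:
    name: str
    vlans: set              # VLANs the port is a member of
    access: bool = False    # access port: frames leave untagged


@dataclass
class MvrSwitch:
    mvlan: str
    groups: object                           # data-forwarding source groups prefix, e.g. "225.10.0.0/16"
    receiver_vlans: set                      # VLANs configured with source-vlans <mvlan>
    proxy_source: Optional[str] = None       # proxy source-address; None means transparent mode
    ports: dict = field(default_factory=dict)
    receivers: dict = field(default_factory=dict)   # group -> set of port names
    igmp_out: list = field(default_factory=list)    # IGMP packets generated by the switch itself

    def __post_init__(self):
        self.groups = ipaddress.ip_network(self.groups)

    def is_mvr_group(self, group) -> bool:
        return ipaddress.ip_address(group) in self.groups

    def join(self, port_name, vlan, group) -> str:
        """A host on port_name in vlan reports group.  Returns the VLAN the stream is served from."""
        port = self.ports[port_name]
        if vlan not in port.vlans:
            raise ValueError(f"{port_name} is not a member of VLAN {vlan}")
        if vlan not in self.receiver_vlans or not self.is_mvr_group(group):
            return vlan     # ordinary IGMP snooping inside the customer VLAN
        ports = self.receivers.setdefault(group, set())
        first = not ports
        ports.add(port_name)
        if first and self.proxy_source:
            # proxy mode: the switch reports the membership into the MVLAN on the hosts' behalf
            self.igmp_out.append(("report", self.mvlan, self.proxy_source, group))
        return self.mvlan

    def leave(self, port_name, group) -> None:
        ports = self.receivers.get(group)
        if not ports or port_name not in ports:
            return
        ports.discard(port_name)
        if not ports:
            del self.receivers[group]
            if self.proxy_source:
                self.igmp_out.append(("leave", self.mvlan, self.proxy_source, group))

    def replicate(self, ingress_vlan, group) -> dict:
        """A stream for group arrives in ingress_vlan.  Returns {port name: VLAN tag} for every
        copy sent; the tag is None for an untagged copy on an access port."""
        if ingress_vlan != self.mvlan or not self.is_mvr_group(group):
            return {}       # not an MVR stream: left to normal per-VLAN multicast forwarding
        return {name: (None if self.ports[name].access else self.mvlan)
                for name in self.receivers.get(group, ())}
```

In the transparent topology the copy on trunk port P4 carries tag mv0 and the switch generates no IGMP of its own; in the proxy topology P4 is an access port, so the copy is untagged, and the first join for a group makes the switch send a report into mv0 from the configured source-address. A join for a group outside 225.10.0.0/16 is handled as ordinary snooping in the customer VLAN.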

Related Topics

Configuring Multicast VLAN Registration (CLI Procedure) on page 818

Understanding Multicast VLAN Registration on EX Series Switches on page 800

Chapter 45

Configuring IGMP Snooping and Multicast

Configuring IGMP Snooping (CLI Procedure) on page 813

Configuring IGMP Snooping (J-Web Procedure) on page 814

Changing the IGMP Snooping Group Query Membership Timeout Value (CLI
Procedure) on page 817

Configuring Multicast VLAN Registration (CLI Procedure) on page 818

Configuring IGMP Snooping (CLI Procedure)


IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping
enabled, a LAN switch monitors the IGMP transmissions between a host (a network
device) and a multicast router, keeping track of the multicast groups and associated
member ports. The switch uses that information to make intelligent
multicast-forwarding decisions and forward traffic to the intended destination
interfaces.
You can configure IGMP snooping on one or more VLANs to allow the switch to
examine IGMP packets and make forwarding decisions based on packet content. By
default, IGMP snooping is enabled on EX Series switches.

NOTE: You cannot configure IGMP snooping on a secondary VLAN.


To enable IGMP snooping and configure individual options as needed for your network
by using the CLI:

1. Enable IGMP snooping on a VLAN:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan

2. Configure the limit for the number of multicast groups allowed on the ge-0/0/1
interface to 50:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/1 group-limit 50


3. Configure the switch to immediately remove a multicast group membership
from an interface when it receives a leave message from that interface and
suppress the sending of any group-specific queries for the multicast group
(IGMPv2 only):

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan immediate-leave

4. Statically configure IGMP group membership on a port:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/3.0 static group 225.100.100.100

5. Statically configure an interface as a switching interface toward a multicast router
(the interface to receive multicast traffic):

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/2.0 multicast-router-interface

6. Change the number of timeout intervals the switch waits before timing out a
multicast group to 4:

[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan robust-count 4
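The per-VLAN state that these six statements control can be modelled in a few dozen lines. The following Python is an added example for this guide, not JUNOS code: it keeps one VLAN's IGMP snooping membership table and applies group-limit, immediate-leave, static group membership, the multicast-router interface and robust-count to IGMPv2 reports and leaves. It treats robust-count as the multiplier in the group membership timeout formula ((query-interval x robust-count) + query-response-interval), which is how the IGMP robustness variable is defined but which this guide does not state explicitly; with the default robust-count of 2 this gives the 260-second value the guide cites. Class, method and interface names are this example's own.

```python
"""Illustrative model of an IGMP snooping membership table for one VLAN.

Added example for this guide; it is not JUNOS code.  IGMPv2 only: reports
and leaves arrive per (interface, group), and the switch decides which
interfaces a multicast group is forwarded to.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class SnoopingVlan:
    name: str
    query_interval: int = 125            # seconds, default from this guide
    query_response_interval: int = 10    # seconds, default from this guide
    robust_count: int = 2                # assumption: the "x 2" in the guide's timeout formula
    immediate_leave: bool = False
    mrouter_ifaces: set = field(default_factory=set)
    group_limits: dict = field(default_factory=dict)   # iface -> maximum number of groups
    # group -> {iface -> remaining seconds}; a static entry stores None and never expires
    members: dict = field(default_factory=dict)
    pending_queries: list = field(default_factory=list)  # (iface, group) awaiting a group-specific query

    def group_timeout(self) -> int:
        """Group membership timeout: (query-interval x robust-count) + query-response-interval."""
        return self.robust_count * self.query_interval + self.query_response_interval

    def _check_group(self, group) -> str:
        addr = ipaddress.ip_address(group)
        if not addr.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        return str(addr)

    def _iface_group_count(self, iface) -> int:
        return sum(1 for ifaces in self.members.values() if iface in ifaces)

    def add_static(self, iface, group) -> None:
        """Equivalent of 'interface <iface> static group <group>'."""
        group = self._check_group(group)
        self.members.setdefault(group, {})[iface] = None

    def report(self, iface, group) -> bool:
        """Process a membership report.  Returns False when group-limit drops it."""
        group = self._check_group(group)
        already = iface in self.members.get(group, {})
        limit = self.group_limits.get(iface)
        if not already and limit is not None and self._iface_group_count(iface) >= limit:
            return False    # limit reached: report ignored, flow not flooded on the interface
        entry = self.members.setdefault(group, {})
        if entry.get(iface, 0) is not None:   # do not overwrite a static entry
            entry[iface] = self.group_timeout()
        return True

    def leave(self, iface, group) -> None:
        group = self._check_group(group)
        entry = self.members.get(group, {})
        if iface not in entry or entry[iface] is None:
            return
        if self.immediate_leave:
            del entry[iface]    # removes every host behind the port at once, as the NOTE warns
            if not entry:
                del self.members[group]
        else:
            self.pending_queries.append((iface, group))   # send a group-specific query first

    def tick(self, seconds) -> None:
        """Age dynamic entries; static ones (None) never expire."""
        for group in list(self.members):
            for iface, left in list(self.members[group].items()):
                if left is None:
                    continue
                if left - seconds <= 0:
                    del self.members[group][iface]
                else:
                    self.members[group][iface] = left - seconds
            if not self.members[group]:
                del self.members[group]

    def forwarding_ifaces(self, group) -> set:
        """Interfaces that receive traffic for group: its members plus every multicast-router interface."""
        group = self._check_group(group)
        return set(self.members.get(group, {})) | self.mrouter_ifaces
```

A report that would exceed the interface's group-limit is refused rather than queued, a static group survives any amount of ageing, and with immediate-leave set a single leave removes the port without the group-specific query that would otherwise keep other hosts on that port subscribed.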

Related Topics

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Changing the IGMP Snooping Group Query Membership Timeout Value (CLI
Procedure) on page 817

show igmp-snooping membership

show igmp-snooping route

show igmp-snooping statistics

show igmp-snooping vlans

IGMP Snooping on EX Series Switches Overview on page 795

Configuring IGMP Snooping (J-Web Procedure)


IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping
enabled, the EX Series switch monitors the IGMP transmissions between a host (a
network device) and a multicast router, keeping track of the multicast groups and
associated member interfaces. The switch uses that information to make intelligent
multicast-forwarding decisions and forward traffic to the intended destination
interfaces.


You can configure IGMP snooping on one or more VLANs to allow the switch to
examine IGMP packets and make forwarding decisions based on packet content. By
default, IGMP snooping is enabled on EX Series switches.
To enable IGMP snooping and configure individual options using the J-Web interface:

1. Select Configure > Switching > IGMP Snooping.

2. Click one:

Add: Creates an IGMP snooping configuration for the VLAN.

Edit: Modifies an IGMP snooping configuration for the VLAN.

Delete: Deletes a selected VLAN from the IGMP snooping configuration.

When you are adding or editing an IGMP snooping configuration, enter
information as described in Table 111 on page 815.

3. Click OK to apply changes to the configuration or click Cancel without saving
changes.

To disable IGMP snooping on a VLAN, select the VLAN from the list and click Disable.
Table 111: IGMP Snooping Configuration Fields

Field: VLAN Name
Function: Specifies the VLAN on which to enable IGMP snooping.
Your Action: Select a VLAN from the list to add it to the snooping configuration.

Field: Immediate Leave
Function: Immediately removes a multicast group membership from an interface when it
receives a leave message from that interface and suppresses the sending of any
group-specific queries for the multicast group.
Your Action: To enable the option, select the check box. To disable the option, clear
the check box.

Field: Robust Count
Function: Specifies the number of timeout intervals the switch waits before timing
out a multicast group.
Your Action: Type a value.

Field: Interfaces List
Function: Statically configures an interface as a switching interface toward a
multicast router (the interface to receive multicast traffic).
Your Action: Click one:

Add: Adds an interface to the IGMP snooping configuration.
  1. Select an interface from the list.
  2. Select Multicast Router Interface.
  3. Type the maximum number of groups an interface can join.
  4. In Static, choose one:
     Click Add, type a group IP address, and click OK.
     Select a group and click Remove to remove the group membership.

Edit: Edits the interface settings for the IGMP snooping configuration.

Remove: Deletes an interface configured for IGMP snooping.

Related Topics

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Configuring IGMP Snooping (CLI Procedure) on page 813

Changing the IGMP Snooping Group Query Membership Timeout Value (CLI
Procedure) on page 817

IGMP Snooping on EX Series Switches Overview on page 795

Changing the IGMP Snooping Group Query Membership Timeout Value (CLI
Procedure)
Generally, you do not need to explicitly set the group membership timeout value for
IGMP snooping groups on an EX Series switch. The group membership timeout value,
which determines how long the switch waits before removing an IGMP snooping
group from its multicast cache table, is implicitly set to 260 seconds when you
configure IGMP snooping.
When you enable IGMP snooping on a switch, the query-interval and
query-response-interval values are set to their default values and are applied to all
VLANs created on the switch. The default values are:

query-interval: 125 seconds

query-response-interval: 10 seconds

The software automatically calculates the group membership timeout value for an
IGMP snooping-enabled switch by multiplying the query-interval value by 2 and then
adding the query-response-interval value. For example, using the default values:
(125 x 2) + 10 = 260.
If you need to explicitly set the group membership timeout value, you reset the
query-interval and query-response-interval values at the [edit protocols igmp] hierarchy
level. (Notice that you are not resetting the values at the [edit protocols igmp-snooping]
hierarchy level.) When you reset these values, the IGMP snooping configuration
inherits the new values and recalculates the group membership timeout value
accordingly. For more information on changing these values, see the JUNOS Multicast
Protocols Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos96/index.html.
To change the IGMP snooping group membership timeout value to 350 seconds,
that is, (150 x 2) + 50:

1. Configure the query-interval value to be 150:

[edit protocols]
user@switch# set igmp query-interval 150

2. Configure the query-response-interval value to be 50:

[edit protocols]
user@switch# set igmp query-response-interval 50

Related Topics

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Verifying That the IGMP Snooping Group Query Timeout Value Has Been Changed
Correctly on page 822

Configuring IGMP Snooping (CLI Procedure) on page 813

Configuring IGMP Snooping (J-Web Procedure) on page 814


Configuring Multicast VLAN Registration (CLI Procedure)


Multicast VLAN registration (MVR) allows hosts that are not part of a multicast source
VLAN (MVLAN) to still receive multicast streams from the MVLAN, allowing an MVLAN
to be shared across a Layer 2 network. Hosts remain in their own VLANs for
bandwidth and security reasons but are able to receive multicast streams from the
MVLAN.
You can configure one or more VLANs on a switch to be MVLANs or MVR receiver
VLANs. By default, MVR is not configured on EX Series switches.

NOTE: MVR is supported on VLANs running IGMP version 2 (IGMPv2) only.

NOTE: When configuring MVR, the following restrictions apply:

You cannot configure a VLAN that contains an access port to be an MVR source
VLAN.

You cannot enable multicast protocols on VLAN interfaces that are members of
MVLANs.

If you configure an MVLAN in proxy mode, IGMP snooping proxy mode will be
automatically enabled on all MVR receiver VLANs of this MVLAN. If a VLAN is
an MVR receiver VLAN for multiple MVLANs, all of the MVLANs must have proxy
mode enabled or all must have proxy mode disabled. You can enable proxy
mode only on VLANs that are configured as MVR source VLANs and that are not
configured for Q-in-Q tunneling.

After you configure a VLAN as an MVLAN, that VLAN is no longer available for
other uses.

To configure MVR:

1. Configure the VLAN named mv0 to be an MVLAN:

[edit protocols]
user@switch# set igmp-snooping vlan mv0 data-forwarding source groups 225.10.0.0/16

2. Configure the MVLAN mv0 to be a proxy VLAN:

[edit protocols]
user@switch# set igmp-snooping vlan mv0 proxy source-address 10.0.0.1

3. Configure the VLAN named v2 to be an MVR receiver VLAN:

[edit protocols]
user@switch# set igmp-snooping vlan v2 data-forwarding receiver source-vlans mv0

4. Install forwarding entries in the MVR receiver VLAN v2 (the install statement
belongs under the receiver VLAN, not under the MVLAN, which has only a source
statement):

[edit protocols]
user@switch# set igmp-snooping vlan v2 data-forwarding receiver install
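The restrictions in the NOTE above, together with the per-statement rules (one source or one receiver statement per data-forwarding VLAN, exactly one groups statement per MVLAN, unique group ranges across MVLANs), are easy to break when the commands are typed by hand. The following Python is an added example for this guide, not JUNOS code: it reads set commands in either the full form or the form relative to [edit protocols igmp-snooping] and reports which documented MVR rules they violate before the configuration is committed. It assumes the caller passes the set of VLANs that contain access ports (the switch derives that from its interface configuration; a text checker has to be told), and it reads "unique group ranges" as non-overlapping prefixes; the Q-in-Q restriction is not visible in these commands and is not checked. Function names are this example's own.

```python
"""Added example: a checker for the documented MVR configuration restrictions (not JUNOS code).

Accepts 'set protocols igmp-snooping vlan X ...' and 'set vlan X ...' lines.
"""
import ipaddress
from collections import defaultdict


def parse_set_commands(text):
    """Return {vlan: {"source": [prefix], "receiver": [[source-vlans]], "install": bool, "proxy": value}}."""
    vlans = defaultdict(lambda: {"source": [], "receiver": [], "install": False, "proxy": None})
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] != "set" or "vlan" not in words:
            continue
        i = words.index("vlan")
        vlan, rest = words[i + 1], words[i + 2:]
        if rest[:3] == ["data-forwarding", "source", "groups"]:
            vlans[vlan]["source"].append(ipaddress.ip_network(rest[3]))
        elif rest[:3] == ["data-forwarding", "receiver", "source-vlans"]:
            vlans[vlan]["receiver"].append([w for w in rest[3:] if w not in ("[", "]")])
        elif rest[:3] == ["data-forwarding", "receiver", "install"]:
            vlans[vlan]["install"] = True
        elif rest[:1] == ["proxy"]:
            # 'proxy' alone or 'proxy source-address <addr>'
            vlans[vlan]["proxy"] = rest[2] if len(rest) >= 3 else True
    return dict(vlans)


def check_mvr(text, access_port_vlans=()):
    """Return a list of rule-violation strings; an empty list means the MVR configuration passes."""
    cfg = parse_set_commands(text)
    errors = []
    sources = {v: c["source"][0] for v, c in cfg.items() if c["source"]}
    for vlan, c in cfg.items():
        has_receiver = bool(c["receiver"]) or c["install"]
        if c["source"] and has_receiver:
            errors.append(f"{vlan}: must be either an MVLAN or a receiver VLAN, not both")
        if len(c["source"]) > 1:
            errors.append(f"{vlan}: an MVLAN must have exactly one groups statement")
        if c["source"] and vlan in access_port_vlans:
            errors.append(f"{vlan}: a VLAN with an access port cannot be an MVR source VLAN")
        if c["install"] and not c["receiver"]:
            errors.append(f"{vlan}: install requires a source-vlans statement in the same receiver block")
        if c["proxy"] and not c["source"]:
            errors.append(f"{vlan}: proxy mode is allowed only on MVR source VLANs")
        if c["receiver"]:
            srcs = [s for lst in c["receiver"] for s in lst]
            for s in srcs:
                if s not in sources:
                    errors.append(f"{vlan}: source VLAN {s} is not configured as an MVLAN")
            # every MVLAN feeding one receiver VLAN must agree on proxy versus transparent mode
            modes = {bool(cfg[s]["proxy"]) for s in srcs if s in sources}
            if len(modes) > 1:
                errors.append(f"{vlan}: its MVLANs must all use proxy mode or all use transparent mode")
    names = list(sources)
    for n, a in enumerate(names):
        for b in names[n + 1:]:
            if sources[a].overlaps(sources[b]):   # assumption: "unique" read as non-overlapping
                errors.append(f"{a} and {b}: MVLAN group ranges must be unique")
    return errors
```

Run it over the four quick-configuration lines from the example earlier in this chapter and it returns no errors; feed it a receiver install typed against mv0 instead of v2, or a second MVLAN whose groups prefix sits inside 225.10.0.0/16, and each violation is named with the VLAN it belongs to.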

Related Topics

Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806

Understanding Multicast VLAN Registration on EX Series Switches on page 800

Chapter 46

Verifying IGMP Snooping and Multicast

Monitoring IGMP Snooping on page 821

Verifying That the IGMP Snooping Group Query Timeout Value Has Been Changed
Correctly on page 822

Monitoring IGMP Snooping

Purpose: Use the monitoring feature to view status and information about IGMP snooping
configuration on your EX Series switch.

Action: To display IGMP snooping details in the J-Web interface, select Monitor > Switching
> IGMP Snooping.

To display IGMP snooping details in the CLI, enter the following commands:

show igmp-snooping vlans

show igmp-snooping statistics

show igmp-snooping route

Meaning: Table 112 on page 821 summarizes the IGMP snooping details displayed.

Table 112: Summary of IGMP Snooping Output Fields

IGMP Snooping Monitor

Field: VLAN
Values: The VLAN for which IGMP snooping is enabled.

Field: Interfaces
Values: Indicates the interfaces configured as switching interfaces that are associated
with the multicast router.

Field: Groups
Values: Indicates the number of the multicast groups learned by the VLAN.

Field: MRouters
Values: Specifies the multicast router.

Field: Receivers
Values: Specifies the multicast receiver.

IGMP Route Information

Field: VLAN
Values: The VLAN for which IGMP snooping is enabled.

Field: Next-Hop
Values: Specifies the next hop assigned by the switch after performing the route lookup.

Field: Group
Values: Indicates the multicast groups learned by the VLAN.

Related Topics

show igmp-snooping vlans

show igmp-snooping statistics

show igmp-snooping route

Configuring IGMP Snooping (CLI Procedure) on page 813

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Verifying That the IGMP Snooping Group Query Timeout Value Has Been Changed
Correctly

Purpose: Verify that the IGMP snooping group query timeout value has been changed
correctly from its default value.

Action: Display the IGMP protocol information:

user@switch> show configuration protocols igmp
query-interval 150;
query-response-interval 50;
accounting;
interface vlan.43 {
version 2;
}

Display the IGMP snooping membership information, which contains the group query
timeout value that was derived from the IGMP configuration:

user@switch> show igmp-snooping membership detail
VLAN: v43 Tag: 43 (Index: 4)
Group: 225.0.0.1
Receiver count: 1, Flags: <v2hosts>
ge-0/0/15.0 Uptime: 00:00:05 timeout: 350

Meaning: When you enable IGMP snooping on a switch, the query-interval and
query-response-interval values are set to their default values and are applied to all
VLANs created on the switch. The IGMP snooping group timeout value is derived
from these default settings. Based on the default values, the initial IGMP snooping
group query timeout value is 260.
To change the group query timeout value, change the query-interval and
query-response-interval values at the [edit protocols igmp] hierarchy level. The IGMP
snooping group query timeout value is then recalculated based on the new IGMP
configuration settings.
The output from the show configuration protocols igmp command shows the revised
IGMP configuration settings for query-interval and query-response-interval. You know
that these values have been revised because they are different from the default values.
The output from the show igmp-snooping membership detail command shows the
revised group query timeout value, 350, which was derived from the new IGMP
configuration settings: (150 x 2) + 50.
Related Topics

Changing the IGMP Snooping Group Query Membership Timeout Value (CLI
Procedure) on page 817


Chapter 47

Configuration Statements for IGMP Snooping and Multicast

[edit protocols] Configuration Statement Hierarchy on page 825

[edit protocols] Configuration Statement Hierarchy


protocols {
connections {
remote-interface-switch connection-name {
interface interface-name.unit-number;
transmit-lsp label-switched-path;
receive-lsp label-switched-path;
}
}
dot1x {
authenticator {
authentication-profile-name profile-name;
interface (all | [ interface-names ]) {
disable;
guest-vlan ( vlan-id | vlan-name);
mac-radius <restrict>;
maximum-requests number;
no-reauthentication;
quiet-period seconds;
reauthentication {
interval seconds;
}
retries number;
server-fail (deny | permit | use-cache | vlan-id | vlan-name);
server-reject-vlan (vlan-id | vlan-name);
server-timeout seconds;
supplicant (multiple | single | single-secure);
supplicant-timeout seconds;
transmit-period seconds;
}
static mac-address {
interface interface-name;
vlan-assignment (vlan-id |vlan-name);
}
}
gvrp {
<enable | disable>;
interface (all | [interface-name]) {
disable;
}
join-timer milliseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}
igmp-snooping {
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
vlan (vlan-id | vlan-number) {
data-forwarding {
source {
groups group-prefix;
}
receiver {
source-vlans vlan-list;
install ;
}
}
disable {
interface interface-name
}
immediate-leave;
interface interface-name {
group-limit limit;
multicast-router-interface;
static {
group ip-address;
}
}
proxy ;
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp {
disable;
advertisement-interval seconds;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
}
lldp-med {
disable;
fast-start number;
interface (all | interface-name) {
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mpls {
interface ( all | interface-name );
label-switched-path lsp-name to remote-provider-edge-switch;
path destination {
<address | hostname> <strict | loose>
}
}
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
oam {
ethernet{
link-fault-management {
action-profile profile-name;
action {
syslog;
link-down;
}
event {
link-adjacency-loss;
link-event-rate;
frame-error count;
frame-period count;
frame-period-summary count;
symbol-period count;
}
interface interface-name {
link-discovery (active | passive);
pdu-interval interval;
event-thresholds threshold-value;
remote-loopback;
event-thresholds {
frame-error count;
frame-period count;
frame-period-summary count;
symbol-period count;
}
}
negotiation-options {
allow-remote-loopback;
no-allow-link-events;
}
}
}
}
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
sflow {
collector {
ip-address;
udp-port port-number;
}
disable;
interfaces interface-name {
disable;
polling-interval seconds;
sample-rate number;
}
polling-interval seconds;
sample-rate number;
}
stp {
disable;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
vstp {
bpdu-block-on-edge;
disable;
force-version stp;
vlan vlan-id {
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
bpdu-timeout-action {
block;
alarm;
}
cost cost;
disable;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
}
}
Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873

IGMP Snooping on EX Series Switches Overview on page 795

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 1635

Understanding VSTP for EX Series Switches on page 574

Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 1661

data-forwarding

Syntax:
data-forwarding {
source {
groups group-prefix;
}
receiver {
source-vlans vlan-list;
install;
}
}

Hierarchy Level: [edit protocols igmp-snooping vlan vlan-id | vlan-number]

Release Information: Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description: Configure the VLAN to be a multicast source VLAN (MVLAN) or a multicast VLAN
registration (MVR) receiver VLAN. Each data-forwarding VLAN, which can be a
multicast source VLAN (MVLAN) or a multicast receiver VLAN, must have exactly one
source statement or exactly one receiver statement. A data-forwarding VLAN can
operate only in IGMPv2 mode.
The remaining statements are explained separately.

Default: Disabled.

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

[edit protocols] Configuration Statement Hierarchy on page 47

Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806

Configuring Multicast VLAN Registration (CLI Procedure) on page 818

disable

Syntax:
disable {
interface interface-name;
}

Hierarchy Level: [edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information: Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description: Disable IGMP snooping on all interfaces in a VLAN or on a specific VLAN interface.

Default: If you do not specify an interface, all interfaces in the given VLAN are disabled.

Options: interface-name: Name of the interface.

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Configuring IGMP Snooping (CLI Procedure) on page 813
group

Syntax: group ip-address;

Hierarchy Level: [edit protocols igmp-snooping vlan vlan-id | vlan-name interface interface-name static]

Release Information: Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description: Configure a static multicast group using a valid IP multicast address.

Default: None.

Options: ip-address: IP address of the multicast group receiving data on an interface.

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Configuring IGMP Snooping (CLI Procedure) on page 813

groups

Syntax: groups group-prefix;

Hierarchy Level: [edit protocols igmp-snooping vlan vlan-id | vlan-number data-forwarding source]

Release Information: Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description: Specify the IP address range of the multicast VLAN (MVLAN) source interfaces.

Default: Disabled.

Options: group-prefix: IP address range of the source group. Each MVLAN must have exactly
one groups statement. If there are multiple MVLANs on the switch, their group
ranges must be unique.

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

[edit protocols] Configuration Statement Hierarchy on page 47

Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806

Configuring Multicast VLAN Registration (CLI Procedure) on page 818

group-limit

Syntax: group-limit limit;

Hierarchy Level: [edit protocols igmp-snooping vlan vlan-id | vlan-number interface interface-name]

Release Information: Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description: Configure a limit for the number of multicast groups allowed on the specified interface.
After this limit is reached, new reports are ignored and related flows are not flooded
on the interface.

Default: No group limits are configured.

Options: limit: Number that represents the maximum number of multicast groups allowed
on the specified interface.
Range: 0 through 65535

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Configuring IGMP Snooping (CLI Procedure) on page 813

Configuring IGMP Snooping (J-Web Procedure) on page 814

igmp-snooping

Syntax:
igmp-snooping {
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag (detail | disable | receive | send);
}
vlan vlan-id | vlan-name {
data-forwarding {
source {
groups group-prefix;
}
receiver {
source-vlans vlan-list;
install;
}
}
disable {
interface interface-name;
}
immediate-leave;
interface interface-name {
group-limit limit;
multicast-router-interface;
static {
group ip-address;
}
}
proxy;
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}

Hierarchy Level: [edit protocols]

Release Information: Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description: Enable and configure IGMP snooping on EX Series switches.
The remaining statements are explained separately.

Default: IGMP snooping is enabled by default.

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Configuring IGMP Snooping (CLI Procedure) on page 813

immediate-leave

Syntax: immediate-leave;

Hierarchy Level: [edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information: Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description: (Applies only to switches running IGMPv2.) After the switch receives a leave group
membership message from a host, immediately remove the group membership from
the interface and suppress the sending of any group-specific queries for the multicast
group.

NOTE: When configuring this statement, ensure that the IGMP interface has only
one IGMP host connected. If more than one IGMPv2 host is connected to the switch
through the same interface and one of the hosts sends a leave message, the switch
removes all hosts on the interface from the multicast group. The switch loses contact
with the hosts in the multicast group that did not send a leave message until they
send join requests in response to the next general multicast listener query from the
router.

Default: The immediate-leave feature is disabled.

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

Example: Configuring IGMP Snooping on EX Series Switches on page 803

Configuring IGMP Snooping (CLI Procedure) on page 813

install

Syntax: install;

Hierarchy Level: [edit protocols igmp-snooping vlan vlan-id | vlan-number data-forwarding receiver]

Release Information: Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description: Install forwarding entries in the multicast receiver VLAN. By default, only the multicast
VLAN (MVLAN) installs forwarding entries for MVLAN groups.

Default: Disabled.

Required Privilege Level: routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics:

[edit protocols] Configuration Statement Hierarchy on page 47

Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806

Configuring Multicast VLAN Registration (CLI Procedure) on page 818

interface

Syntax
    interface interface-name {
        group-limit limit;
        multicast-router-interface;
        static {
            group ip-address;
        }
    }

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name)]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Enable IGMP snooping on an interface and configure interface-specific properties. The remaining statements are explained separately.

Default
    None.

Options
    interface-name: Name of the interface.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show igmp-snooping vlans
    Example: Configuring IGMP Snooping on EX Series Switches on page 803
    Configuring IGMP Snooping (CLI Procedure) on page 813

multicast-router-interface

Syntax
    multicast-router-interface;

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name) interface interface-name]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Statically configure an interface as a switching interface toward a multicast router (the interface on which the switch receives multicast traffic).

Default
    Disabled.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring IGMP Snooping on EX Series Switches on page 803
    Configuring IGMP Snooping (CLI Procedure) on page 813

proxy

Syntax
    proxy {
        source-address source-address;
    }

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name)]

Release Information
    Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Specify that the VLAN operates in proxy mode. The proxy option is only accepted for a VLAN acting as a data-forwarding source.

Default
    Disabled.

Options
    source-address source-address: IP address that the source VLAN uses when acting as proxy.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    [edit protocols] Configuration Statement Hierarchy on page 47
    Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806
    Configuring Multicast VLAN Registration (CLI Procedure) on page 818

query-interval

Syntax
    query-interval seconds;

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name)]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.
    Statement deprecated in JUNOS Release 9.4 for EX Series switches.

    NOTE: This statement has been deprecated and might be removed from future product releases. We strongly recommend that you phase out its use.

Description
    Configure how frequently the switch sends host-query timeout messages to a multicast group.

Default
    125 seconds.

Options
    seconds: Number of seconds between host-query timeout messages.
    Range: 1 through 1024 seconds

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring IGMP Snooping on EX Series Switches on page 803
    Configuring IGMP Snooping (CLI Procedure) on page 813

query-last-member-interval

Syntax
    query-last-member-interval seconds;

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name)]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.
    Statement deprecated in JUNOS Release 9.4 for EX Series switches.

    NOTE: This statement has been deprecated and might be removed from future product releases. We strongly recommend that you phase out its use.

Description
    Configure the interval between group-specific query timeout messages sent by the switch.

Default
    1 second.

Options
    seconds: Amount of time between group-specific query timeout messages.
    Range: 1 through 1024 seconds

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring IGMP Snooping on EX Series Switches on page 803
    Configuring IGMP Snooping (CLI Procedure) on page 813

query-response-interval

Syntax
    query-response-interval seconds;

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name)]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.
    Statement deprecated in JUNOS Release 9.4 for EX Series switches.

    NOTE: This statement has been deprecated and might be removed from future product releases. We strongly recommend that you phase out its use.

Description
    Configure the length of time the switch waits to receive a response to a specific query message from a host.

Default
    10 seconds.

Options
    seconds: Number of seconds the switch waits to receive a response to a specific query message from a host.
    Range: 1 through 25 seconds

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring IGMP Snooping on EX Series Switches on page 803
    Configuring IGMP Snooping (CLI Procedure) on page 813

receiver

Syntax
    receiver {
        source-vlans vlan-list;
        install;
    }

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name) data-forwarding]

Release Information
    Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Configure a VLAN as a multicast receiver VLAN of the multicast VLAN (MVLAN). The remaining statements are explained separately.

Default
    Disabled.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    [edit protocols] Configuration Statement Hierarchy on page 47
    Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806
    Configuring Multicast VLAN Registration (CLI Procedure) on page 818

robust-count

Syntax
    robust-count number;

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name)]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Configure the number of intervals the switch waits before removing a multicast group from the multicast forwarding table. The length of each interval is configured using the query-interval statement.

Default
    2.

Options
    number: Number of intervals the switch waits before timing out a multicast group.
    Range: 2 through 10

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring IGMP Snooping on EX Series Switches on page 803
    Configuring IGMP Snooping (CLI Procedure) on page 813

source

Syntax
    source {
        groups group-prefix;
    }

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name) data-forwarding]

Release Information
    Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Configure a VLAN to be a multicast source VLAN (MVLAN).

    NOTE: You cannot configure a VLAN that contains an access port to be an MVR source VLAN.

    The remaining statement is explained separately.

Default
    Disabled.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    [edit protocols] Configuration Statement Hierarchy on page 47
    Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806
    Configuring Multicast VLAN Registration (CLI Procedure) on page 818

source-vlans

Syntax
    source-vlans vlan-list;

Hierarchy Level
    [edit protocols igmp-snooping vlan (vlan-id | vlan-name) data-forwarding receiver]

Release Information
    Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
    Specify a list of multicast VLANs (MVLANs) from which this multicast receiver VLAN receives multicast traffic. Either all of these MVLANs must be in proxy mode or none of them can be in proxy mode.

Default
    Disabled.

Options
    vlan-list: Names of the MVLANs.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    [edit protocols] Configuration Statement Hierarchy on page 47
    Example: Configuring Multicast VLAN Registration on EX Series Switches on page 806
    Configuring Multicast VLAN Registration (CLI Procedure) on page 818
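The MVR statements documented above (source, groups, proxy, receiver, source-vlans, install) assembled into one working configuration, added here as an example; it is not taken from this page or from the Juniper example topics it references. The VLAN names, the group prefix and the proxy source address are placeholders, and the nested form of proxy (a block containing source-address) is an assumption drawn from the proxy statement's syntax entry. Recall the two constraints the statements impose: the MVLAN may hold no access port, and every MVLAN a receiver VLAN lists must be in the same mode (all proxy or none).

```junos
protocols {
    igmp-snooping {
        /* Multicast VLAN (MVLAN): carries the streams for the 239.10.0.0/16 groups.
           Only trunk ports may be members; an access port here is rejected. */
        vlan mvlan {
            data-forwarding {
                source {
                    groups 239.10.0.0/16;
                }
            }
            /* Proxy mode: the switch sources the upstream IGMP reports from this address
               instead of exposing each receiver VLAN's hosts to the multicast router. */
            proxy {
                source-address 10.10.0.1;
            }
        }
        /* Receiver VLAN: hosts here join groups within the MVLAN's prefix and get the copy
           carried on mvlan. Because mvlan is in proxy mode, any second MVLAN added to
           source-vlans would also have to be in proxy mode. */
        vlan receiver-vlan {
            data-forwarding {
                receiver {
                    source-vlans mvlan;
                    /* Install forwarding entries in this receiver VLAN as well, not only on
                       the MVLAN. */
                    install;
                }
            }
        }
    }
}
```

After committing, the receiver-side entries can be checked with the Chapter 48 commands: show igmp-snooping membership vlan receiver-vlan detail lists the groups reported by hosts on the receiver VLAN, and show igmp-snooping route vlan mvlan shows the next hops the switch installed for the MVLAN groups.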


traceoptions

Syntax
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag (detail | disable | receive | send);
    }

Hierarchy Level
    [edit protocols igmp-snooping]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Define tracing operations for IGMP snooping.

Default
    The traceoptions feature is disabled by default.

Options
    file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.

    files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached, at which point the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
    Range: 2 through 1000
    Default: 3 files

    flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
        all: All tracing operations.
        general: Trace general IGMP snooping protocol events.
        leave: Trace leave group messages (IGMPv2 only).
        normal: Trace normal IGMP snooping protocol events.
        packets: Trace all IGMP packets.
        policy: Trace policy processing.
        query: Trace IGMP membership query messages.
        report: Trace membership report messages.
        route: Trace routing information.
        state: Trace IGMP state transitions.
        task: Trace routing protocol task processing.
        timer: Trace routing protocol timer processing.

    match regex: (Optional) Refine the output to include only lines that contain the regular expression.

    no-world-readable: (Optional) Restrict file access to the user who created the file.

    size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of files with the files option.
    Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
    Range: 10 KB through 1 GB
    Default: 128 KB

    world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring IGMP Snooping on EX Series Switches on page 803
    Configuring IGMP Snooping (CLI Procedure) on page 813

vlan

Syntax
    vlan (vlan-id | vlan-name) {
        data-forwarding {
            source {
                groups group-prefix;
            }
            receiver {
                source-vlans vlan-list;
                install;
            }
        }
        disable {
            interface interface-name;
        }
        immediate-leave;
        interface interface-name {
            group-limit limit;
            multicast-router-interface;
            static {
                group ip-address;
            }
        }
        proxy {
            source-address source-address;
        }
        query-interval seconds;
        query-last-member-interval seconds;
        query-response-interval seconds;
        robust-count number;
    }

Hierarchy Level
    [edit protocols igmp-snooping]

Release Information
    Statement introduced in JUNOS Release 9.1 for EX Series switches.
    Statement updated with enhanced ? (CLI completion feature) functionality in JUNOS Release 9.5 for EX Series switches.

Description
    Configure IGMP snooping parameters for a VLAN. The remaining statements are explained separately.

    TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range. For IGMP snooping, secondary private VLANs are not listed.

Default
    IGMP snooping options apply to the specified VLAN.

Options
    vlan-id: Numeric tag for a VLAN.
    Range: 0 through 4095. Tags 0 and 4095 are reserved by JUNOS Software, and you should not configure them.
    vlan-name: Name of a VLAN.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Configuring IGMP Snooping (CLI Procedure) on page 813
    IGMP Snooping on EX Series Switches Overview on page 795
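A VLAN-level IGMP snooping configuration that exercises the statements in this chapter (interface, multicast-router-interface, group-limit, static group, immediate-leave, robust-count and traceoptions), added here as an example; it is not taken from this page or from the example topics it references. The interface names, group limit, group address and trace file name are placeholders. The two security-relevant choices are marked in the comments: immediate-leave is only safe where each access port carries exactly one host, and trace files under /var/log should not be world-readable, since they record which hosts joined which groups.

```junos
protocols {
    igmp-snooping {
        traceoptions {
            /* Rotate through five 1 MB files and keep them readable only by the user
               who configured tracing (the page's no-world-readable option). */
            file "igmp-snooping.log" size 1m files 5 no-world-readable;
            flag query;
            flag leave;
        }
        vlan employee-vlan {
            /* Uplink toward the multicast router: a static mrouter port, so group
               membership is forwarded there before any query has been heard on it. */
            interface ge-0/0/0.0 {
                multicast-router-interface;
            }
            /* Access ports: cap the groups a single port can join so that a burst of
               IGMP reports from one host cannot fill the multicast forwarding table. */
            interface ge-0/0/1.0 {
                group-limit 20;
            }
            interface ge-0/0/2.0 {
                group-limit 20;
                /* A receiver that never sends reports itself (placeholder group). */
                static {
                    group 224.1.1.1;
                }
            }
            /* Safe here only because every access port above carries one host. Behind a
               hub or unmanaged switch, one host's leave would drop the others' traffic
               until the next general query, as the immediate-leave NOTE warns. */
            immediate-leave;
            robust-count 2;
        }
    }
}
```

After committing, show igmp-snooping vlans vlan employee-vlan detail (Chapter 48) should list ge-0/0/0.0 among the router interfaces with the marker static, and show igmp-snooping membership vlan employee-vlan detail should show 224.1.1.1 on ge-0/0/2.0 with the Static flag and no timeout, matching the detail sample in that chapter.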


Chapter 48: Operational Mode Commands for IGMP Snooping and Multicast

clear igmp-snooping membership

Syntax
    clear igmp-snooping membership
        <vlan (vlan-id | vlan-name)>

Release Information
    Command introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Clear IGMP snooping membership information.

Options
    vlan vlan-id: Numeric tag identifier of the VLAN.
    vlan vlan-name: Name of the VLAN.

Required Privilege Level
    view

Related Topics
    show igmp-snooping membership

List of Sample Output
    clear igmp-snooping membership on page 852

Sample Output

clear igmp-snooping membership
    user@switch> clear igmp-snooping membership vlan employee-vlan

clear igmp-snooping statistics

Syntax
    clear igmp-snooping statistics

Release Information
    Command introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Clear IGMP snooping statistics.

Required Privilege Level
    view

Related Topics
    show igmp-snooping statistics

List of Sample Output
    clear igmp-snooping statistics on page 853

Sample Output

clear igmp-snooping statistics
    user@switch> clear igmp-snooping statistics

show igmp-snooping membership

Syntax
    show igmp-snooping membership
        <brief | detail>
        <interface interface-name>
        <vlan (vlan-id | vlan-name)>

Release Information
    Command introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Display IGMP snooping membership information.

Options
    none: Display general parameters.
    brief | detail: (Optional) Display the specified level of output.
    interface interface-name: (Optional) Display IGMP snooping information for the specified interface.
    vlan (vlan-id | vlan-name): (Optional) Display IGMP snooping information for the specified VLAN.

Required Privilege Level
    view

Related Topics
    show igmp-snooping route
    show igmp-snooping statistics
    show igmp-snooping vlans
    Monitoring IGMP Snooping on page 821
    Configuring IGMP Snooping (CLI Procedure) on page 813
    Configuring IGMP Snooping (J-Web Procedure) on page 814

List of Sample Output
    show igmp-snooping membership on page 855
    show igmp-snooping membership detail on page 856

Output Fields
    Table 113 lists the output fields for the show igmp-snooping membership command. Output fields are listed in the approximate order in which they appear.

Table 113: show igmp-snooping membership Output Fields

    Field Name | Field Description | Level of Output
    VLAN | Name of the VLAN. | All
    Interfaces | Interfaces assigned to the VLAN. | All
    Tag | Numerical identifier of the VLAN. | detail
    Router interfaces | Names of the multicast router interfaces. | detail
    static or dynamic | Whether the multicast router interface is static or dynamic. | detail
    Uptime | For static interfaces, amount of time since the interface was configured as a multicast router interface; for dynamic interfaces, amount of time since the first query was received on the interface. | detail
    timeout | Query timeout in seconds. | detail
    Group | IP multicast address of the multicast group. | detail
    Receiver count | Number of interfaces that have membership in a multicast group. | detail
    Flags | IGMP version of the host sending a join message. | detail
    Uptime | Amount of time a multicast group has been active on the interface. | detail
    timeout | Time (in seconds) left until the entry for the multicast group is removed. | All
    Last reporter | The last host to report membership for the multicast group. | detail
    Include source | Source addresses from which multicast streams are allowed, based on IGMPv3 reports. | detail

Sample Output

show igmp-snooping membership
    user@switch> show igmp-snooping membership
    VLAN: v1
        224.1.1.1            *            258 secs
            Interfaces: ge-0/0/0.0
        224.1.1.3            *            258 secs
            Interfaces: ge-0/0/0.0
        224.1.1.5            *            258 secs
            Interfaces: ge-0/0/0.0
        224.1.1.7            *            258 secs
            Interfaces: ge-0/0/0.0
        224.1.1.9            *            258 secs
            Interfaces: ge-0/0/0.0
        224.1.1.11           *            258 secs
            Interfaces: ge-0/0/0.0

show igmp-snooping membership detail
    user@switch> show igmp-snooping membership detail
    VLAN: v43 Tag: 43 (Index: 4)
        Group: 225.0.0.2
            Receiver count: 1, Flags: <V3-hosts>
            ge-0/0/15.0 Uptime: 00:00:11 timeout: 248 Last reporter: 10.2.10.16
                Include source: 1.2.1.1, 1.3.1.1
    VLAN: v44 Tag: 44 (Index: 5)
        Group: 225.0.0.1
            Receiver count: 1, Flags: <V2-hosts>
            ge-0/0/21.0 Uptime: 00:00:02 timeout: 257
    VLAN: v110 Tag: 110 (Index: 4)
        Router interfaces:
            ge-0/0/3.0 static Uptime: 00:08:45
            ge-0/0/2.0 static Uptime: 00:08:45
            ge-0/0/4.0 dynamic Uptime: 00:16:41 timeout: 254
        Group: 225.0.0.3
            Receiver count: 1, Flags: <V2-hosts>
            ge-0/0/5.0 Uptime: 00:00:19 timeout: 259
        Group: 225.1.1.1
            Receiver count: 1, Flags: <V2-hosts>
            ge-0/0/5.0 Uptime: 00:22:43 timeout: 96
        Group: 225.2.2.2
            Receiver count: 1, Flags: <V2-hosts Static>
            ge-0/0/5.0 Uptime: 00:23:13

show igmp-snooping route

Syntax
    show igmp-snooping route
        <brief | detail>
        <ethernet-switching <brief | detail | vlan (vlan-id | vlan-name)>>
        <inet <brief | detail | vlan (vlan-id | vlan-name)>>
        <vlan (vlan-id | vlan-name)>

Release Information
    Command introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Display IGMP snooping route information.

Options
    none: Display general parameters.
    brief | detail: (Optional) Display the specified level of output.
    ethernet-switching: (Optional) Display Ethernet switching information.
    inet: (Optional) Display inet information.
    vlan (vlan-id | vlan-name): (Optional) Display route information for the specified VLAN.

Required Privilege Level
    view

Related Topics
    show igmp-snooping statistics
    show igmp-snooping vlans

List of Sample Output
    show igmp-snooping route on page 857
    show igmp-snooping route vlan v1 on page 858

Output Fields
    Table 114 lists the output fields for the show igmp-snooping route command. Output fields are listed in the approximate order in which they appear.

Table 114: show igmp-snooping route Output Fields

    Field Name | Field Description
    Table | (For internal use only. Value is always 0.)
    VLAN | Name of the VLAN.
    Group | Multicast group address.
    Next-hop | ID associated with the next-hop device.

Sample Output

show igmp-snooping route
    user@switch> show igmp-snooping route
    VLAN        Group              Next-hop
    V11         224.1.1.1, *       533
                Interfaces: ge-0/0/13.0, ge-0/0/1.0
    v12         224.1.1.3, *       534
                Interfaces: ge-0/0/13.0, ge-0/0/0.0

show igmp-snooping route vlan v1
    user@switch> show igmp-snooping route vlan v1
    Table: 0
    VLAN        Group              Next-hop
    v1          224.1.1.1, *       1266
                Interfaces: ge-0/0/0.0
    v1          224.1.1.3, *       1266
                Interfaces: ge-0/0/0.0
    v1          224.1.1.5, *       1266
                Interfaces: ge-0/0/0.0
    v1          224.1.1.7, *       1266
                Interfaces: ge-0/0/0.0
    v1          224.1.1.9, *       1266
                Interfaces: ge-0/0/0.0
    v1          224.1.1.11, *      1266
                Interfaces: ge-0/0/0.0

show igmp-snooping statistics

Syntax
    show igmp-snooping statistics

Release Information
    Command introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Display IGMP snooping statistics.

Required Privilege Level
    view

Related Topics
    show igmp-snooping route
    show igmp-snooping vlans

List of Sample Output
    show igmp-snooping statistics on page 859

Output Fields
    Table 115 lists the output fields for the show igmp-snooping statistics command. Output fields are listed in the approximate order in which they appear.

Table 115: show igmp-snooping statistics Output Fields

    Field Name | Field Description
    Bad length | IGMP packet has an illegal or bad length.
    Bad checksum | IGMP or IP checksum is incorrect.
    Invalid interface | Packet was received through an invalid interface.
    Receive unknown | Unknown IGMP type.
    Timed out | Number of timeouts for all multicast groups.
    IGMP Type | Type of IGMP message (Query, Report, Leave, or Other).
    Received | Number of IGMP packets received.
    Transmitted | Number of IGMP packets transmitted.
    Recv Errors | Number of general receive errors.

Sample Output

show igmp-snooping statistics
    user@switch> show igmp-snooping statistics
    Bad length: 0 Bad checksum: 0 Invalid interface: 0
    Not local: 0 Receive unknown: 0 Timed out: 58
    IGMP Type        Received    Transmitted    Recv Errors
    Queries:            74295              0              0
    Reports:         18148423              0       16333523
    Leaves:                 0              0              0
    Other:                  0              0              0

show igmp-snooping vlans

Syntax
    show igmp-snooping vlans
        <brief | detail>
        <vlan (vlan-id | vlan-name)>

Release Information
    Command introduced in JUNOS Release 9.1 for EX Series switches.

Description
    Display IGMP snooping VLAN information.

Options
    none: Display general parameters.
    brief | detail: (Optional) Display the specified level of output.
    vlan (vlan-id | vlan-name): (Optional) Display VLAN information for the specified VLAN.

Required Privilege Level
    view

Related Topics
    show igmp-snooping route
    show igmp-snooping statistics

List of Sample Output
    show igmp-snooping vlans on page 861
    show igmp-snooping vlans vlan v10 on page 861
    show igmp-snooping vlans vlan v10 detail on page 861

Output Fields
    Table 116 lists the output fields for the show igmp-snooping vlans command. Output fields are listed in the approximate order in which they appear.

Table 116: show igmp-snooping vlans Output Fields

    Field Name | Field Description | Level of Output
    VLAN | Name of the VLAN. | All levels
    Interfaces | Number of interfaces in the VLAN. | All levels
    Groups | Number of groups in the VLAN. | All levels
    MRouters | Number of multicast routers associated with the VLAN. | All levels
    Receivers | Number of host receivers in the VLAN. | All levels
    Tag | Numerical identifier of the VLAN. | Detail
    vlan-interface | Internal VLAN interface identifier. | Detail
    Membership timeout | Membership timeout value. | Detail
    Querier timeout | Timeout value for interfaces dynamically marked as router interfaces (interfaces that receive queries). When the querier timeout is reached, the switch marks the interface as a host interface. | Detail
    Interface | Name of the interface. | Detail
    Reporters | Number of dynamic groups on an interface. | Detail

Sample Output

show igmp-snooping vlans
    user@switch> show igmp-snooping vlans
    VLAN        Interfaces  Groups  MRouters  Receivers
    default     0           0       0         0
    v1          11          50      0         0
    v10         1           0       0         0
    v11         1           0       0         0
    v180        3           0       1         0
    v181        3           0       0         0
    v182        3           0       0         0

show igmp-snooping vlans vlan v10
    user@switch> show igmp-snooping vlans vlan v10
    VLAN        Interfaces  Groups  MRouters  Receivers
    v10         1           0       0         0

show igmp-snooping vlans vlan v10 detail
    user@switch> show igmp-snooping vlans vlan v10 detail
    VLAN: v10, Tag: 10, vlan-interface: vlan.10
    Membership timeout: 260, Querier timeout: 255
    Interface: ge-0/0/10.0, tagged, Groups: 0, Reporters: 0

Part 11: Access Control

802.1X and MAC RADIUS Authentication Overview on page 865
Examples of Configuring Access Control on page 883
Configuring Access Control on page 941
Verifying 802.1X and MAC RADIUS Authentication on page 963
Configuration Statements for Access Control on page 967
Operational Commands for 802.1X on page 1031

Chapter 49: 802.1X and MAC RADIUS Authentication Overview

802.1X for EX Series Switches Overview on page 865
Understanding 802.1X Authentication on EX Series Switches on page 867
Understanding MAC RADIUS Authentication on EX Series Switches on page 872
Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873
Understanding Dynamic VLANs for 802.1X on EX Series Switches on page 874
Understanding Guest VLANs for 802.1X on EX Series Switches on page 875
Understanding 802.1X and RADIUS Accounting on EX Series Switches on page 876
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877
Understanding Static MAC Bypass of Authentication on EX Series Switches on page 879
Understanding 802.1X and VoIP on EX Series Switches on page 879
Understanding 802.1X and VSAs on EX Series Switches on page 882

802.1X for EX Series Switches Overview

IEEE 802.1X provides network edge security, protecting Ethernet LANs from unauthorized user access.

How 802.1X Authentication Works

802.1X works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (client) at the port until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking traffic and opens the port to it. The supplicant is authenticated in one of three modes, single, single-secure, or multiple:

single: Authenticates only the first supplicant. All other supplicants that connect to the port later are allowed full access without any further authentication; they effectively piggyback on the first supplicant's authentication.

single-secure: Allows only one supplicant to connect to the port. No other supplicant is allowed to connect until the first supplicant logs out.

multiple: Allows multiple supplicants to connect to the port. Each supplicant is authenticated individually.

Network access can be further defined using VLANs and firewall filters, which both act as filters to separate and match groups of supplicants to the areas of the LAN they require.
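The three supplicant modes side by side, as an added configuration example that is not taken from this overview (the dot1x and access statements it uses belong to the access-control configuration chapters of this guide listed under Part 11; the profile name, interface names, RADIUS server address and shared secret are placeholders). The single-mode port is the one to watch: any device plugged in behind the first authenticated host inherits that host's access without presenting credentials.

```junos
access {
    radius-server {
        /* Placeholder RADIUS server; Junos stores the shared secret encrypted on commit. */
        10.0.0.5 {
            secret "replace-with-shared-secret";
        }
    }
    profile dot1x-profile {
        authentication-order radius;
        radius {
            authentication-server 10.0.0.5;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            interface {
                /* Weak setting: only the first supplicant is authenticated. A hub or an
                   unmanaged switch on this port lets every later host piggyback. */
                ge-0/0/1.0 {
                    supplicant single;
                }
                /* One host per port and nobody else until it logs out: the setting for a
                   single-user desk port. */
                ge-0/0/2.0 {
                    supplicant single-secure;
                }
                /* Several hosts behind one port, each authenticated on its own: the setting
                   where a small switch fans out to more than one host. */
                ge-0/0/3.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
```

Single mode is not always avoidable: the VoIP feature described below requires it (not single-secure) when a phone that is not 802.1X-enabled has an authenticated device behind its data port. Where it must be used, pair it with the port security features this chapter names, MAC limiting in particular, so the number of hosts riding the first authentication is bounded. The current mode and state of each port are shown by the show dot1x interface command documented in the Operational Commands for 802.1X chapter.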

802.1X Features Overview

802.1X features on Juniper Networks EX Series Ethernet Switches are:

Guest VLAN: Provides limited access to a LAN, typically just to the Internet, for supplicants that fail 802.1X authentication.

Dynamic VLAN: Enables a supplicant, after authentication, to be a member of a VLAN dynamically.

Private VLAN: Enables configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs).

Dynamic changes to a user session: Allows the switch administrator to terminate an already authenticated session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576.

Support for VoIP: Supports IP telephones. If the phone is 802.1X-enabled, it is authenticated like any other supplicant. If the phone is not 802.1X-enabled but has another 802.1X-compatible device connected to its data port, that device is authenticated, and then VoIP traffic can flow to and from the phone (provided that the interface is configured in single mode and not in single-secure mode).

RADIUS accounting: Sends accounting information to the RADIUS accounting server. Accounting information is sent to the server whenever a subscriber logs in or logs out and whenever a subscriber activates or deactivates a subscription.

Vendor-Specific Attributes (VSAs): Supports the Juniper-Switching-Filter attribute on the RADIUS authentication server, which can be used to further define a supplicant's access during the 802.1X authentication process. Centrally configuring VSAs on the authentication server does away with the need to configure these same attributes in the form of firewall filters on every switch in the LAN to which the supplicant may connect. This feature is based on RLI 4583, AAA RADIUS BRAS VSA Support.
Supported Features Related to 802.1X Authentication

802.1X does not replace other security technologies. 802.1X works together with port security features, such as DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting, to guard against spoofing.

Supported features related to authentication include:

Static MAC bypass: Provides a bypass mechanism to authenticate devices that are not 802.1X-enabled (such as printers). Static MAC bypass connects these devices to 802.1X-enabled ports, bypassing 802.1X authentication. See Understanding Static MAC Bypass of Authentication on EX Series Switches on page 879.

MAC RADIUS authentication: Provides a means to enable or disable MAC authentication independently of whether 802.1X authentication is enabled. See Understanding MAC RADIUS Authentication on EX Series Switches on page 872.

Related Topics
    Understanding 802.1X Authentication on EX Series Switches on page 867
    Understanding 802.1X and VoIP on EX Series Switches on page 879
    Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877
    Understanding 802.1X and RADIUS Accounting on EX Series Switches on page 876
    Understanding Guest VLANs for 802.1X on EX Series Switches on page 875
    Understanding 802.1X and VSAs on EX Series Switches on page 882
    Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873

Understanding 802.1X Authentication on EX Series Switches

Juniper Networks EX Series Ethernet Switches use 802.1X authentication to implement access control in an enterprise network. Supplicants (hosts) are authenticated when they first connect to your LAN. Because supplicants are authenticated before they receive an IP address from a DHCP server, unauthorized supplicants are prevented from gaining access to your LAN.
The 802.1X standard is based on EAP (Extensible Authentication Protocol), a universal authentication framework. EAP is not an authentication mechanism by itself. Instead, EAP provides some common functions and a negotiation method to determine the authentication mechanism (EAP method) used between the supplicant and the authentication server. EAP methods include IETF standards and proprietary standards. EAP methods supported on EX Series switches are:

EAP-MD5

EAP-TLS

EAP-TTLS

EAP-PEAP

A LAN configured for 802.1X authentication contains three basic components:

Supplicant: The IEEE term for a host that requests to join the network. The host can be responsive or nonresponsive. A responsive host is one on which 802.1X is enabled and that provides authentication credentials; specifically, a username and password for EAP-MD5, or a username and client certificates for EAP-TLS, EAP-TTLS, and EAP-PEAP. A nonresponsive host is one on which 802.1X is not enabled but that can be authenticated using a MAC-based authentication method.


Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Authenticator Port Access Entity: The IEEE term for the authenticator. The EX Series switch is the authenticator, and it controls access by blocking all traffic to and from supplicants until they are authenticated.

Authentication server: The authentication server contains the backend database that makes authentication decisions. It contains credential information for each supplicant that can connect to the network. The authenticator forwards credentials supplied by the supplicant to the authentication server. If the credentials forwarded by the authenticator match the credentials in the authentication server database, access is granted. If the credentials forwarded do not match, access is denied. The EX Series switches support RADIUS authentication servers.

Figure 43 on page 869 illustrates the basic deployment topology for 802.1X on an EX
Series switch:


Figure 43: Example 802.1X Topology


The communication protocol between the supplicant and the EX Series switch is
Extensible Authentication Protocol Over LAN (EAPOL). EAPOL is a version of EAP
designed to work with Ethernet networks. The communication protocol between the
authentication server and the switch is RADIUS.
The authentication process requires multiple message exchanges between the
supplicant and the authentication server. The switch that is between the supplicant
and the authentication server is the authenticator. It acts as an intermediary,
converting EAPOL messages to RADIUS messages and vice versa.
Figure 44 on page 871 illustrates the authentication process:


Figure 44: Authentication Process

The basic authentication process works like this:


1. Authentication is initiated by the client or the switch. The client initiates authentication by sending an EAPOL-start message, or the switch initiates authentication when it receives the first data packet from the client.

NOTE: You can configure the maximum number of times an EAPOL request packet is retransmitted and how long the port waits before retransmitting to the supplicant. For information, see Configuring 802.1X Interface Settings (CLI Procedure) on page 943.

2. If the MAC address is in the static MAC bypass list, the switch accepts the client without querying the RADIUS server.

3. When the switch port (authenticator) detects a new supplicant connecting to the LAN, the port on the authenticator is enabled and set to the initialized state. In this state, only 802.1X traffic is allowed. Other traffic, such as DHCP and HTTP, is blocked at the data link layer.

4. The authenticator sends a RADIUS access request message to the RADIUS server to allow the supplicant access to the LAN.

5. The authentication server accepts or rejects the access request. If it accepts the request, the authentication server sends a RADIUS access challenge. If the challenge is met by the supplicant, the authenticator sets the port to the authorized state, and normal traffic is then allowed to pass through the port. If the authentication server rejects the RADIUS access request, the authenticator sets the port to the unauthorized state, blocking all traffic.

6. When the supplicant disconnects from the network, the supplicant sends an EAP-logoff message to the authenticator. The authenticator then sets the port to the unauthorized state, once again blocking all non-EAP traffic.

The 802.1X authentication feature on an EX Series switch is based upon the IEEE
802.1D standard Port-Based Network Access Control.
Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Understanding MAC RADIUS Authentication on EX Series Switches


You can configure MAC RADIUS authentication on interfaces of a Juniper Networks
EX Series Ethernet Switch to which hosts that are not 802.1X-enabled are connected.
You can configure both MAC RADIUS authentication and 802.1X authentication on
the same interface, or you can configure either authentication method alone. You
can also configure a static MAC bypass list on the switch to specify MAC addresses
allowed on the switch without authentication (see Configuring Static MAC Bypass
of Authentication (CLI Procedure) on page 947).
If 802.1X and MAC RADIUS authentication are both enabled on an interface, the switch first sends an EAPOL request to the connecting host to attempt 802.1X authentication. If the host is an 802.1X-enabled device, it responds and the switch relays a request for authentication to the RADIUS server. If the switch has sent three requests to the client and has received no response, the switch sends a request to the RADIUS server for authentication of the MAC address of the host. (The number of times the switch tries to get an EAPOL response can be configured, as can the timeout period between attempts.)
If MAC RADIUS is enabled on an interface and 802.1X is not enabled (by using the
mac-radius restrict option), there is no delay while the switch attempts to authenticate
the host through 802.1X. Instead, the switch immediately sends a request to the
RADIUS server for authentication of the MAC address of the host. If the MAC address
of a host is configured as permitted on the RADIUS server, the switch opens LAN
access to the host on the switch interface to which it is connected.
Use the mac-radius restrict configuration if you know that only non-802.1X-enabled hosts will connect to an interface and you want to eliminate the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface. When you configure mac-radius restrict on an interface to eliminate this delay, the switch drops all 802.1X packets. See Configuring MAC RADIUS Authentication (CLI Procedure) on page 948.
Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 902

Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches

Server fail fallback allows you to specify how 802.1X supplicants (hosts) connected
to the switch are supported if the RADIUS authentication server becomes unavailable
or sends an Extensible Authentication Protocol Over LAN (EAPOL) Access-Reject
message.
Juniper Networks EX Series Ethernet Switches use 802.1X authentication to implement
access control in an enterprise network. Supplicants are evaluated at the initial
connection to your LAN by an authentication server. If the supplicant is configured
on the authentication server, the supplicant is granted access to the LAN and the EX
Series switch opens the interface to the supplicant to permit access.
A RADIUS server timeout occurs if no RADIUS authentication servers are reachable
when a supplicant logs in and attempts to access the LAN. Server fail fallback allows
you to specify one of four actions to be taken towards supplicants awaiting
authentication when the server is timed out:

Permit authentication, allowing traffic to flow from the supplicant through the
interface as if the supplicant were successfully authenticated by the RADIUS
server.

Deny authentication, preventing traffic from flowing from the supplicant through
the interface. This is the default.


Move the supplicant to a specified VLAN. (The VLAN must already exist on the
switch.)

Sustain authenticated supplicants that already have LAN access and deny
unauthenticated supplicants. If the RADIUS servers time out during
reauthentication, previously authenticated supplicants are reauthenticated and
new users are denied LAN access.

Server fail fallback is triggered most often during reauthentication, when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a supplicant's first attempt at authentication through the RADIUS server.
Server fail fallback also allows you to specify that a supplicant be moved to a specified VLAN if the switch receives an EAPOL Access-Reject message. The configured VLAN name overrides any attributes sent by the server.
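The port decision flow described in the 802.1X authentication, MAC RADIUS, and server fail fallback sections above, simulated in Python as an added example (this is not JUNOS code). The RADIUS server is a constructed stub, and the option names (server_fail, guest_vlan, mac_radius_restrict and so on) only mirror the behaviours the text names; they are not JUNOS configuration syntax.

```python
"""Simulation of one EX Series access port deciding whether to open for a
connecting host, in the order the text gives: static MAC bypass first, then
802.1X over EAPOL (bounded by max_eapol_requests, skipped under mac-radius
restrict), then MAC RADIUS, then server fail fallback when no server answers.
Added example with a constructed RADIUS stub; option names are illustrative."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PortConfig:
    dot1x: bool = True                 # 802.1X authentication on the interface
    mac_radius: bool = False           # MAC RADIUS authentication enabled
    mac_radius_restrict: bool = False  # drop EAPOL, authenticate the MAC only
    max_eapol_requests: int = 3        # EAPOL requests before giving up on 802.1X
    static_mac_bypass: set = field(default_factory=set)
    server_fail: str = "deny"          # deny | permit | use-vlan | sustain
    server_fail_vlan: Optional[str] = None
    guest_vlan: Optional[str] = None

@dataclass
class RadiusStub:
    """Constructed stand-in for the authentication server.
    A result of None means no server answered (timeout)."""
    reachable: bool = True
    users: dict = field(default_factory=dict)       # username -> password
    permitted_macs: set = field(default_factory=set)
    vlan_for: dict = field(default_factory=dict)    # username or MAC -> VLAN name

    def auth_user(self, user, password):
        if not self.reachable:
            return None, None
        ok = self.users.get(user) == password
        return ok, (self.vlan_for.get(user) if ok else None)

    def auth_mac(self, mac):
        if not self.reachable:
            return None, None
        ok = mac in self.permitted_macs
        return ok, (self.vlan_for.get(mac) if ok else None)

@dataclass
class Host:
    mac: str
    responds_to_eapol: bool = False           # has supplicant software
    username: Optional[str] = None
    password: Optional[str] = None
    previously_authenticated: bool = False    # relevant to the 'sustain' action

def decide(cfg, srv, host):
    """Return (port_state, vlan, reason, eapol_requests_sent) for one host."""
    mac = host.mac.lower()
    # 1. Static MAC bypass: accepted without any RADIUS query.
    if mac in {m.lower() for m in cfg.static_mac_bypass}:
        return "authorized", None, "static-mac-bypass", 0
    if not cfg.dot1x and not cfg.mac_radius:
        return "unauthorized", None, "no-authentication-method", 0
    restrict = cfg.mac_radius and cfg.mac_radius_restrict
    result, vlan, eapol_sent = None, None, 0
    # 2. 802.1X: EAPOL requests go out first unless mac-radius restrict is set.
    if cfg.dot1x and not restrict:
        if host.responds_to_eapol:
            eapol_sent = 1
            result, vlan = srv.auth_user(host.username, host.password)
        else:
            eapol_sent = cfg.max_eapol_requests   # silent host: every request times out
    # 3. MAC RADIUS: only when 802.1X was skipped or got no EAPOL answer at all.
    if result is None and cfg.mac_radius and (
            restrict or not cfg.dot1x or not host.responds_to_eapol):
        result, vlan = srv.auth_mac(mac)
    # 4. Server fail fallback: no RADIUS server reachable for this supplicant.
    if result is None and not srv.reachable:
        if cfg.server_fail == "permit":
            return "authorized", None, "server-fail-permit", eapol_sent
        if cfg.server_fail == "use-vlan":
            return "authorized", cfg.server_fail_vlan, "server-fail-vlan", eapol_sent
        if cfg.server_fail == "sustain" and host.previously_authenticated:
            return "authorized", None, "server-fail-sustain", eapol_sent
        return "unauthorized", None, "server-fail-deny", eapol_sent
    if result:
        return "authorized", vlan, "radius-accept", eapol_sent
    # Access-Reject, or a host that never answered EAPOL: guest VLAN if configured.
    if cfg.guest_vlan:
        return "authorized", cfg.guest_vlan, "guest-vlan", eapol_sent
    return "unauthorized", None, "authentication-failed", eapol_sent
```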
Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch on page 888

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Understanding Dynamic VLANs for 802.1X on EX Series Switches


Dynamic VLANs, in conjunction with the 802.1X authentication process, provide
secure access to the LAN for supplicants belonging to different VLANs on a single
port.
When this feature is configured, a supplicant becomes a member of a VLAN
dynamically after 802.1X authentication is successful. Successful authentication
requires that the VLAN ID or VLAN name exist on the switch and match the VLAN
ID or VLAN name sent by the RADIUS server during authentication.
If the VLAN does not exist, the supplicant is unauthenticated. If a guest VLAN is
established, the unauthenticated supplicant is automatically moved to the guest
VLAN.
Related Topics

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 893

Understanding Guest VLANs for 802.1X on EX Series Switches on page 875

Understanding Guest VLANs for 802.1X on EX Series Switches


Guest VLANs, in conjunction with 802.1X authentication, provide secure access to
the LAN for corporate guests and for supplicants who fail the 802.1X authentication
process.
When a corporate visitor attempts to authenticate on the LAN, and authentication
fails, the visitor is moved to a guest VLAN. A guest VLAN typically provides access
only to the Internet.
A guest VLAN can also provide limited access to the LAN in cases when authentication
fails for supplicants that are not visitors. When authentication fails, the switch receives an Access-Reject message for the client and checks whether a guest VLAN is configured on that port. If so, it moves that user alone to the guest VLAN. If the Access-Reject message contains optional VLAN information, the user is moved to the VLAN specified by the RADIUS server and not to the locally configured guest VLAN.
Authentication can fail for many reasons:

The host device does not have supplicant software on it (for example, the host is not 802.1X-enabled, such as a printer).

The supplicant provided invalid credentials: a username or password that was not authenticated by the authentication server.

For hosts that are not 802.1X-enabled, the guest VLAN could allow limited access to
a server from which the non-802.1X-enabled host can download the supplicant
software and attempt authentication again.
Related Topics

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access


to Corporate Visitors on an EX Series Switch on page 893

Understanding Dynamic VLANs for 802.1X on EX Series Switches on page 874


Understanding 802.1X and RADIUS Accounting on EX Series Switches


Juniper Networks EX Series Ethernet Switches support IETF RFC 2866, RADIUS
Accounting. Configuring RADIUS accounting on an EX Series switch permits statistical
data about users logging onto or off a LAN to be collected and sent to a RADIUS
accounting server. The statistical data gathered can be used for general network
monitoring, to analyze and track usage patterns, or to bill a user based upon the
amount of time or type of services accessed.
To configure RADIUS accounting, specify one or more RADIUS accounting servers
to receive the statistical data from the switch, and select the type of accounting data
to be collected.
The RADIUS accounting server you specify can be the same server used for RADIUS
authentication, or it can be a separate RADIUS server. You can specify a list of RADIUS
accounting servers. In the event that the primary server (the first one configured) is
unavailable, each RADIUS server in the list is tried in the order in which they are
configured in the JUNOS Software.
The RADIUS accounting process between a switch and a RADIUS server works like
this:
1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For example, on FreeRADIUS, the default port is 1813.

2. The switch forwards an accounting-request packet containing an event record to the accounting server. For example, a supplicant is authenticated through 802.1X authentication and connected to the LAN. The event record associated with this supplicant contains an Acct-Status-Type attribute whose value indicates the beginning of user service for this supplicant. When the supplicant's session ends, the accounting request contains an Acct-Status-Type attribute value indicating the end of user service. The RADIUS accounting server records this as a stop-accounting record containing session information and the length of the session.

3. The RADIUS accounting server logs these events as start-accounting or stop-accounting records. The records are in a file. On FreeRADIUS, the file name is the server's address; for example, 122.69.1.250.

4. The accounting server sends an accounting-response packet back to the switch confirming that it has received the accounting request.

5. If the switch does not receive a response from the server, it continues to send accounting requests until an accounting response is returned from the accounting server.

The statistics collected through this process can be displayed from the RADIUS server;
to see those statistics, the user accesses the log file configured to receive them.
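The RFC 2866 exchange in the five steps above, carried through in Python as an added example (not JUNOS or FreeRADIUS code). The switch side builds Accounting-Request packets whose Acct-Status-Type marks the start or end of a supplicant's service and retries until it gets a valid Accounting-Response; the server side checks the Request Authenticator against the shared secret, keeps start/stop records per session, and acknowledges. The shared secret, NAS address, MAC and session values are constructed samples.

```python
"""RFC 2866 accounting: Start/Stop records from an authenticator to an
accounting server, with both authenticators computed over the shared secret.
Added example; all addresses, secrets and session values are constructed."""
import hashlib
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
STATUS_START, STATUS_STOP = 1, 2

def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value (integer, text or raw)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_request(ident, secret, attrs):
    """Accounting-Request; Request Authenticator per RFC 2866 is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def parse_attrs(body):
    out = []
    while body:
        atype, alen = body[0], body[1]
        if alen < 2 or alen > len(body):
            raise ValueError("malformed attribute")
        out.append((atype, body[2:alen]))
        body = body[alen:]
    return out

def response_valid(request, response, secret):
    """Switch side: Response Authenticator is MD5(Code + ID + Length +
    RequestAuthenticator + response Attributes + Secret)."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

class AccountingServer:
    """Minimal accounting server: verify the request, record it, acknowledge it."""
    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}   # Acct-Session-Id -> record, like one line of a detail file

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCT_REQUEST or length != len(packet) or length < 20:
            return None
        req_auth, body = packet[4:20], packet[20:length]
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if expected != req_auth:
            return None      # wrong shared secret or altered packet: silently dropped
        attrs = dict(parse_attrs(body))
        if ACCT_STATUS_TYPE not in attrs or ACCT_SESSION_ID not in attrs:
            return None      # nothing can be recorded without these two
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        sid = attrs[ACCT_SESSION_ID].decode()
        rec = self.sessions.setdefault(sid, {"user": attrs.get(USER_NAME, b"").decode()})
        if status == STATUS_START:
            rec["start"] = True
        elif status == STATUS_STOP:
            rec["stop"] = True
            rec["seconds"] = struct.unpack("!I", attrs[ACCT_SESSION_TIME])[0]
        header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
        return header + hashlib.md5(header + req_auth + self.secret).digest()

def switch_session(server, secret, user, mac, session_id, seconds):
    """Send Start then Stop for one supplicant, resending each request until a
    valid Accounting-Response arrives (bounded to three tries per request here).
    Returns how many of the two requests were acknowledged."""
    common = [attr(USER_NAME, user), attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
              attr(CALLING_STATION_ID, mac), attr(ACCT_SESSION_ID, session_id)]
    acked = 0
    for ident, extra in ((1, [attr(ACCT_STATUS_TYPE, STATUS_START)]),
                         (2, [attr(ACCT_STATUS_TYPE, STATUS_STOP),
                              attr(ACCT_SESSION_TIME, seconds)])):
        pkt = build_acct_request(ident, secret, common + extra)
        for _attempt in range(3):
            resp = server.handle(pkt)
            if resp is not None and response_valid(pkt, resp, secret):
                acked += 1
                break
    return acked
```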
Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

802.1X for EX Series Switches Overview on page 865

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches


Juniper Networks EX Series Ethernet Switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on network links. The information allows the switch to quickly identify a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in Type Length Value (TLV) messages to
neighbor devices. Device information can include specifics, such as chassis and port
identification and system name and system capabilities. The TLVs leverage this
information from parameters that have already been configured in the Juniper
Networks JUNOS Software.
LLDP-MED goes one step further, exchanging IP-telephony messages between the
switch and the IP telephone. These TLV messages provide detailed information on
PoE policy. The PoE Management TLVs let the switch ports advertise the power level
and power priority needed. For example, the switch can compare the power needed
by an IP telephone running on a PoE interface with available resources. If the switch
cannot meet the resources required by the IP telephone, the switch could negotiate
with the telephone until a compromise on power is reached.
The switch also uses these protocols to ensure that voice traffic gets tagged and
prioritized with the correct values at the source itself. For example, 802.1p CoS and
802.1Q tag information can be sent to the IP telephone.
EX Series switches support the following basic TLVs:

Chassis Identifier: The MAC address associated with the local system.

Port Identifier: The port identification for the specified port in the local system.

Port Description: The user-configured port description. The port description can be a maximum of 256 characters.

System Name: The user-configured name of the local system. The system name can be a maximum of 256 characters.

System Description: The system description containing information about the software and current image running on the system. This information is not configurable, but taken from the software.

System Capabilities: The primary function performed by the system and the capabilities that the system supports; for example, bridge or router. This information is not configurable, but based on the model of the product.

Management Address: The IP management address of the local system.

EX Series switches support the following 802.3 TLVs:

Power via MDI: A TLV that advertises MDI power support, PSE power pair, and power class information.

MAC/PHY Configuration Status: A TLV that advertises information about the physical interface, such as autonegotiation status and support and MAU type. The information is not configurable, but based on the physical interface structure.

Link Aggregation: A TLV that advertises whether the port is aggregated and its aggregated port ID.

Maximum Frame Size: A TLV that advertises the Maximum Transmission Unit (MTU) of the interface sending LLDP frames.

Port VLAN: A TLV that advertises the VLAN name configured on the interface.

EX Series switches support the following LLDP-MED TLVs:

LLDP-MED Capabilities: A TLV that advertises the primary function of the port. The capabilities values range from 0 through 15:

0 Capabilities

1 Network Policy

2 Location Identification

3 Extended Power via MDI-PSE

4 Inventory

5-15 Reserved

LLDP-MED Device Class Values:

0 Class not defined

1 Class 1 Device

2 Class 2 Device

3 Class 3 Device

4 Network Connectivity Device

5-255 Reserved

Network Policy: A TLV that advertises the port VLAN configuration and associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points.

Endpoint Location: A TLV that advertises the physical location of the endpoint.

Extended Power via MDI: A TLV that advertises the power type, power source, power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.
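An LLDP TLV encoder and decoder in Python, added here as an example rather than JUNOS code. It builds the basic TLVs listed above (chassis ID, port ID, TTL, port description, system name) for a constructed switch port, appends an LLDP-MED Capabilities TLV, and parses the LLDPDU back, naming the capability bits and device class with the value tables above. The 7-bit type / 9-bit length TLV header, the LLDP-MED OUI 00-12-BB and capabilities subtype 1 come from the LLDP and LLDP-MED standards; the port values are constructed.

```python
"""LLDP/LLDP-MED TLV encoding and decoding. Bit names for the LLDP-MED
Capabilities TLV follow the table above. Added example with constructed values."""
import struct

END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, ORG = 0, 1, 2, 3, 4, 5, 127
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5
LLDP_MED_OUI = bytes.fromhex("0012bb")   # TIA OUI used by LLDP-MED
MED_CAPABILITIES_SUBTYPE = 1
MED_CAP_BITS = {0: "Capabilities", 1: "Network Policy", 2: "Location Identification",
                3: "Extended Power via MDI-PSE", 4: "Inventory"}
MED_DEVICE_CLASS = {0: "Class not defined", 1: "Class 1 Device", 2: "Class 2 Device",
                    3: "Class 3 Device", 4: "Network Connectivity Device"}

def tlv(tlv_type, value):
    """TLV header: 7-bit type in the high bits, 9-bit length in the low bits."""
    if len(value) > 511:
        raise ValueError("TLV value exceeds the 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def med_capabilities(bits, device_class):
    """Organizationally specific TLV: OUI + subtype + 16-bit bitmap + device class."""
    bitmap = 0
    for b in bits:
        bitmap |= 1 << b
    info = LLDP_MED_OUI + bytes([MED_CAPABILITIES_SUBTYPE]) + struct.pack("!HB", bitmap, device_class)
    return tlv(ORG, info)

def build_lldpdu(chassis_mac, port_name, port_desc, sys_name, ttl=120,
                 med_bits=(0, 1, 3), device_class=4):
    mac = bytes.fromhex(chassis_mac.replace(":", ""))
    return b"".join([
        tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + mac),
        tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode()),
        tlv(TTL, struct.pack("!H", ttl)),
        tlv(PORT_DESC, port_desc.encode()),
        tlv(SYS_NAME, sys_name.encode()),
        med_capabilities(med_bits, device_class),
        tlv(END, b""),
    ])

def parse_lldpdu(data):
    """Decode the TLVs above into a dict; stops at End of LLDPDU, rejects truncation."""
    out, i = {}, 0
    while i + 2 <= len(data):
        hdr = struct.unpack("!H", data[i:i + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        value = data[i + 2:i + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        i += 2 + tlen
        if ttype == END:
            break
        if ttype == CHASSIS_ID and value[0] == CHASSIS_SUBTYPE_MAC:
            out["chassis_id"] = ":".join(f"{b:02x}" for b in value[1:])
        elif ttype == PORT_ID and value[0] == PORT_SUBTYPE_IFNAME:
            out["port_id"] = value[1:].decode()
        elif ttype == TTL:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif ttype == PORT_DESC:
            out["port_desc"] = value.decode()
        elif ttype == SYS_NAME:
            out["sys_name"] = value.decode()
        elif ttype == ORG and value[:3] == LLDP_MED_OUI and value[3] == MED_CAPABILITIES_SUBTYPE:
            bitmap, dev = struct.unpack("!HB", value[4:7])
            out["med_capabilities"] = [MED_CAP_BITS.get(b, "Reserved")
                                       for b in range(16) if bitmap >> b & 1]
            out["med_device_class"] = MED_DEVICE_CLASS.get(dev, "Reserved")
    return out
```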
Related Topics

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Configuring LLDP-MED (CLI Procedure) on page 959

Configuring LLDP (CLI Procedure) on page 957

Understanding Static MAC Bypass of Authentication on EX Series Switches


You can allow hosts access to the LAN without authentication by including their MAC
addresses in the static MAC bypass list. (This list is also known as the exclusion list.)
You might choose to include a device in the static MAC bypass list to:

Allow non-802.1X-enabled devices access to the LAN.

Eliminate the delay that occurs while the switch determines that a connected
device is a non-802.1X-enabled host.

When you configure static MAC bypass on the switch, the MAC address of the host is first checked in a local database (a user-configured list of MAC addresses). If a match is found, the host is assumed to be successfully authenticated and the interface is opened up for it. No further authentication is done for that host. If a match is not found and 802.1X authentication is enabled on the switch, the switch attempts to authenticate the host through the RADIUS server.
For each MAC address, you can also configure the VLAN that the host is moved to
or the interfaces on which the host connects.
Related Topics

Configuring Static MAC Bypass of Authentication (CLI Procedure) on page 947

Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897

802.1X for EX Series Switches Overview on page 865

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Understanding 802.1X and VoIP on EX Series Switches


When you use Voice over IP (VoIP), you can connect IP telephones to the switch and
configure IEEE 802.1X authentication for 802.1X-compatible IP telephones. The
802.1X authentication provides network edge security, protecting Ethernet LANs
from unauthorized user access.
VoIP is a protocol used for the transmission of voice through packet-switched
networks. VoIP transmits voice calls using a network connection instead of an analog
phone line.
When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) provides the class-of-service (CoS) parameters to the phone.
You can configure 802.1X authentication to work with VoIP in multiple supplicant or single supplicant mode. In multiple-supplicant mode, the 802.1X process allows multiple supplicants to connect to the interface. Each supplicant is authenticated individually. For an example of a VoIP multiple supplicant topology, see Figure 45 on page 880.
Figure 45: VoIP Multiple Supplicant Topology

If an 802.1X-compatible IP telephone does not have an 802.1X host but has another 802.1X-compatible device connected to its data port, you can connect the phone to an interface in single-supplicant mode. In single-supplicant mode, the 802.1X process authenticates only the first supplicant. All other supplicants that connect later to the interface are allowed full access without any further authentication. They effectively piggyback on the first supplicant's authentication. For an example of a VoIP single supplicant topology, see Figure 46 on page 881.


Figure 46: VoIP Single Supplicant Topology

If an IP telephone does not support 802.1X, you can configure VoIP to bypass 802.1X and LLDP-MED and have the packets forwarded to a VoIP VLAN.
Related Topics

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 926

Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 932

Understanding 802.1X and VSAs on EX Series Switches


Juniper Networks EX Series Ethernet Switches support the configuration of RADIUS
server attributes specific to Juniper Networks. These attributes are known as
vendor-specific attributes (VSAs) and are described in RFC 2138, Remote Authentication
Dial In User Service (RADIUS). Through VSAs, you can configure port-filtering attributes
on the RADIUS server. VSAs are clear text fields sent from the RADIUS server to the
switch as a result of the 802.1X authentication success or failure. The 802.1X
authentication prevents unauthorized user access by blocking a supplicant at the
port until the supplicant is authenticated by the RADIUS server. The VSA attributes
are interpreted by the switch during authentication, and the switch takes appropriate
actions. Implementing port-filtering attributes with 802.1X authentication on the
RADIUS server provides a central location for controlling LAN access for supplicants.
These port-filtering attributes specific to Juniper Networks are encapsulated in a
RADIUS server VSA with the vendor ID set to the Juniper Networks ID number, 2636.
As well as configuring port-filtering attributes through VSAs, you can apply a port
firewall filter that has already been configured on the switch directly to the RADIUS
server. Like port-filtering attributes, the filter is applied during the 802.1X
authentication process, and its actions are applied at the switch port. Adding a port
firewall filter to a RADIUS server eliminates the need to add the filter to multiple
ports and switches. For more information, see Example: Applying a Firewall Filter
to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series
Switch on page 913.
VSAs are only supported for 802.1X single-supplicant configurations and
multiple-supplicant configurations.
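Encoding and decoding of the Juniper VSA carried in RADIUS attribute 26 (Vendor-Specific), in Python, as an added example rather than any vendor's code. The vendor ID 2636 is the Juniper Networks number given above; the vendor-type 48 for Juniper-Switching-Filter is assumed from the FreeRADIUS Juniper dictionary, and the filter text is a constructed placeholder, not parsed here. The decoder skips attributes and vendors it does not know, which is the safe handling for anything unexpected in an Access-Accept.

```python
"""Vendor-Specific attribute (type 26) with a Juniper (vendor 2636) sub-attribute.
Added example; vendor-type 48 is an assumption, filter text is a placeholder."""
import struct

VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 2636
JUNIPER_SWITCHING_FILTER = 48   # assumed vendor-type for Juniper-Switching-Filter

def encode_vsa(vendor_id, vendor_type, value):
    """Attribute 26: Type Length Vendor-Id(4) then Vendor-Type Vendor-Length Value."""
    if isinstance(value, str):
        value = value.encode()
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    payload = struct.pack("!I", vendor_id) + inner
    if len(payload) > 253:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload

def decode_vsas(attrs_blob):
    """Walk a RADIUS attribute list; return [(vendor_id, vendor_type, value)] for
    every well-formed Vendor-Specific attribute, skipping all other attributes."""
    out, i = [], 0
    while i + 2 <= len(attrs_blob):
        atype, alen = attrs_blob[i], attrs_blob[i + 1]
        if alen < 2 or i + alen > len(attrs_blob):
            raise ValueError("malformed attribute")
        val = attrs_blob[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(val) < 6:
            continue                       # not a VSA, or too short to hold one
        vendor_id = struct.unpack("!I", val[:4])[0]
        sub = val[4:]
        while len(sub) >= 2:               # a VSA may carry several sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            out.append((vendor_id, vtype, sub[2:vlen]))
            sub = sub[vlen:]
    return out

def juniper_switching_filters(attrs_blob):
    """Only Juniper Switching-Filter values; other vendors' VSAs are ignored, as a
    switch should ignore attributes it does not understand."""
    return [v.decode() for vid, vt, v in decode_vsas(attrs_blob)
            if vid == JUNIPER_VENDOR_ID and vt == JUNIPER_SWITCHING_FILTER]
```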
Related Topics

Understanding 802.1X Authentication on EX Series Switches on page 867

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953

Configuring Firewall Filters (CLI Procedure) on page 1301

VSA Match Conditions and Actions for EX Series Switches on page 960

Chapter 50

Examples of Configuring Access Control

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch on page 888

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 893

Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897

Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 902

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch on page 913

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 926

Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 932

Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on page 936

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch

802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use 802.1X to control network access. Only users and devices providing credentials that have been verified against a user database are allowed access to the network. You can use a RADIUS server as the user database for 802.1X authentication, as well as for MAC RADIUS authentication.
This example describes how to connect a RADIUS server to an EX Series switch and configure it for 802.1X:

Requirements on page 884

Overview and Topology on page 884

Configuration on page 886

Verification on page 887

Requirements

This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Configured users on the RADIUS authentication server.

Overview and Topology

The EX Series switch acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.
Figure 47 on page 885 shows one EX4200 switch that is connected to the devices listed in Table 117 on page 886.


Figure 47: Topology for Configuration


Table 117: Components of the Topology

Property            Settings
Switch hardware     EX4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name           default
One RADIUS server   Backend database with an address of 10.0.0.100 connected to the switch at port ge-0/0/10

In this example, connect the RADIUS server to access port ge-0/0/10 on the EX4200
switch. The switch acts as the authenticator and forwards credentials from the
supplicant to the user database on the RADIUS server. You must configure connectivity
between the EX4200 and the RADIUS server by specifying the address of the server
and configuring the secret password. This information is configured in an access
profile on the switch.

NOTE: For more information about authentication, authorization, and accounting
(AAA) services, please see the JUNOS Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/.

Configuration
CLI Quick Configuration

To quickly connect the RADIUS server to the switch, copy the following commands
and paste them into the switch terminal window:
[edit]
set access radius-server 10.0.0.100 secret juniper
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.0.0.100 10.2.14.200

Step-by-Step Procedure

To connect the RADIUS server to the switch:


1.

Define the address of the server, and configure the secret password. The secret
password on the switch must match the secret password on the server:
[edit access]
user@switch# set radius-server 10.0.0.100 secret juniper

2.

Configure the authentication order, making radius the first method of
authentication:
[edit access profile]
user@switch# set profile1 authentication-order radius

3.

Configure a list of server IP addresses to be tried in order to authenticate the
supplicant:
[edit access profile]
user@switch# set profile1 radius authentication-server 10.0.0.100 10.2.14.200

Results

Display the results of the configuration:


user@switch> show configuration access
radius-server {
    10.0.0.100 {
        port 1812;
        secret "$9$qPT3ApBSrv69rvWLVb.P5"; ## SECRET-DATA
    }
}
profile profile1 {
    authentication-order radius;
    radius {
        authentication-server 10.0.0.100 10.2.14.200;
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verify That the Switch and RADIUS Server are Properly Connected on page 887

Verify That the Switch and RADIUS Server are Properly Connected
Purpose

Verify that the RADIUS server is connected to the switch on the specified port.

Action

Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100): 56 data bytes
64 bytes from 10.93.15.218: icmp_seq=0 ttl=64 time=9.734 ms
64 bytes from 10.93.15.218: icmp_seq=1 ttl=64 time=0.228 ms

Meaning

ICMP echo request packets are sent from the switch to the target server at 10.0.0.100
to test whether it is reachable across the IP network. ICMP echo responses are being
returned from the server, verifying that the switch and the server are connected.

Related Topics

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX Series Switch on page 907

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access
to Corporate Visitors on an EX Series Switch on page 893

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch
on page 919

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953
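The shared secret configured in this example (set access radius-server 10.0.0.100 secret juniper) is what lets the switch and the RADIUS server trust each other's packets. The following Python is an added illustration, not Junos or FreeRADIUS code: it models one RFC 2865 Access-Request/Access-Accept exchange using the MAC-as-username form that the MAC RADIUS example later in this chapter places in the FreeRADIUS users file; the packet identifier, request authenticator and users table are constructed here.

```python
"""RFC 2865 Access-Request/Access-Accept exchange showing what the shared secret
from `set access radius-server 10.0.0.100 secret juniper` protects. Example code
added to this guide; not Junos or FreeRADIUS code. The packet identifier, the
request authenticator and the users table below are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)

# Constructed users table: the two printer entries of the MAC RADIUS example,
# username and password both the MAC address without colons.
USERS: Dict[bytes, bytes] = {b"00040ffdacfe": b"00040ffdacfe",
                             b"0004aecd235f": b"0004aecd235f"}

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 chain seeded by
    secret+RequestAuthenticator. Keyed obfuscation, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")  # drop RFC padding (MAC strings contain no NULs)

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, req_auth: Optional[bytes] = None) -> bytes:
    """Switch (NAS) side: the request sent to the server for one supplicant."""
    req_auth = req_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + req_auth + attrs

def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password with its own secret, look the user up,
    and sign the reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:HEADER_LEN]
    attrs = parse_attributes(request[HEADER_LEN:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(expected, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, HEADER_LEN)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(response: bytes, request: bytes, secret: bytes) -> Optional[int]:
    """Switch side: take the reply only if it answers this request's identifier and
    its Response Authenticator was computed with the same secret; otherwise RFC 2865
    says to silently discard it, so return None."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = response[HEADER_LEN:length]
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + attrs + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:HEADER_LEN]):
        return None
    return response[0]

def mac_radius_auth(mac: str, switch_secret: bytes, server_secret: bytes,
                    users: Dict[bytes, bytes], ident: int = 7) -> str:
    """One exchange: 'accept', 'reject' or 'discard'. A secret mismatch ends in
    'discard': the switch gets no valid reply, the same condition as the RADIUS
    server timeout that server fail fallback is designed for."""
    username = mac.replace(":", "").lower().encode()
    request = build_access_request(ident, username, username, switch_secret)
    response = server_handle(request, server_secret, users)
    code = client_verify(response, request, switch_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discard")
```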

Example: Configuring 802.1X Authentication Options When the RADIUS Server is
Unavailable to an EX Series Switch
Server fail fallback allows you to specify how 802.1X supplicants connected to the
switch are supported if the RADIUS authentication server becomes unavailable or
sends an EAP Access-Reject message.
You use 802.1X to control network access. Only users and devices (supplicants)
providing credentials that have been verified against a user database are allowed
access to the network. You use a RADIUS server as the user database.
This example describes how to configure an interface to move a supplicant to a VLAN
in the event of a RADIUS server timeout:

Requirements on page 888

Overview and Topology on page 889

Configuration on page 890

Verification on page 891

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.3 or later for EX Series switches

One EX Series switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.

One RADIUS authentication server that supports 802.1X. The authentication
server acts as the backend database and contains credential information for
hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Set up a connection between the switch and the RADIUS server. See Example:
Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883.

Disabled firewall filters on the interface. Firewall filters interfere with server fail
fallback operation.

Configured users on the authentication server.

Overview and Topology


A RADIUS server timeout occurs if no authentication RADIUS servers are reachable
when a supplicant logs in and attempts to access the LAN. Using server fail fallback,
configure alternative options for supplicants attempting LAN access. You can configure
the switch to accept or deny access to supplicants or to maintain the access already
granted towards supplicants before the RADIUS server timeout. Additionally, you
can configure the switch to move supplicants to a specific VLAN if a RADIUS timeout
occurs or if the RADIUS server sends an EAP Access-Reject message.

Figure 47 on page 885 shows the topology used for this example. The RADIUS server
is connected to the EX4200 switch on access port ge-0/0/10. The switch acts as the
authenticator Port Access Entity (PAE) and forwards credentials from the supplicant
to the user database on the RADIUS server. The switch blocks all traffic and acts as
a control gate until the supplicant is authenticated by the authentication server. A
supplicant is connected to the switch through interface ge-0/0/1.

Figure 48: Topology for Configuration

Table 117 on page 886 describes the components in this topology.


Table 118: Components of the Topology

Property             Settings
Switch hardware      EX4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports.
VLAN names           default VLAN
                     vlan-sf VLAN
Supplicant           Supplicant attempting access on interface ge-0/0/1
One RADIUS server    Backend database with an address of 10.0.0.100 connected to the switch at port
                     ge-0/0/10

In this example, configure interface ge-0/0/1 to move a supplicant attempting access
to the LAN during a RADIUS timeout to another VLAN. A RADIUS timeout prevents
the normal exchange of EAP messages that carry information from the RADIUS
server to the switch and permit the authentication of a supplicant. The default VLAN
is configured on interface ge-0/0/1. When a RADIUS timeout occurs, supplicants on
the interface will be moved from the default VLAN to the VLAN named vlan-sf.

NOTE: For more information about authentication, authorization, and accounting
(AAA) services, see the JUNOS Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/.

Configuration
To configure server fail fallback on the switch:
CLI Quick Configuration

To quickly configure server fail fallback on the switch, copy the following commands
and paste them into the switch terminal window:
[edit protocols dot1x authenticator]
set interface ge-0/0/1 server-fail vlan-name vlan-sf

Step-by-Step Procedure

To configure an interface to divert supplicants to a specific VLAN when a RADIUS
timeout occurs (here, the VLAN is vlan-sf):
1.

Define the VLAN to which supplicants on interface ge-0/0/1 are diverted:
[edit protocols dot1x authenticator]
user@switch# set interface ge-0/0/1 server-fail vlan-name vlan-sf

Results

Display the results of the configuration:


user@switch> show configuration
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members default;
                }
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name profile52;
            interface {
                ge-0/0/1.0 {
                    server-fail vlan-name vlan-sf;
                }
            }
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS
Timeout on page 891

Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout
Purpose

Verify that the interface moves supplicants to an alternative VLAN during a RADIUS
timeout.

Action

Display the VLANs configured on the switch; the interface ge-0/0/1.0 is a member
of the default VLAN:
user@switch> show vlans
Name      Tag   Interfaces
default         ge-0/0/0.0, ge-0/0/1.0*, ge-0/0/5.0*, ge-0/0/10.0,
                ge-0/0/12.0*, ge-0/0/14.0*, ge-0/0/15.0, ge-0/0/20.0
v2        77    None
vlansf    50    None
mgmt            me0.0*

Display 802.1X protocol information on the switch to view supplicants that are
authenticated on interface ge-0/0/1.0:
user@switch> show dot1x interface brief
802.1X Information:
Interface      Role            State           MAC address         User
ge-0/0/1.0     Authenticator   Authenticated   00:00:00:00:00:01   abc
ge-0/0/10.0    Authenticator   Initialize
ge-0/0/14.0    Authenticator   Connecting
ge-0/0/15.0    Authenticator   Initialize
ge-0/0/20.0    Authenticator   Initialize

A RADIUS server timeout occurs. Display the Ethernet switching table to show that
the supplicant with the MAC address 00:00:00:00:00:01 previously accessing the
LAN through the default VLAN is now being learned on the VLAN named vlan-sf:
user@switch> show ethernet-switching table
Ethernet-switching table: 3 entries, 1 learned
  VLAN      MAC address         Type    Age    Interfaces
  v1        *                   Flood   -      All-members
  vlansf    00:00:00:00:00:01   Learn   1:07   ge-0/0/1.0
  default   *                   Flood   -      All-members

Display 802.1X protocol information to show that interface ge-0/0/1.0 is connecting
and will open LAN access to supplicants:
user@switch> show dot1x interface brief
802.1X Information:
Interface      Role            State        MAC address   User
ge-0/0/1.0     Authenticator   Connecting
ge-0/0/10.0    Authenticator   Initialize
ge-0/0/14.0    Authenticator   Connecting
ge-0/0/15.0    Authenticator   Initialize
ge-0/0/20.0    Authenticator   Initialize

Meaning

The command show vlans displays interface ge-0/0/1.0 as a member of the default
VLAN. The command show dot1x interface brief shows that a supplicant (abc) is
authenticated on interface ge-0/0/1.0 and has the MAC address 00:00:00:00:00:01.
A RADIUS server timeout occurs, and the authentication server cannot be reached
by the switch. The command show ethernet-switching table shows that MAC address
00:00:00:00:00:01 is learned on VLAN vlan-sf. The supplicant has been moved from
the default VLAN to the vlan-sf VLAN. The supplicant is then connected to the LAN
through the VLAN named vlan-sf.

Related Topics

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX Series Switch on page 907

Configuring Server Fail Fallback (CLI Procedure) on page 950

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953

Understanding Server Fail Fallback and 802.1X Authentication on EX Series
Switches on page 873

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to
Corporate Visitors on an EX Series Switch
802.1X on EX Series switches provides LAN access to users who do not have
credentials in the RADIUS database. These users, referred to as guests, are
authenticated and typically provided with access to the Internet.
This example describes how to create a guest VLAN and configure 802.1X
authentication for it.

Requirements on page 893

Overview and Topology on page 893

Configuration of a Guest VLAN That Includes 802.1X Authentication on page 895

Verification on page 896

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

One EX Series switch acting as an authenticator interface access entity (PAE).
The interfaces on the authenticator PAE form a control gate that blocks all traffic
to and from supplicants until they are authenticated.

One RADIUS authentication server that supports 802.1X. The authentication
server acts as the backend database and contains credential information for
hosts (supplicants) that have permission to connect to the network.

Before you configure guest VLAN authentication, be sure you have:

Installed your EX Series switch. See Installing and Connecting an EX3200 or
EX4200 Switch.

Performed the initial switch configuration. See Connecting and Configuring an
EX Series Switch (J-Web Procedure) on page 81.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Overview and Topology


As part of IEEE 802.1X Port-Based Network Access Control (PNAC), you can provide
limited network access to supplicants who do not belong to a VLAN authentication
group by configuring authentication to a guest VLAN. Typically, guest VLAN access
is used to provide Internet access to visitors to a corporate site. However, you can
also use the guest VLAN feature to provide supplicants that fail 802.1X authentication
to a corporate LAN with access to a VLAN with limited resources.
Figure 49 on page 894 shows the conference room connected to the switch at interface
ge-0/0/1.


Figure 49: Topology for Guest VLAN Example


Table 119: Components of the Guest VLAN Topology

Property                  Settings
Switch hardware           EX4200 switch, 24 Gigabit Ethernet interfaces: 8 PoE interfaces (ge-0/0/0 through
                          ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)
VLAN names and tag IDs    sales, tag 100
                          support, tag 200
                          guest-vlan, tag 300
One RADIUS server         Backend database connected to the switch through interface ge-0/0/10

In this example, access interface ge-0/0/1 provides LAN connectivity in the conference
room. Configure this access interface to provide LAN connectivity to visitors in the
conference room who are not authenticated by the corporate VLAN.

Configuration of a Guest VLAN That Includes 802.1X Authentication


To create a guest VLAN and configure 802.1X authentication, perform these tasks:
CLI Quick Configuration

To quickly configure a guest VLAN, with 802.1X authentication, copy the following
commands and paste them into the switch terminal window:
[edit]
set vlans guest-vlan vlan-id 300
set protocols dot1x authenticator interface all guest-vlan guest-vlan

Step-by-Step Procedure

To configure a guest VLAN that includes 802.1X authentication on an EX Series
switch:
1.

Configure the VLAN ID for the guest VLAN:


[edit]
user@switch# set vlans guest-vlan vlan-id 300

2.

Configure the guest VLAN under dot1x protocols:


[edit]
user@switch# set protocols dot1x authenticator interface all guest-vlan guest-vlan

Results

Check the results of the configuration:


user@switch> show configuration
protocols {
    dot1x {
        authenticator {
            interface {
                all {
                    guest-vlan {
                        guest-vlan;
                    }
                }
            }
        }
    }
}
vlans {
    guest-vlan {
        vlan-id 300;
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That the Guest VLAN is Configured on page 896

Verifying That the Guest VLAN is Configured
Purpose

Verify that the guest VLAN is created and that an interface has failed authentication
and been moved to the guest VLAN.

Action

Use the operational mode commands:
user@switch> show vlans
Name        Tag    Interfaces
default            ge-0/0/3.0*
dynamic     40     None
guest       30     None
guestvlan   300    ge-0/0/1.0*
vlan_dyn           None
user@switch> show dot1x interface ge-0/0/1.0 detail
ge-0/0/1.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Guest VLAN membership: guest-vlan
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user1, 00:00:00:00:13:23
Operational state: Authenticated
Reauthentication due in 3307 seconds


Meaning

The output from the show vlans command shows guest-vlan as the name of the
VLAN and the VLAN ID as 300.
The output from the show dot1x interface ge-0/0/1.0 detail command displays the
Guest VLAN membership field, indicating that a supplicant at this interface failed
802.1X authentication and was passed through to the guest-vlan.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on
page 883

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX Series Switch on page 907

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch
on page 919

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch


To allow devices to access your LAN through 802.1X-configured interfaces without
authentication, you can configure a static MAC bypass list on the EX Series switch.
The static MAC bypass list, also known as the exclusion list, specifies MAC addresses
that are allowed on the switch without a request to an authentication server.
You can use static MAC bypass of authentication to allow connection for devices that
are not 802.1X-enabled, such as printers. If a host's MAC address matches an entry
in the static MAC bypass list, the nonresponsive host is authenticated and the
interface is opened for it.
This example describes how to configure static MAC bypass of authentication for
two printers:

Requirements on page 897

Overview and Topology on page 898

Configuration on page 900

Verification on page 901

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

One EX Series switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.

Before you configure static MAC authentication, be sure you have:


Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Overview and Topology


To permit printers access to the LAN, add them to the static MAC bypass list. The
MAC addresses on this list are permitted access without authentication from the
RADIUS server.
Figure 50 on page 899 shows the two printers connected to the EX4200.


Figure 50: Topology for Static MAC Authentication Configuration

The interfaces shown in Table 120 on page 900 will be configured for static MAC
authentication.


Table 120: Components of the Static MAC Authentication Configuration Topology

Property                                        Settings
Switch hardware                                 EX4200, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through
                                                ge-0/0/23)
VLAN name                                       default
Connections to integrated printer/fax/copier    ge-0/0/19, MAC address 00:04:0f:fd:ac:fe
machines (no PoE required)                      ge-0/0/20, MAC address 00:04:ae:cd:23:5f

The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface
ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected
to access interface ge-0/0/20. Both printers will be added to the static list and bypass
802.1X authentication.

Configuration
To configure static MAC authentication, perform these tasks:
CLI Quick Configuration

To quickly configure static MAC authentication, copy the following commands and
paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols dot1x authenticator interface all supplicant multiple

Step-by-Step Procedure

Configure static MAC authentication:


1.

Configure the authentication profile name (access profile name) to use for
authentication:
[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name profile1

2.

Configure MAC addresses 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f as static MAC
addresses:
[edit protocols]
user@switch# set dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]

3.

Configure the 802.1X authentication method:


[edit protocols]
user@switch# set dot1x authenticator interface all supplicant multiple

Results

Display the results of the configuration:


user@switch> show configuration
interfaces {
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                vlan members default;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching {
                vlan members default;
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name profile1;
            static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
            interface {
                all {
                    supplicant multiple;
                }
            }
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying Static MAC Bypass of Authentication on page 901

Verifying Static MAC Bypass of Authentication
Purpose

Verify that the MAC address for both printers is configured and associated with the
correct interfaces.

Action

Use the operational mode command:
user@switch> show dot1x static-mac-address
MAC address          VLAN-Assignment   Interface
00:04:0f:fd:ac:fe    default           ge-0/0/19.0
00:04:ae:cd:23:5f    default           ge-0/0/20.0

Meaning

The output field MAC address shows the MAC addresses of the two printers.
The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect
to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f
can connect to the LAN through interface ge-0/0/20.0.


Related Topics

Configuring 802.1X Authentication (J-Web Procedure) on page 944

Configuring Static MAC Bypass of Authentication (CLI Procedure) on page 947

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Example: Configuring MAC RADIUS Authentication on an EX Series Switch


To permit hosts that are not 802.1X-enabled to access the LAN, you can configure
MAC RADIUS authentication on the switch interfaces to which the non-802.1X-enabled
hosts are connected. When MAC RADIUS authentication is configured, the switch
will attempt to authenticate the host with the RADIUS server using the host's MAC
address.
This example describes how to configure MAC RADIUS authentication for two
non-802.1X-enabled hosts:

Requirements on page 902

Overview and Topology on page 903

Configuration on page 905

Verification on page 906

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.3 or later for EX Series switches.

One EX Series switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.

One RADIUS authentication server. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have
permission to connect to the network.

Before you configure MAC RADIUS authentication, be sure you have:

Configured basic access between the EX Series switch and the RADIUS server.
See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch
on page 883.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Performed basic 802.1X configuration. See Configuring 802.1X Interface Settings
(CLI Procedure) on page 943.

Overview and Topology


IEEE 802.1X Port-Based Network Access Control (PNAC) authenticates and permits
devices access to a LAN if the devices can communicate with the switch using the
802.1X protocol (are 802.1X-enabled). To permit non-802.1X-enabled hosts to access
the LAN, you can configure MAC RADIUS authentication on the interfaces to which
the hosts are connected. When the MAC address of the non-802.1X-enabled host
appears on the interface, the switch consults the RADIUS server to check whether it
is a permitted MAC address. If the MAC address of the host is configured as permitted
on the RADIUS server, the switch opens LAN access to the nonresponsive host.
You can configure both MAC RADIUS authentication and 802.1X authentication
methods on a single interface configured for multiple supplicants. Additionally, if an
interface is only connected to a non-802.1X-enabled host, you can enable MAC
RADIUS and not enable 802.1X authentication using the mac-radius restrict option,
and thus avoid the delay that occurs while the switch determines that the device
does not respond to EAP messages.
Figure 51 on page 904 shows the two printers connected to the switch.


Figure 51: Topology for MAC RADIUS Authentication Configuration

Table 120 on page 900 shows the components in the example for MAC RADIUS
authentication.
Table 121: Components of the MAC RADIUS Authentication Configuration Topology

Property                                     Settings
Switch hardware                              EX4200 ports (ge-0/0/0 through ge-0/0/23)
VLAN name                                    default
Connections to printers (no PoE required)    ge-0/0/19, MAC address 00040ffdacfe
                                             ge-0/0/20, MAC address 0004aecd235f
RADIUS server                                Connected to the switch on interface ge-0/0/10


The printer with the MAC address 00040ffdacfe is connected to access interface
ge-0/0/19. A second printer with the MAC address 0004aecd235f is connected to
access interface ge-0/0/20. In this example, both interfaces are configured for MAC
RADIUS authentication on the switch, and the MAC addresses (without colons) of
both printers are configured on the RADIUS server. Interface ge-0/0/20 is configured
to eliminate the normal delay while the switch attempts 802.1X authentication; MAC
RADIUS authentication is enabled and 802.1X authentication is disabled using the
mac-radius restrict option.

Configuration
To configure MAC RADIUS authentication on the switch, perform these tasks:
CLI Quick Configuration

To quickly configure MAC RADIUS authentication, copy the following commands
and paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator interface ge-0/0/19 mac-radius
set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict

NOTE: You must also configure the two MAC addresses as usernames and passwords
on the RADIUS server, as is done in step 2 of the Step-by-Step Procedure.

Step-by-Step Procedure

Configure MAC RADIUS authentication on the switch and on the RADIUS server:
1.

On the switch, configure the interfaces to which the printers are attached for
MAC RADIUS authentication, and configure interface ge-0/0/20, so that only
MAC RADIUS authentication is used:
[edit]
user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius
user@switch# set protocols dot1x authenticator interface ge-0/0/20
mac-radius restrict

2.

On the RADIUS server, configure the MAC addresses 00040ffdacfe and
0004aecd235f as usernames and passwords:
[root@freeradius]#
edit /etc/raddb
vi users
00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe"
0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"

Results

Display the results of the configuration on the switch:


user@switch> show configuration
protocols {
    dot1x {
        authenticator {
            authentication-profile-name profile52;
            interface {
                ge-0/0/19.0 {
                    mac-radius;
                }
                ge-0/0/20.0 {
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    }
}

Verification
Verify that the supplicants are authenticated:

Verifying That the Supplicants Are Authenticated on page 906

Verifying That the Supplicants Are Authenticated


Purpose

After supplicants are configured for MAC RADIUS authentication on the switch and
on the RADIUS server, verify that they are authenticated and display the method of
authentication:

Action

Display information about 802.1X-configured interfaces ge-0/0/19 and ge-0/0/20:
user@switch> show dot1x interface ge-0/0/19.0 detail
ge-0/0/19.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Strict: Disabled
Reauthentication: Enabled Reauthentication interval: 40 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 1
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: 00040ffdacfe, 00:04:0f:fd:ac:fe
Operational state: Authenticated
Authentication method: MAC Radius
Authenticated VLAN: v200
Reauthentication due in 17 seconds
user@switch> show dot1x interface ge-0/0/20.0 detail
ge-0/0/20.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Strict: Disabled
Reauthentication: Enabled Reauthentication interval: 40 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 1
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: 0004aecd235f, 00:04:ae:cd:23:5f
Operational state: Authenticated
Authentication method: MAC Radius
Authenticated VLAN: v200
Reauthentication due in 23 seconds

Meaning

The sample output from the show dot1x interface detail command displays the MAC
address of the connected host in the Supplicant field. On interface ge-0/0/19, the
MAC address is 00:04:0f:fd:ac:fe, which is the MAC address of the first printer
configured for MAC RADIUS authentication. The Authentication method field displays
the authentication method as MAC Radius. On interface ge-0/0/20, the MAC address
is 00:04:ae:cd:23:5f, which is the MAC address of the second printer configured for
MAC RADIUS authentication. The Authentication method field displays the
authentication method as MAC Radius.

Related Topics

Configuring MAC RADIUS Authentication (CLI Procedure) on page 948

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Configuring 802.1X Authentication (J-Web Procedure) on page 944

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch

802.1X Port-Based Network Access Control (PNAC) authentication on EX Series switches provides three types of authentication to meet the access needs of your enterprise LAN:

Authenticate the first host (supplicant) on an authenticator port, and allow all others also connecting to have access.

Authenticate only one supplicant on an authenticator port at one time.

Authenticate multiple supplicants on an authenticator port. Multiple supplicant mode is used in VoIP configurations.

This example configures an EX4200 switch to use IEEE 802.1X to authenticate supplicants that use three different administrative modes:

Requirements on page 908

Overview and Topology on page 908

Configuration of 802.1X to Support Multiple Supplicant Modes on page 910

Verification on page 911


Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

One EX Series switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.

One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you configure the ports for 802.1X authentication, be sure you have:

Installed your EX Series switch.

Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Configured users on the authentication server.

Overview and Topology


As shown in Figure 52 on page 909, the topology contains an EX4200 access switch
connected to the authentication server on port ge-0/0/10. Interfaces ge-0/0/8,
ge-0/0/9, and ge-0/0/11 will be configured for three different administrative modes.

Chapter 50: Examples of Configuring Access Control

Figure 52: Topology for Configuring Supplicant Modes


Table 122: Components of the Supplicant Mode Configuration Topology

Property                                             Settings
---------------------------------------------------  ----------------------------------------------------
Switch hardware                                      EX4200 switch, 24 Gigabit Ethernet ports: 8 PoE ports
                                                     (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports
                                                     (ge-0/0/8 through ge-0/0/23)
Connections to Avaya phones with integrated hub,     ge-0/0/8, ge-0/0/9, and ge-0/0/11
to connect phone and desktop PC to a single port
(requires PoE)

To configure the administrative modes to support supplicants in different areas of the enterprise network:

Configure access port ge-0/0/8 for single supplicant mode authentication.

Configure access port ge-0/0/9 for single secure supplicant mode authentication.

Configure access port ge-0/0/11 for multiple supplicant mode authentication.

Single supplicant mode authenticates only the first supplicant that connects to an
authenticator port. All other supplicants connecting to the authenticator port after
the first supplicant has connected successfully, whether they are 802.1X-enabled or
not, are permitted free access to the port without further authentication. If the first
authenticated supplicant logs out, all other supplicants are locked out until a supplicant
authenticates.
Single-secure supplicant mode authenticates only one supplicant to connect to an
authenticator port. No other supplicant can connect to the authenticator port until
the first supplicant logs out.
Multiple supplicant mode authenticates multiple supplicants individually on one
authenticator port. If you configure a maximum number of devices that can be
connected to a port through port security, the lesser of the configured values is used
to determine the maximum number of supplicants allowed per port.

Configuration of 802.1X to Support Multiple Supplicant Modes


To configure 802.1X authentication to support the three supplicant modes, perform these tasks:
CLI Quick Configuration

To quickly configure the ports with different 802.1X authentication modes, copy the
following commands and paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator interface ge-0/0/8 supplicant single
set protocols dot1x authenticator interface ge-0/0/9 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/11 supplicant multiple

Step-by-Step Procedure

Configure the administrative mode on the interfaces:

1. Configure the supplicant mode as single on interface ge-0/0/8:

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/8 supplicant single

2. Configure the supplicant mode as single secure on interface ge-0/0/9:

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/9 supplicant single-secure

3. Configure multiple supplicant mode on interface ge-0/0/11:

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/11 supplicant multiple

Results

Check the results of the configuration:


[edit]
user@switch# show configuration
protocols {
dot1x {
authenticator {
interface {
ge-0/0/8.0 {
supplicant single;
}
ge-0/0/9.0 {
supplicant single-secure;
}
ge-0/0/11.0 {
supplicant multiple;
}
}
}
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the 802.1X Configuration on page 911

Verifying the 802.1X Configuration

Purpose

Verify the 802.1X configuration on interfaces ge-0/0/8, ge-0/0/9, and ge-0/0/11.

Action

Verify the 802.1X configuration with the operational mode command show dot1x interface:


user@switch> show dot1x interface ge-0/0/8.0 detail
ge-0/0/8.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user100, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 506 seconds
user@switch> show dot1x interface ge-0/0/9.0 detail
ge-0/0/9.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single Secure
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user101, 00:13:00:00:28:22
Operational state: Authenticated
Reauthentication due in 917 seconds
user@switch> show dot1x interface ge-0/0/11.0 detail
ge-0/0/11.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user102, 00:10:12:e0:28:22
Operational state: Authenticated
Reauthentication due in 1788 seconds

Meaning

The Supplicant mode output field displays the configured administrative mode for each interface. Interface ge-0/0/8.0 displays Single supplicant mode. Interface ge-0/0/9.0 displays Single Secure supplicant mode. Interface ge-0/0/11.0 displays Multiple supplicant mode.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 893

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953

Understanding 802.1X Authentication on EX Series Switches on page 867
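The checks that the Meaning sections above make by eye scale poorly past a handful of switches. The following Python script, added here as an example and not taken from the Juniper guide, parses show dot1x interface detail output in the layout shown on this page and flags the conditions the text itself calls out as weak: interfaces in single supplicant mode (any host attached after the first authenticated supplicant gets access without authenticating), interfaces with reauthentication disabled, and supplicants admitted by MAC RADIUS alone (a MAC address is easily cloned, so such a host is identified rather than authenticated). The embedded output is constructed for the example; the field names and their order follow the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of "show dot1x interface <name> detail" as
# printed on this page (the switch indents the fields; the parser ignores that).
SAMPLE_OUTPUT = """\
user@switch> show dot1x interface ge-0/0/8.0 detail
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Reauthentication: Enabled Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Supplicant: user100, 00:00:00:00:22:22
    Operational state: Authenticated
    Reauthentication due in 506 seconds
user@switch> show dot1x interface ge-0/0/9.0 detail
ge-0/0/9.0
  Role: Authenticator
  Supplicant mode: Single Secure
  Reauthentication: Disabled
  Supplicant: user101, 00:13:00:00:28:22
    Operational state: Authenticated
user@switch> show dot1x interface ge-0/0/20.0 detail
ge-0/0/20.0
  Role: Authenticator
  Supplicant mode: Single
  Mac Radius: Enabled
  Mac Radius Strict: Enabled
  Reauthentication: Enabled Reauthentication interval: 40 seconds
  Number of connected supplicants: 1
  Supplicant: 0004aecd235f, 00:04:ae:cd:23:5f
    Operational state: Authenticated
    Authentication method: MAC Radius
    Authenticated VLAN: v200
"""


@dataclass
class Supplicant:
    name: str
    mac: str
    state: str = ""
    # On this page "Authentication method" is printed only for MAC RADIUS
    # supplicants, so a supplicant without the field is taken to be 802.1X (EAP).
    method: str = "802.1X"


@dataclass
class Dot1xInterface:
    name: str
    supplicant_mode: str = ""
    mac_radius: str = "Disabled"
    mac_radius_strict: str = "Disabled"
    reauthentication: str = ""
    reauth_interval: Optional[int] = None
    supplicants: List[Supplicant] = field(default_factory=list)


IFACE_RE = re.compile(r"^\s*([a-z]+-\d+/\d+/\d+\.\d+)\s*$")
SUPPLICANT_RE = re.compile(r"^\s*Supplicant:\s*(\S+),\s*([0-9a-f:]{17})\s*$")
REAUTH_RE = re.compile(r"^\s*Reauthentication:\s*(\w+)(?:\s+Reauthentication interval:\s*(\d+))?")


def parse_show_dot1x(text: str) -> List[Dot1xInterface]:
    """Parse one or more concatenated 'show dot1x interface ... detail' outputs."""
    interfaces: List[Dot1xInterface] = []
    cur: Optional[Dot1xInterface] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("user@"):
            continue                      # blank lines and the command prompt
        m = IFACE_RE.match(line)
        if m:                             # a bare interface name starts a block
            cur = Dot1xInterface(m.group(1))
            interfaces.append(cur)
            continue
        if cur is None:
            continue
        m = SUPPLICANT_RE.match(line)
        if m:                             # "Supplicant: <name>, <mac>"
            cur.supplicants.append(Supplicant(m.group(1), m.group(2)))
            continue
        m = REAUTH_RE.match(line)
        if m:                             # both reauthentication fields share one line
            cur.reauthentication = m.group(1)
            cur.reauth_interval = int(m.group(2)) if m.group(2) else None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Supplicant mode":
            cur.supplicant_mode = value
        elif key == "Mac Radius":
            cur.mac_radius = value
        elif key == "Mac Radius Strict":
            cur.mac_radius_strict = value
        elif key == "Operational state" and cur.supplicants:
            cur.supplicants[-1].state = value
        elif key == "Authentication method" and cur.supplicants:
            cur.supplicants[-1].method = value
    return interfaces


def audit(interfaces: List[Dot1xInterface]) -> List[str]:
    """Return one finding string per weak setting described on this page."""
    findings: List[str] = []
    for itf in interfaces:
        if itf.supplicant_mode == "Single":
            findings.append(f"{itf.name}: single supplicant mode; every host attached after the "
                            "first authenticated supplicant gets access without authenticating")
        if itf.reauthentication != "Enabled":
            findings.append(f"{itf.name}: reauthentication disabled; an authenticated session "
                            "is never revalidated")
        for s in itf.supplicants:
            if s.method.lower().startswith("mac"):
                findings.append(f"{itf.name}: {s.mac} was admitted by MAC RADIUS only; a MAC "
                                "address can be cloned, so treat this host as identified, not authenticated")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_dot1x(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the concatenated output of show dot1x interface detail for the interfaces you care about (for example, collected over SSH); it returns one finding per issue, so it can be run unattended and the findings diffed from one run to the next.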


Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch

You can use RADIUS server attributes and a port-based firewall filter to centrally apply terms to multiple supplicants connected to an EX Series switch in your enterprise. Terms are applied following a supplicant's successful authentication through 802.1X.
EX Series switches support port-based firewall filters. Port firewall filters are configured
on a single EX Series switch, but in order for them to operate throughout an
enterprise, they have to be configured on multiple switches. To reduce the need to
configure the same port firewall filter on multiple switches, you can instead apply
the filter centrally on the RADIUS server using RADIUS server attributes.
The following example uses FreeRADIUS to apply a port firewall filter on a RADIUS
server. For specifics on configuring your server, consult the documentation that was
included with your RADIUS server.
This example describes how to configure a port firewall filter with terms, create
counters to count packets for the supplicants, apply the filter to user profiles on the
RADIUS server, and display the counters to verify the configuration:

Requirements on page 913

Overview and Topology on page 914

Configuring the Port Firewall Filter and Counters on page 916

Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS
Server on page 917

Verification on page 918

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.3 or later for EX Series switches

One EX Series switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.

One RADIUS authentication server. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have
permission to connect to the network.

Before you begin, be sure you have:

Set up a connection between the switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883.

Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2 set to multiple. See Configuring 802.1X Interface Settings (CLI Procedure) on page 943 and Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907.

Configured users on the RADIUS authentication server (in this example, the user profiles for Supplicant 1 and Supplicant 2 in the topology are modified on the RADIUS server).

Overview and Topology


When the 802.1X configuration on an interface is set to multiple supplicant mode, you can apply a single port firewall filter configured through the JUNOS CLI on the EX Series switch to any number of users (supplicants) on one interface by adding the filter centrally to the RADIUS server. Only a single filter can be applied to an interface; however, the filter can contain multiple terms for separate supplicants. For more information about firewall filters, see Firewall Filters for EX Series Switches Overview on page 1249.

RADIUS server attributes are applied to supplicants after the supplicants are successfully authenticated using 802.1X. To authenticate the supplicants, the switch forwards a supplicant's credentials to the RADIUS server. The RADIUS server matches the credentials forwarded by the switch against preconfigured information about the supplicant located in the supplicant's user profile on the RADIUS server. If a match is made, the RADIUS server instructs the switch to open an interface to the supplicant. Traffic then flows from and to the supplicant on the LAN. Instructions configured in the port firewall filter and added to the supplicant's user profile using a RADIUS server attribute further define the access that the supplicant is granted. Filtering terms configured in the port firewall filter are applied to the supplicant after 802.1X authentication is complete. As with any JUNOS firewall filter, traffic that matches none of the filter's terms is discarded, so a filter distributed through RADIUS must contain a term for every kind of traffic the supplicant is allowed to send.

Figure 53 on page 915 shows the topology used for this example. The RADIUS server is connected to the EX4200 switch on access port ge-0/0/10. Two supplicants are accessing the LAN on interface ge-0/0/2. Supplicant 1 has a MAC address of 00:50:8b:6f:60:3a. Supplicant 2 has a MAC address of 00:50:8b:6f:60:3b.


Figure 53: Topology for Firewall Filter and RADIUS Server Attributes Configuration

Table 123 on page 915 describes the components in this topology.


Table 123: Components of the Firewall Filter and RADIUS Server Attributes Topology

Property                                            Settings
--------------------------------------------------  --------------------------------------------------------------
Switch hardware                                     EX4200 access switch, 24 Gigabit Ethernet ports, 8 PoE ports.
One RADIUS server                                   Backend database with an address of 10.0.0.100 connected to
                                                    the switch at port ge-0/0/10.
802.1X supplicants connected to the switch on       Supplicant 1 has MAC address 00:50:8b:6f:60:3a.
interface ge-0/0/2                                  Supplicant 2 has MAC address 00:50:8b:6f:60:3b.
Port firewall filter to be applied on the RADIUS    filter1
server
Counters                                            counter1 counts packets from Supplicant 1, and counter2 counts
                                                    packets from Supplicant 2.
User profiles on the RADIUS server                  Supplicant 1 has the user profile supplicant1.
                                                    Supplicant 2 has the user profile supplicant2.

In this example, you configure a port firewall filter named filter1. The filter contains
terms that will be applied to the supplicants based on the MAC addresses of the
supplicants. When you configure the filter, you also configure the counters called
counter1 and counter2. Packets from each supplicant will be counted, helping you
verify that the configuration is working. Then, you check to see that the RADIUS
server attribute is available on the RADIUS server and apply the filter to the user
profiles of each supplicant on the RADIUS server. Finally, you verify the configuration
by displaying output for the two counters.

NOTE: For more information about authentication, authorization, and accounting (AAA) services, see the JUNOS Software System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos93/index.html.

Configuring the Port Firewall Filter and Counters


Configure a port firewall filter and counters:
CLI Quick Configuration

To quickly configure a port firewall filter with terms for Supplicant 1 and Supplicant
2 and create parallel counters for each supplicant, copy the following commands
and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter filter1 term supplicant1 from
source-mac-address 00:50:8b:6f:60:3a
set firewall family ethernet-switching filter filter1 term supplicant2 from
source-mac-address 00:50:8b:6f:60:3b
set firewall family ethernet-switching filter filter1 term supplicant1 then count
counter1
set firewall family ethernet-switching filter filter1 term supplicant2 then count
counter2

Step-by-Step Procedure

To configure a port firewall filter and counters on the switch:

1. Configure a port firewall filter (here, filter1) with terms for each supplicant based upon the MAC address of each supplicant:

[edit firewall family ethernet-switching]
user@switch# set filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
user@switch# set filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b

2. Create two counters that will count packets for each supplicant:

[edit firewall family ethernet-switching]
user@switch# set filter filter1 term supplicant1 then count counter1
user@switch# set filter filter1 term supplicant2 then count counter2

Results

Display the results of the configuration:


user@switch> show configuration
firewall {
family ethernet-switching {
filter filter1 {
term supplicant1 {
from {
source-mac-address {
00:50:8b:6f:60:3a;
}
}
then count counter1;
}
term supplicant2 {
from {
source-mac-address {
00:50:8b:6f:60:3b;
}
}
then count counter2;
}
}
}
}

Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server
Verify that the RADIUS server attribute needed to apply a filter on the RADIUS server
is on the server and apply the port firewall filter to each supplicants user profile on
the RADIUS server:
Step-by-Step Procedure

To verify that the RADIUS server attribute Filter-Id is on the RADIUS server and to apply the filter to the user profiles:

1. Verify that the attribute Filter-Id is defined in the dictionary dictionary.rfc2865 on the RADIUS server:

[root@freeradius]# grep Filter-Id /usr/share/freeradius/dictionary.rfc2865

The output shows the attribute (RADIUS attribute number 11, of type string):

ATTRIBUTE    Filter-Id    11    string

2. Display the local user profiles of the supplicants to which you want to apply the filter (here, the user profiles are called supplicant1 and supplicant2). Reply attributes belong on indented continuation lines; a line that starts in the first column begins a new entry:

[root@freeradius]# cat /usr/local/etc/raddb/users

The output shows:

supplicant1 Auth-Type := EAP, User-Password == "supplicant1"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "1005"
supplicant2 Auth-Type := EAP, User-Password == "supplicant2"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "1005"

3. Apply the filter to both user profiles by opening the users file in an editor, adding the line Filter-Id = "filter1" to each profile (and a trailing comma to the reply attribute that precedes it), and then saving and closing the file:

[root@freeradius]# vi /usr/local/etc/raddb/users

After you add the line, the profiles look like this:

supplicant1 Auth-Type := EAP, User-Password == "supplicant1"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "1005",
    Filter-Id = "filter1"
supplicant2 Auth-Type := EAP, User-Password == "supplicant2"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "1005",
    Filter-Id = "filter1"

4. Restart the RADIUS server so that it rereads the users file. FreeRADIUS loads the users file when it starts, so the edited profiles do not take effect until the server is restarted.

Verification
Verify that the filter has been applied to the supplicants:

Verifying That the Filter Has Been Applied to the Supplicants on page 918

Verifying That the Filter Has Been Applied to the Supplicants

Purpose

After supplicants are authenticated, verify that the filter configured on the switch and added to each supplicant's user profile on the RADIUS server has been applied:

Action

Display information about firewall filter filter1:

user@switch> show firewall filter filter1
Filter: filter1
Counters:
Name                Bytes       Packets
counter1            128         2
counter2            64          1

Meaning

The output of the command show firewall filter filter1 displays counter1 and counter2. Packets from Supplicant 1 are counted using counter1, and packets from Supplicant 2 are counted using counter2. The output from the command displays packets incrementing for both counters. The filter has been applied to both supplicants.

Related Topics

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Understanding 802.1X Authentication on EX Series Switches on page 867

Understanding 802.1X and VSAs on EX Series Switches on page 882
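The procedure above edits each profile by hand, and the filter that Filter-Id names has to exist on every switch the supplicant can authenticate through, or the switch receiving the attribute has nothing to apply. The following Python script, added here as an example rather than taken from the Juniper guide or from FreeRADIUS, checks that consistency: it parses a users file in the layout shown above, extracts each profile's reply attributes, and reports profiles that carry no Filter-Id (the supplicant is admitted with unfiltered port access) or whose Filter-Id names a filter missing from any switch's set-format configuration. The users file, the switch hostnames access-sw1 and access-sw2, and their configurations are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a FreeRADIUS users file in the layout shown on this page.
# Reply attributes must be indented; a line starting in column 1 begins a new entry.
USERS_FILE = """\
supplicant1 Auth-Type := EAP, User-Password == "supplicant1"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = "1005",
\tFilter-Id = "filter1"
supplicant2 Auth-Type := EAP, User-Password == "supplicant2"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = "1005"
printer1 Auth-Type := EAP, User-Password == "printer1"
\tFilter-Id = "printer-filter"
"""

# Constructed sample: set-format firewall configuration from two access switches
# (the hostnames access-sw1 and access-sw2 are assumed for this example).
SWITCH_CONFIGS: Dict[str, str] = {
    "access-sw1": """\
set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1
set firewall family ethernet-switching filter printer-filter term printer from source-mac-address 00:04:0f:fd:ac:fe
""",
    "access-sw2": """\
set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1
""",
}

# "<Attribute> <operator> <value>", operators as used in the users file
ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|\+=|=)\s*(.+?)\s*$')
FILTER_RE = re.compile(r'^set firewall family ethernet-switching filter (\S+)')


def parse_users(text: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {reply attribute: value}} for each entry in a users file."""
    profiles: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.split(None, 1)[0]      # first token is the username (or DEFAULT)
            profiles[current] = {}
            continue
        if current is None:
            continue
        for item in raw.strip().rstrip(",").split(","):
            m = ITEM_RE.match(item.strip())
            if m:
                profiles[current][m.group(1)] = m.group(3).strip('"')
    return profiles


def filters_defined(set_config: str) -> Set[str]:
    """Names of family ethernet-switching filters present in a set-format configuration."""
    names: Set[str] = set()
    for line in set_config.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def check_filter_ids(profiles: Dict[str, Dict[str, str]],
                     switch_configs: Dict[str, str]) -> List[str]:
    """Report profiles without a Filter-Id and Filter-Ids absent from any switch."""
    findings: List[str] = []
    defined = {sw: filters_defined(cfg) for sw, cfg in switch_configs.items()}
    for user, attrs in sorted(profiles.items()):
        fid = attrs.get("Filter-Id")
        if fid is None:
            findings.append(f"{user}: no Filter-Id; the supplicant is admitted with unfiltered access")
            continue
        for sw, names in sorted(defined.items()):
            if fid not in names:
                findings.append(f"{user}: Filter-Id {fid!r} is not configured on {sw}")
    return findings


if __name__ == "__main__":
    for finding in check_filter_ids(parse_users(USERS_FILE), SWITCH_CONFIGS):
        print(finding)
```

Run it against the real users file and the output of show configuration | display set from each access switch before restarting the RADIUS server; a profile that fails the check is cheaper to fix before the supplicant reauthenticates than after.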

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch

You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from the switch to the phone. You also configure 802.1X authentication to allow the telephone access to the LAN. Authentication is done through a backend RADIUS server.

This example describes how to configure VoIP on an EX Series switch to support an Avaya IP phone, as well as the LLDP-MED protocol and 802.1X authentication:

Requirements on page 919

Overview and Topology on page 920

Configuration on page 922

Verification on page 924

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX Series switches

One EX Series switch acting as an authenticator port access entity (PAE). The
interfaces on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.

An Avaya 9620 IP telephone that supports LLDP-MED and 802.1X


Before you configure VoIP, be sure you have:

Installed your EX Series switch. See Installing and Connecting an EX3200 or EX4200 Switch.

Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 81.

Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Configured the RADIUS server for 802.1X authentication and set up the access profile. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883.

(Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not necessary if the VoIP supplicant is using a power adapter. For information about configuring PoE, see Configuring PoE (CLI Procedure) on page 1479.

NOTE: If the IP address isn't configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN's ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).

Overview and Topology


Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX4200 switch is connected
to an Avaya 9620 IP telephone. Avaya phones have a built-in bridge that allows you
to connect a desktop PC to the phone, so the desktop and phone in a single office
require only one interface on the switch. The EX Series switch is connected to a
RADIUS server on interface ge-0/0/10 (see Figure 54 on page 921).


Figure 54: VoIP Topology

In this example, you configure VoIP parameters and specify the forwarding class assured-forwarding for voice traffic to provide the highest quality of service.

Table 124 on page 921 describes the components used in this VoIP configuration example.

Table 124: Components of the VoIP Configuration Topology

Property                                                    Settings
----------------------------------------------------------  -------------------------------------------------
Switch hardware                                             EX4200 switch
VLAN names                                                  data-vlan
                                                            voice-vlan
Connection to Avaya phone with integrated hub, to connect   ge-0/0/2
phone and desktop PC to a single interface (requires PoE)
One RADIUS server                                           Provides backend database connected to the switch
                                                            through interface ge-0/0/10.

As well as configuring VoIP on interface ge-0/0/2, you configure:

802.1X authentication. Authentication is set to multiple supplicant to support more than one supplicant's access to the LAN through interface ge-0/0/2.

LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP telephone.

NOTE: A PoE configuration is not necessary if an IP telephone is using a power adapter.

Configuration
To configure VoIP, LLDP-MED, and 802.1X authentication:
CLI Quick Configuration

To quickly configure VoIP, LLDP-MED, and 802.1X, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class
assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple


Step-by-Step Procedure

To configure VoIP with LLDP-MED and 802.1X:

1. Configure the VLANs for voice and data:

[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99

2. Associate the VLAN data-vlan with the interface:

[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0

3. Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN:

[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access

4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:

[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding

5. Configure LLDP-MED protocol support:

[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0

6. To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X authentication support and specify multiple supplicant mode:

NOTE: If you do not want to authenticate any device, skip the 802.1X configuration on this interface.

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results

Display the results of the configuration:


[edit]
user@switch# show configuration
interfaces {
ge-0/0/2 {
unit 0 {

family ethernet-switching {
port-mode access;
vlan {
members data-vlan;
}
}
}
}
}
protocols {
lldp-med {
interface ge-0/0/2.0;
}
dot1x {
authenticator {
interface {
ge-0/0/2.0 {
supplicant multiple;
}
}
}
}
}
vlans {
data-vlan {
vlan-id 77;
interface {
ge-0/0/2.0;
}
}
voice-vlan {
vlan-id 99;
}
}
ethernet-switching-options {
voip {
interface ge-0/0/2.0 {
vlan voice-vlan;
forwarding-class assured-forwarding;
}
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration on page 924

Verifying 802.1X Authentication for IP Phone and Desktop PC on page 925

Verifying the VLAN Association with the Interface on page 926

Verifying LLDP-MED Configuration

Purpose

Verify that LLDP-MED is enabled on the interface.

Action

user@switch> show lldp detail
LLDP                      : Enabled
Advertisement interval    : 30 Second(s)
Transmit delay            : 2 Second(s)
Hold timer                : 2 Second(s)
Config Trap Interval      : 300 Second(s)
Connection Hold timer     : 60 Second(s)
LLDP MED                  : Enabled
MED fast start count      : 3 Packet(s)

Interface       LLDP        LLDP-MED    Neighbor count
all             Enabled     -           0
ge-0/0/2.0      -           Enabled     0

Interface       VLAN-id     VLAN-name
ge-0/0/0.0      0           default
ge-0/0/1.0      0           employee-vlan
ge-0/0/2.0      0           data-vlan
ge-0/0/2.0      99          voice-vlan
ge-0/0/3.0      0           employee-vlan
ge-0/0/8.0      0           employee-vlan
ge-0/0/10.0     0           default
ge-0/0/11.0     20          employee-vlan
ge-0/0/23.0     0           default

LLDP basic TLVs supported:
Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address.
LLDP 802 TLVs supported:
Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name.
LLDP MED TLVs supported:
LLDP MED capabilities, Network policy, Endpoint location, Extended power via MDI.

Meaning

The show lldp detail output shows that LLDP is enabled on all interfaces and that LLDP-MED is enabled on the ge-0/0/2.0 interface. The VLAN table shows that ge-0/0/2.0 advertises voice-vlan (VLAN ID 99) in addition to data-vlan, which is what the phone needs to tag its voice traffic. The end of the output lists the LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that the switch supports.

Verifying 802.1X Authentication for IP Phone and Desktop PC

Purpose

Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.

Action

user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 3588 seconds

Meaning

The Role field shows that the ge-0/0/2.0 interface is acting as the authenticator. The Supplicant mode field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output; in this output only one supplicant has authenticated so far.

Verifying the VLAN Association with the Interface

Purpose
Display the interface state and VLAN membership.

Action
user@switch> show ethernet-switching interfaces
Interface      State   VLAN members     Blocking
ge-0/0/0.0     down    default          unblocked
ge-0/0/1.0     down    employee-vlan    unblocked
ge-0/0/5.0     down    employee-vlan    unblocked
ge-0/0/3.0     down    employee-vlan    unblocked
ge-0/0/8.0     down    employee-vlan    unblocked
ge-0/0/10.0    down    default          unblocked
ge-0/0/11.0    down    employee-vlan    unblocked
ge-0/0/23.0    down    default          unblocked
ge-0/0/2.0     up      voice-vlan       unblocked
                       data-vlan        unblocked

Meaning
The VLAN members field shows that the ge-0/0/2.0 interface carries both the
data-vlan and voice-vlan VLANs. The State field shows that the interface is up.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907

Defining CoS Forwarding Classes (CLI Procedure) on page 1398

Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Configuring LLDP-MED (CLI Procedure) on page 959

Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication

You can configure voice over IP (VoIP) on an EX Series switch to support IP
telephones.

To configure VoIP on an EX Series switch to support an IP phone that does not support
802.1X authentication, you must either add the MAC address of the phone to the
static MAC bypass list or enable MAC RADIUS authentication on the switch.
This example describes how to configure VoIP on an EX Series switch without 802.1X
authentication using static MAC bypass of authentication:

Requirements on page 927

Overview on page 927

Configuration on page 928

Verification on page 930

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX Series switches

An IP telephone

Before you configure VoIP, be sure you have:

Installed your EX Series switch. See Installing and Connecting an EX3200 or
EX4200 Switch.

Performed the initial switch configuration. See Connecting and Configuring an
EX Series Switch (J-Web Procedure) on page 81.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Configured the RADIUS server for 802.1X authentication and set up the access
profile. See Example: Connecting a RADIUS Server for 802.1X to an EX Series
Switch on page 883.

(Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE
configuration is not necessary if the VoIP supplicant is using a power adapter.
For information about configuring PoE, see Configuring PoE (CLI Procedure)
on page 1479.

NOTE: If the IP address isn't configured on the Avaya IP phone, the phone exchanges
LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure
the voip statement on the interface to designate the interface as a VoIP interface and
allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the
IP telephone. The IP telephone then uses the voice VLAN (that is, it references the
voice VLAN's ID) to send a DHCP discover request and exchange information with
the DHCP server (voice gateway).

Overview
Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX4200 switch is connected
to a non-802.1X IP phone.
To configure VoIP on an EX Series switch to support an IP phone that does not support
802.1X authentication, add the MAC address of the phone as a static entry in the
authenticator database and set the supplicant mode to multiple.
Keep in mind that a static MAC bypass entry trusts the MAC address alone: any
device that presents the phone's MAC address on an 802.1X-enabled interface is
admitted without credentials. Keep the bypass list to the phones that actually need
it. MAC RADIUS authentication, the alternative named above, moves the list of
permitted MAC addresses to the RADIUS server, but it still trusts the MAC address.

Configuration
To configure VoIP without 802.1X authentication:

CLI Quick Configuration
To quickly configure VoIP, copy the following commands and paste them into the
switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator authentication-profile-name auth-profile
set protocols dot1x authenticator static 00:04:f2:11:aa:a7
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Step-by-Step Procedure
To configure VoIP without 802.1X:

1. Configure the VLANs for voice and data:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99

2. Associate the VLAN data-vlan with the interface:
[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0

3. Configure the interface as an access interface, configure support for Ethernet
switching, and add the data-vlan VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access

4. Configure VoIP on the interface and specify the assured-forwarding forwarding
class to provide the most dependable class of service:
[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding

5. Configure LLDP-MED protocol support:
[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0

6. Set the authentication profile (see Configuring 802.1X Interface Settings (CLI
Procedure) on page 943 and Configuring 802.1X RADIUS Accounting (CLI
Procedure) on page 952):
[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name auth-profile

7. Add the MAC address of the phone to the static MAC bypass list:
[edit protocols]
user@switch# set dot1x authenticator static 00:04:f2:11:aa:a7

8. Set the supplicant mode to multiple:
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results
Display the results of the configuration:
[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
protocols {
    lldp-med {
        interface ge-0/0/2.0;
    }
    dot1x {
        authenticator {
            authentication-profile-name auth-profile;
            static {
                00:04:f2:11:aa:a7;
            }
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration on page 930

Verifying Authentication for the Desktop PC on page 931

Verifying the VLAN Association with the Interface on page 932

Verifying LLDP-MED Configuration

Purpose
Verify that LLDP-MED is enabled on the interface.

Action
user@switch> show lldp detail
LLDP                      : Enabled
Advertisement interval    : 30 Second(s)
Transmit delay            : 2 Second(s)
Hold timer                : 2 Second(s)
Config Trap Interval      : 300 Second(s)
Connection Hold timer     : 60 Second(s)
LLDP MED                  : Enabled
MED fast start count      : 3 Packet(s)

Interface      LLDP       LLDP-MED    Neighbor count
all            Enabled    Enabled     0
ge-0/0/2.0     Enabled    Enabled     0

Interface      VLAN-id    VLAN-name
ge-0/0/0.0     0          default
ge-0/0/1.0     0          employee-vlan
ge-0/0/2.0     0          data-vlan
ge-0/0/2.0     99         voice-vlan
ge-0/0/3.0     0          employee-vlan
ge-0/0/8.0     0          employee-vlan
ge-0/0/10.0    0          default
ge-0/0/11.0    20         employee-vlan
ge-0/0/23.0    0          default

LLDP basic TLVs supported:
Chassis identifier, Port identifier, Port description, System name, System
description, System capabilities, Management address.
LLDP 802 TLVs supported:
Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port
VLAN name.
LLDP MED TLVs supported:
LLDP MED capabilities, Network policy, Endpoint location, Extended power
Via MDI.

Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are enabled on
the ge-0/0/2.0 interface and that the interface advertises voice-vlan (VLAN ID 99).
The end of the output lists the LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs
that the switch supports.

Verifying Authentication for the Desktop PC

Purpose
Display the 802.1X configuration for the desktop PC connected to the VoIP interface
through the IP phone.

Action
user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 3588 seconds

Meaning
The Role field shows that ge-0/0/2.0 acts as the authenticator. The Supplicant mode
field shows that the interface is in multiple supplicant mode, so more than one
supplicant can be authenticated on it. The user name, MAC address, and operational
state of each supplicant currently connected are listed at the end of the output.
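The 802.1X verification sections above leave the reader to eyeball the show dot1x interface detail output. The following Python script is an added example, not part of the JUNOS guide: it parses that output and checks it against what a voice port should look like (authenticator role, multiple supplicant mode, reauthentication enabled with an interval no longer than the policy allows, the declared and listed supplicant counts agreeing, and every listed supplicant in the Authenticated state). The sample output is constructed from the fields shown above; the second supplicant (name, MAC address and state) is invented so that the check produces a finding.

```python
"""Check 'show dot1x interface <name> detail' output against the policy
expected on a voice port.

Added example, not part of the JUNOS guide.  The output block below is
constructed from the fields shown in the verification sections of the
guide; the second supplicant is invented to show what a finding looks like.
"""
import re

# Constructed sample output (not captured from a switch).
SAMPLE_OUTPUT = """\
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Reauthentication: Enabled Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Number of connected supplicants: 2
    Supplicant: abc, 00:00:00:00:22:22
      Operational state: Authenticated
      Reauthentication due in 3588 seconds
    Supplicant: guest, 00:00:00:00:33:33
      Operational state: Connecting
"""

# One line of the output carries two "Name: value" fields, so match every
# pair on a line rather than splitting on the first colon only.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(.*?)(?=\s+[A-Z][A-Za-z ]*?:|$)")
SUPPLICANT_RE = re.compile(
    r"^Supplicant:\s*(?P<name>[^,]+),\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$")
REAUTH_DUE_RE = re.compile(r"^Reauthentication due in (\d+) seconds$")


def parse_dot1x_detail(text):
    """Return {'interface': str, 'fields': {name: value}, 'supplicants': [...]}."""
    parsed = {"interface": None, "fields": {}, "supplicants": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if parsed["interface"] is None:
            parsed["interface"] = line      # first line names the logical interface
            continue
        m = SUPPLICANT_RE.match(line)
        if m:
            current = {"name": m.group("name").strip(), "mac": m.group("mac").lower(),
                       "state": None, "reauth_due": None}
            parsed["supplicants"].append(current)
            continue
        if current is not None and line.startswith("Operational state:"):
            current["state"] = line.split(":", 1)[1].strip()
            continue
        m = REAUTH_DUE_RE.match(line)
        if m and current is not None:
            current["reauth_due"] = int(m.group(1))
            continue
        for name, value in FIELD_RE.findall(line):
            parsed["fields"][name.strip()] = value.strip()
    return parsed


def check_voice_port(parsed, expected_mode="Multiple", max_reauth_interval=3600):
    """Return a list of findings; an empty list means the port matches policy."""
    f = parsed["fields"]
    findings = []
    if f.get("Role") != "Authenticator":
        findings.append("interface is not acting as authenticator")
    if f.get("Supplicant mode") != expected_mode:
        findings.append("supplicant mode is %s, expected %s"
                        % (f.get("Supplicant mode"), expected_mode))
    if f.get("Reauthentication") != "Enabled":
        findings.append("reauthentication is disabled")
    else:
        interval = int(f.get("Reauthentication interval", "0 seconds").split()[0])
        if interval > max_reauth_interval:
            findings.append("reauthentication interval %d exceeds %d seconds"
                            % (interval, max_reauth_interval))
    declared = int(f.get("Number of connected supplicants", "0"))
    if declared != len(parsed["supplicants"]):
        findings.append("header declares %d supplicants but %d are listed"
                        % (declared, len(parsed["supplicants"])))
    for s in parsed["supplicants"]:
        if s["state"] != "Authenticated":
            findings.append("%s (%s) is in state %s, not Authenticated"
                            % (s["mac"], s["name"], s["state"]))
    return findings


if __name__ == "__main__":
    report = parse_dot1x_detail(SAMPLE_OUTPUT)
    for finding in check_voice_port(report) or ["port matches policy"]:
        print(report["interface"], finding)
```

Run it against the saved output of the command for each voice port; an empty findings list is the pass condition. The parser keys every field by its printed name, so the same routine can be reused to check the timeouts set in Configuring 802.1X Interface Settings (CLI Procedure).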

Verifying the VLAN Association with the Interface

Purpose
Display the interface state and VLAN membership.

Action
user@switch> show ethernet-switching interfaces
Interface      State   VLAN members     Blocking
ge-0/0/0.0     down    default          unblocked
ge-0/0/1.0     down    employee-vlan    unblocked
ge-0/0/5.0     down    employee-vlan    unblocked
ge-0/0/3.0     down    employee-vlan    unblocked
ge-0/0/8.0     down    employee-vlan    unblocked
ge-0/0/10.0    down    default          unblocked
ge-0/0/11.0    down    employee-vlan    unblocked
ge-0/0/23.0    down    default          unblocked
ge-0/0/2.0     up      voice-vlan       unblocked
                       data-vlan        unblocked

Meaning
The VLAN members field shows that the ge-0/0/2.0 interface carries both the
data-vlan and voice-vlan VLANs. The State field shows that the interface is up.

Related Topics

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 932

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support

You can configure voice over IP (VoIP) on an EX Series switch to support IP
telephones. The Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)
protocol is sometimes used with IP phones to forward VoIP parameters from the
switch to the phone. Not all IP phones support LLDP-MED, however.
This example describes how to configure VoIP on an EX Series switch without
LLDP-MED and without 802.1X:

Requirements on page 933

Overview on page 933

Configuration on page 933

Verification on page 935

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX Series switches.

One EX4200 switch acting as an authenticator port access entity (PAE). The
interfaces on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.

An IP phone that does not support LLDP-MED.

Before you configure VoIP, be sure you have:

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483.

Configured the IP phone as a member of the voice VLAN.

(Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE
configuration is not necessary if the VoIP supplicant is using a power adapter.
See Configuring PoE (CLI Procedure) on page 1479.

Overview
Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
To configure VoIP on an EX Series switch to support an IP phone that does not support
LLDP-MED, add the port to which you want to connect the IP phone as a member
of the voice VLAN and configure the data VLAN as the native VLAN on the EX Series
switch. The phone then sends its traffic tagged with the voice VLAN ID, and the
untagged traffic from a PC connected through the phone lands in the data VLAN, so
the voice traffic and data traffic do not affect each other. Because the port becomes
a trunk, list only the voice VLAN as a member; do not use vlan members all, which
would expose every VLAN on the switch to whatever is plugged into the port.
In this example, the interface ge-0/0/2 on the EX4200 switch is connected to a
non-LLDP-MED IP phone.

NOTE: The implementation of a voice VLAN on an IP telephone is vendor-specific.
Consult the documentation that came with your IP telephone for instructions on
configuring a voice VLAN. For example, on an Avaya phone, you can ensure that the
phone gets the correct VoIP VLAN ID even in the absence of LLDP-MED by enabling
DHCP option 176.

Configuration
To configure VoIP without LLDP-MED or 802.1X authentication:

CLI Quick Configuration
To quickly configure VoIP, copy the following commands and paste them into the
switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan

Step-by-Step Procedure
Configure VoIP:

1. Configure the VLANs for data and voice:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99

2. Configure the VLAN data-vlan on the interface:
[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0

3. Configure VoIP on the interface and specify the assured-forwarding forwarding
class to provide the most dependable class of service:
[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding

4. Add the interface as a member of the voice VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan

5. Configure the interface as a trunk interface (native-vlan-id applies only to trunk
interfaces, and the Results block below shows port-mode trunk) and make data-vlan
its native VLAN, so that untagged traffic from the PC behind the phone lands in the
data VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan

Results
Display the results of the configuration:
[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members voice-vlan;
                }
                native-vlan-id data-vlan;
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}

Verification
To confirm that the configuration is working properly, perform the following task:

Verifying the VLAN Association With the Interface on page 935

Verifying the VLAN Association With the Interface

Purpose
Display the interface state and VLAN membership.

Action
user@switch> show ethernet-switching interfaces
Interface      State   VLAN members     Blocking
ge-0/0/0.0     down    default          unblocked
ge-0/0/1.0     down    employee-vlan    unblocked
ge-0/0/5.0     down    employee-vlan    unblocked
ge-0/0/3.0     down    employee-vlan    unblocked
ge-0/0/8.0     down    employee-vlan    unblocked
ge-0/0/10.0    down    default          unblocked
ge-0/0/11.0    down    employee-vlan    unblocked
ge-0/0/23.0    down    default          unblocked
ge-0/0/2.0     up      voice-vlan       unblocked
                       data-vlan        unblocked

Meaning
The VLAN members field shows that the ge-0/0/2.0 interface carries both the
data-vlan and voice-vlan VLANs. The State field shows that the interface is up.

Related Topics

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 926

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication

On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X
or MAC RADIUS authentication are dynamically combined with the per-user policies
sent to the switch from the RADIUS server. The switch uses internal logic to
dynamically combine the interface firewall filter with the user policies from the
RADIUS server and create an individualized policy for each of the multiple users or
nonresponsive hosts that are authenticated on the interface.
This example describes how dynamic firewall filters are created for multiple
supplicants on an 802.1X-enabled interface (the same principles shown in this
example apply to interfaces enabled for MAC RADIUS authentication):

Requirements on page 936

Overview and Topology on page 937

Configuration on page 938

Verification on page 940

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.5 or later for EX Series switches

One EX Series switch

One RADIUS authentication server. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have
permission to connect to the network.

Before you apply firewall filters to an interface for use with multiple supplicants, be
sure you have:

Set up a connection between the switch and the RADIUS server. See Example:
Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883.

Configured 802.1X authentication on the switch, with the authentication mode
for interface ge-0/0/2 set to multiple. See Configuring 802.1X Interface Settings
(CLI Procedure) on page 943 and Example: Setting Up 802.1X for Single
Supplicant or Multiple Supplicant Configurations on an EX Series Switch on
page 907.

Configured users on the RADIUS authentication server.

Overview and Topology

When the 802.1X configuration on an interface is set to multiple supplicant mode,
the system dynamically combines the interface firewall filter with the user policies sent
to the switch from the RADIUS server during authentication and creates separate
terms for each user. Because there are separate terms for each user authenticated
on the interface, you can, as shown in this example, use counters to view the activities
of individual users that are authenticated on the same interface.

NOTE: Policers are not supported in the terms of dynamic firewall filters for multiple
supplicants on 802.1X-enabled interfaces.

When a new user (or a nonresponsive host) is authenticated on an interface, the
system adds a term to the firewall filter associated with the interface, and the term
(policy) for each user is associated with the MAC address of the user. The term for
each user is based on the user-specific filters set on the RADIUS server and the filters
configured on the interface. For example, as shown in Figure 55 on page 937, when
User1 is authenticated by the EX Series switch, the system creates the firewall filter
dynamic-filter-example. When User2 is authenticated, another term is added to the
firewall filter, and so on.

Figure 55: Conceptual Model: Dynamic Filter Updated for Each New User

This is a conceptual model of the internal process; you cannot access or view the
dynamic filter.

NOTE: If the firewall filter on the interface is modified after the user (or nonresponsive
host) is authenticated, the modifications are not reflected in the dynamic filter unless
the user is reauthenticated.

In this example, you configure a firewall filter to count the packets sent by each
endpoint authenticated on interface ge-0/0/2 to the file server, which is located on
subnet 192.0.2.16/28. Figure 56 on page 938 shows the network topology for this
example.

Figure 56: Multiple Supplicants on an 802.1X-Enabled Interface Connecting to a File
Server

Configuration
To configure firewall filters for multiple supplicants on 802.1X-enabled interfaces:

Configuring Firewall Filters on Interfaces with Multiple Supplicants on page 938

Configuring Firewall Filters on Interfaces with Multiple Supplicants

CLI Quick Configuration
To quickly configure firewall filters on an interface enabled for multiple supplicants,
copy the following commands and paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator interface ge-0/0/2 supplicant multiple
set firewall family ethernet-switching filter filter1 term term1 from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter filter1 term term1 then count counter1

Step-by-Step Procedure
To configure firewall filters on an interface enabled for multiple supplicants:

1. Configure interface ge-0/0/2 for multiple supplicant mode authentication:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/2 supplicant multiple

2. Configure a firewall filter to count packets from each user. As each new user is
authenticated on this multiple supplicant interface, this filter term will be included
in the dynamically created term for the user:
[edit firewall family ethernet-switching]
user@switch# set filter filter1 term term1 from destination-address 192.0.2.16/28
user@switch# set filter filter1 term term1 then count counter1

NOTE: A filter defined under [edit firewall] is not consulted until it is applied to an
interface. This example does not show that statement; on EX Series switches a port
firewall filter is applied with set interfaces ge-0/0/2 unit 0 family ethernet-switching
filter input filter1. Without that binding, filter1 is defined but unused.

Results
Check the results of the configuration:
user@switch> show configuration
firewall {
    family ethernet-switching {
        filter filter1 {
            term term1 {
                from {
                    destination-address {
                        192.0.2.16/28;
                    }
                }
                then count counter1;
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            interface ge-0/0/2 {
                supplicant multiple;
            }
        }
    }
}


Verification
To confirm that the configuration is working proper, perform these tasks:

Verifying Firewall Filters on Interfaces with Multiple Supplicants on page 940

Verifying Firewall Filters on Interfaces with Multiple Supplicants

Purpose
Verify that firewall filters are functioning on the interface with multiple supplicants.

Action
1. Check the results with one user authenticated on the interface. In this case, the
user is authenticated on ge-0/0/2:
user@switch> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100

2. When a second user, User2, is authenticated on the same interface, ge-0/0/2,
you can verify that the filter includes the results for both of the users authenticated
on the interface:
user@switch> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
counter1_dot1x_ge-0/0/2_user2 400

Meaning
The results displayed by the show dot1x firewall output reflect the dynamic filter
created with the authentication of each new user. Each line is a per-user copy of
counter1 and counts packets, not sessions: 100 packets from User1 and 400 packets
from User2 matched the destination address of the file server. Because each dynamic
term is keyed to the supplicant's MAC address, the counts follow the MAC address
that authenticated as that user.

Related Topics

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using
RADIUS Server Attributes on an EX Series Switch on page 913

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953
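The dynamic filter itself cannot be displayed, so the practical way to use the per-user counters from the example above for monitoring is to sample show dot1x firewall periodically and compare samples. The following Python script is an added example, not part of the JUNOS guide: it parses two snapshots of that output, using the counter naming pattern shown above (counter_dot1x_interface_user), computes the packets each user sent to the file server between the samples, and flags users whose delta exceeds a threshold. Both snapshots are constructed; user3 and the values at the second sample are invented.

```python
"""Diff two snapshots of 'show dot1x firewall' into per-user packet deltas.

Added example, not part of the JUNOS guide.  Counter names follow the
pattern shown in the guide's verification output,
<counter>_dot1x_<interface>_<user>.  Both snapshots are constructed.
"""
import re

SNAPSHOT_T0 = """\
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1                100
counter1_dot1x_ge-0/0/2_user2                400
"""

SNAPSHOT_T1 = """\
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1                130
counter1_dot1x_ge-0/0/2_user2               9400
counter1_dot1x_ge-0/0/2_user3                 12
"""

# The interface part may contain '-' and '/'; the user part is taken to be
# the last '_'-separated token (user names containing '_' would need a
# stricter split than this).
COUNTER_RE = re.compile(
    r"^(?P<counter>[^_\s]+)_dot1x_(?P<ifc>\S+?)_(?P<user>[^_\s]+)\s+(?P<value>\d+)$")


def parse_dot1x_firewall(text):
    """Map (interface, user, counter) -> packet count."""
    counts = {}
    for raw in text.splitlines():
        m = COUNTER_RE.match(raw.strip())
        if m:
            key = (m.group("ifc"), m.group("user"), m.group("counter"))
            counts[key] = int(m.group("value"))
    return counts


def counter_deltas(before, after):
    """Packets counted between two samples.

    A user absent from the first sample appeared since then, so the whole
    count is attributed to the interval.  A count that went down means the
    counter was reset (for example the user reauthenticated and the dynamic
    term was rebuilt), so the new count is used as the delta.
    """
    deltas = {}
    for key, now in after.items():
        earlier = before.get(key, 0)
        deltas[key] = now - earlier if now >= earlier else now
    return deltas


def flag_users(deltas, threshold):
    """(interface, user) pairs whose packets in the interval exceed threshold."""
    return sorted({(ifc, user) for (ifc, user, _counter), d in deltas.items()
                   if d > threshold})


if __name__ == "__main__":
    deltas = counter_deltas(parse_dot1x_firewall(SNAPSHOT_T0),
                            parse_dot1x_firewall(SNAPSHOT_T1))
    for (ifc, user, counter), d in sorted(deltas.items()):
        print("%s %s %s +%d" % (ifc, user, counter, d))
    print("over threshold:", flag_users(deltas, 1000))
```

Feed it the saved output of two consecutive runs of the command; the threshold is a matter of what the file server normally sees per sampling interval, and the (interface, user) pairs it returns are the ones worth a closer look. Users that disappear between samples (their dynamic term was removed) simply have no delta.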

Chapter 51

Configuring Access Control

Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure) on page 942

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Configuring 802.1X Authentication (J-Web Procedure) on page 944

Configuring Static MAC Bypass of Authentication (CLI Procedure) on page 947

Configuring MAC RADIUS Authentication (CLI Procedure) on page 948

Configuring Server Fail Fallback (CLI Procedure) on page 950

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953

Configuring LLDP (CLI Procedure) on page 957

Configuring LLDP (J-Web Procedure) on page 958

Configuring LLDP-MED (CLI Procedure) on page 959

VSA Match Conditions and Actions for EX Series Switches on page 960

Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure)

IEEE 802.1X and MAC RADIUS authentication both provide network edge security,
protecting Ethernet LANs from unauthorized user access by blocking all traffic to
and from devices at the interface until the supplicant's credentials or MAC address
are presented and matched on the authentication server (a RADIUS server). When
the supplicant is authenticated, the switch stops blocking access and opens the
interface to the supplicant.
To use 802.1X or MAC RADIUS authentication, you must specify the connections on
the switch for each RADIUS server to which you will connect.
To configure a RADIUS server on the switch:

1. Define the IP address of the RADIUS server, the RADIUS server authentication
port number, and the shared secret. You can define more than one RADIUS
server. The shared secret on the switch must match the shared secret configured
for this client on the server:
[edit access]
user@switch# set radius-server 10.0.0.100 port 1812 secret abc

NOTE: Specifying the authentication port is optional, and port 1812 is the default.
However, we recommend that you configure it in order to avoid confusion as some
RADIUS servers might refer to an older default (UDP port 1645).

NOTE: The shared secret is all that ties the switch to its RADIUS server: it keys the
hiding of the user password in Access-Request messages and the authenticator the
switch checks on the server's replies. The value abc is shown here only to keep the
example short; use a long random secret in production, and give each RADIUS client
its own.

2. (Optional) Specify the source IP address from which RADIUS requests are sent,
which is the address by which the RADIUS server identifies the switch. If you do
not specify it, a request carries the address of whichever interface sends it. We
recommend that you specify this address, because if a request is diverted over an
alternate route to the RADIUS server, the outgoing interface, and with it the source
address, can change, and a RADIUS server that does not know that address as a
client drops the request:
[edit access]
user@switch# set radius-server 10.0.0.100 source-address 10.93.14.100

3. Configure the authentication order for the access profile, making radius the
first method of authentication:
[edit access]
user@switch# set profile atlanta authentication-order radius

4. In the same profile, specify the list of RADIUS servers to be associated with it.
For example, you might choose to group your RADIUS servers geographically by
city. This makes it easy to change to a different set of authentication servers
later:
[edit access profile]
user@switch# set atlanta radius authentication-server 10.0.0.100 10.2.14.200

5. Specify the group of servers to be used for 802.1X or MAC RADIUS authentication
by identifying the profile name:
[edit protocols dot1x]
user@switch# set authenticator authentication-profile-name atlanta
6. Configure the IP address of the EX Series switch in the list of clients on the
RADIUS server, with the same shared secret. For specifics on configuring the RADIUS
server, consult the documentation for your server.

Related Topics

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Configuring 802.1X Authentication (J-Web Procedure) on page 944

Configuring MAC RADIUS Authentication (CLI Procedure) on page 948

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952
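The procedure above configures a shared secret on both ends but does not say what the secret actually does on the wire. The following Python script is an added example, not part of the JUNOS guide and not Juniper's implementation: it models the RADIUS exchange of RFC 2865 that the switch (the RADIUS client) and the server perform. The client hides the user password with MD5(secret || Request Authenticator), the server answers with a Response Authenticator computed over the reply and the secret, and the client verifies it. The last function shows why the value abc used above is unsafe: one captured request/reply pair lets anyone test candidate secrets offline. The user name, password, NAS address and candidate list are illustrative.

```python
"""RADIUS Access-Request / Access-Accept authenticators (RFC 2865) and an
offline guess of a weak shared secret from one captured exchange.

Added example, not part of the JUNOS guide and not Juniper's code.  The
user name, password, NAS address and secret are illustrative.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 section 5.2: XOR 16-byte chunks with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_password(secret, request_auth, hidden):
    """Server side of section 5.2: undo hide_password and strip the padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, user, password, nas_ip, request_auth=None):
    """Client side: Code, Identifier, Length, Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(secret, code, ident, attrs, request_auth):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(secret, request, attrs=b""):
    """Server side: answer a request, binding the reply to its Request Authenticator."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(secret, ACCESS_ACCEPT, ident, attrs, request_auth)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(secret, request, response):
    """Client side: accept the reply only if identifier and authenticator match."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(secret, code, ident, response[20:length], request[4:20])
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])


def crack_secret(request, response, candidates):
    """Offline guess of the shared secret from one captured request/reply pair."""
    for candidate in candidates:
        if verify_response(candidate, request, response):
            return candidate
    return None


if __name__ == "__main__":
    secret = b"abc"                      # the weak secret from the procedure above
    req = build_access_request(secret, 7, b"abc", b"correct horse battery", "10.93.14.100")
    resp = build_access_accept(secret, req)
    print("reply verifies with the right secret:", verify_response(secret, req, resp))
    print("captured pair yields the secret:", crack_secret(req, resp, [b"radius", b"juniper", b"abc"]))
```

The same check that lets the switch reject a forged Access-Accept is what an attacker runs against a candidate list, so the only defence in plain RADIUS is the entropy of the secret and keeping the switch-to-server path off untrusted segments.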

Configuring 802.1X Interface Settings (CLI Procedure)

IEEE 802.1X authentication provides network edge security, protecting Ethernet
LANs from unauthorized user access by blocking all traffic to and from a supplicant
(client) at the interface until the supplicant's credentials are presented and matched
on the authentication server (a RADIUS server). When the supplicant is authenticated,
the switch stops blocking access and opens the interface to the supplicant.

NOTE: You can also specify an 802.1X exclusion list of supplicants that can bypass
authentication and be automatically connected to the LAN. See
Configuring Static MAC Bypass of Authentication (CLI Procedure) on page 947.

Before you begin, specify the RADIUS server or servers to be used as the
authentication server. See Specifying RADIUS Server Connections on an EX Series
Switch (CLI Procedure) on page 942.
To configure 802.1X on an interface:

1. Configure the supplicant mode as single (authenticates the first supplicant; any
device that connects to the interface afterwards is admitted without being
authenticated, so use this mode only where a single host is attached), single-secure
(authenticates only one supplicant and admits no other), or multiple (authenticates
every supplicant individually):
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 supplicant multiple

2. Enable reauthentication and specify the reauthentication interval, in seconds:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 reauthentication interval 5

3. Configure the interface timeout value, in seconds, for the response from the
supplicant:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 supplicant-timeout 5

4. Configure the timeout, in seconds, for the interface before it resends an
authentication request to the RADIUS server:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 server-timeout 5

5. Configure how long, in seconds, the interface waits before retransmitting the
initial EAPOL PDUs to the supplicant:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 transmit-period 60

6. Configure the maximum number of times an EAPOL request packet is
retransmitted to the supplicant before the authentication session times out:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 maximum-requests 5

Related Topics

Configuring 802.1X Authentication (J-Web Procedure) on page 944

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Monitoring 802.1X Authentication on page 963

Verifying 802.1X Authentication on page 964

Configuring LLDP (CLI Procedure) on page 957

Understanding 802.1X Authentication on EX Series Switches on page 867

Chapter 51: Configuring Access Control

Configuring 802.1X Authentication (J-Web Procedure)

To configure 802.1X settings using the J-Web interface:

1. From the Configure menu, select Security > 802.1X.

   The 802.1X screen displays a list of interfaces, whether 802.1X security has been
   enabled, and the assigned port role.

   When you select a particular interface, the Details section displays 802.1X details
   for the selected interface.

2. Click one:

   - RADIUS Servers: Specifies the RADIUS server to be used for authentication.
     Select the check box to select the required server. Click Add or Edit to add
     or modify the RADIUS server settings. Enter information as specified in Table
     125 on page 945.

   - Exclusion List: Excludes hosts from the 802.1X authentication list by
     specifying the MAC address. Click Add or Edit in the Exclusion list screen to
     include or modify the MAC addresses. Enter information as specified in Table
     126 on page 945.

   - Edit: Specifies 802.1X settings for the selected interface.

     - Apply 802.1X Profile: Applies a predefined 802.1X profile based on
       the port role. If a message appears asking if you want to configure a
       RADIUS server, click Yes.

     - 802.1X Configuration: Configures custom 802.1X settings for the
       selected interface. If a message appears asking if you want to configure
       a RADIUS server, click Yes. Enter information as specified in Table 125
       on page 945. To configure 802.1X settings, enter information as specified
       in Table 127 on page 946.

   - Delete: Deletes the 802.1X authentication configuration on the selected interface.

Table 125: RADIUS Server Settings

IP Address
    Function: Specifies the IP address of the server.
    Your Action: Enter the IP address in dotted decimal notation.

Password
    Function: Specifies the login password.
    Your Action: Enter the password.

Confirm Password
    Function: Verifies the login password for the server.
    Your Action: Reenter the password.

Server Port Number
    Function: Specifies the port with which the server is associated.
    Your Action: Type the port number.

Source Address
    Function: Specifies the source address the switch uses to communicate with the server.
    Your Action: Type the IP address in dotted decimal notation.

Retry Attempts
    Function: Specifies the number of login retries allowed after a login failure.
    Your Action: Type the number.

Timeout
    Function: Specifies the time interval to wait before the connection to the server is closed.
    Your Action: Type the interval in seconds.

Table 126: 802.1X Exclusion List

MAC Address
    Function: Specifies the MAC address to be excluded from 802.1X authentication.
    Your Action: Enter the MAC address.

Exclude if connected through the port
    Function: Specifies that the host can bypass authentication if it is connected
    through a particular interface.
    Your Action: Select to enable the option. Select the port through which the host
    is connected.

Move the host to the VLAN
    Function: Specifies moving the host to a specific VLAN once the host is authenticated.
    Your Action: Select to enable the option. Select the VLAN from the list.

Table 127: 802.1X Port Settings

Supplicant Mode
    Function: Specifies the mode to be adopted for supplicants:
    - Single allows only one host for authentication.
    - Multiple allows multiple hosts for authentication. Each host is checked before
      being admitted to the network.
    - Single authentication for multiple hosts allows multiple hosts, but only the
      first is authenticated.
    Your Action: Select the required mode.

Authentication: Enable re-authentication
    Function: Specifies enabling reauthentication on the selected interface.
    Your Action:
    1. Select to enable reauthentication.
    2. Enter the timeout for reauthentication in seconds.

Action on authentication failure
    Function: Specifies the action to be taken in case of an authentication failure.
    Your Action: Select one:
    - Move to the Guest VLAN: Select the VLAN to move the interface to.
    - Deny: The host is not permitted access.

Timeouts
    Function: Specifies timeout values for each action.
    Your Action: Enter the value in seconds for:
    - Port waiting time after an authentication failure
    - EAPOL re-transmitting interval
    - Max. EAPOL requests (maximum number of retries)
    - Port timeout value for the response from the supplicant
    - Port timeout value for the response from the RADIUS server

Related Topics

- Configuring 802.1X Interface Settings (CLI Procedure) on page 943
- Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
- Understanding 802.1X Authentication on EX Series Switches on page 867

Configuring Static MAC Bypass of Authentication (CLI Procedure)

You can configure a static MAC bypass list (sometimes called the exclusion list) on
the switch to specify MAC addresses of devices allowed access to the LAN without
802.1X or MAC RADIUS authentication requests to the RADIUS server.

To configure the static MAC bypass list:

- Specify a MAC address to bypass authentication:

  [edit protocols dot1x]
  user@switch# set authenticator static 00:04:0f:fd:ac:fe

- Configure a supplicant to bypass authentication if connected through a particular
  interface:

  [edit protocols dot1x]
  user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5

- Configure a supplicant to be moved to a specific VLAN after it is authenticated:

  [edit protocols dot1x]
  user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5 vlan-assignment default-vlan

Related Topics

- Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897
- Configuring 802.1X Interface Settings (CLI Procedure) on page 943
- Configuring 802.1X Authentication (J-Web Procedure) on page 944
Configuring MAC RADIUS Authentication (CLI Procedure)

You can permit LAN access to devices that are not 802.1X-enabled by configuring MAC
RADIUS authentication on the EX Series switch interfaces to which the hosts are
connected.

NOTE: You can also allow non-802.1X-enabled devices to access the LAN by
configuring their MAC address for static MAC bypass of authentication.

You can configure MAC RADIUS authentication on an interface that also allows 802.1X
authentication, or you can configure either authentication method alone.

If both MAC RADIUS and 802.1X authentication are enabled on the interface, the
switch first sends three EAPOL requests to the host. If there is no response
from the host, the switch sends the host's MAC address to the RADIUS server to
check whether it is a permitted MAC address. If the MAC address is configured as
permitted on the RADIUS server, the RADIUS server sends a message to the switch
that the MAC address is a permitted address, and the switch opens LAN access to
the nonresponsive host on the interface to which it is connected.

If MAC RADIUS authentication is configured on the interface but 802.1X authentication
is not (by using the mac-radius restrict option), the switch attempts to authenticate
the MAC address with the RADIUS server immediately, without the delay of attempting
802.1X authentication first.

Before you configure MAC RADIUS authentication, be sure you have:

- Configured basic access between the EX Series switch and the RADIUS server.
  See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch
  on page 883.

To configure MAC RADIUS authentication using the CLI:

- On the switch, configure the interfaces to which the nonresponsive hosts are
  attached for MAC RADIUS authentication, and add the restrict qualifier for
  interface ge-0/0/20 to have it use only MAC RADIUS authentication:

  [edit]
  user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius
  user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict

- On a RADIUS authentication server, create user profiles for each nonresponsive
  host using the MAC address (without colons) of the nonresponsive host as the
  username and password (here, the MAC addresses are 00:04:0f:fd:ac:fe and
  00:04:ae:cd:23:5f):

  [root@freeradius]# cd /etc/raddb
  [root@freeradius raddb]# vi users
  00040ffdacfe Auth-Type := Local, User-Password == "00040ffdacfe"
  0004aecd235f Auth-Type := Local, User-Password == "0004aecd235f"

Related Topics

- Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 902
- Verifying 802.1X Authentication on page 964
- Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Configuring Server Fail Fallback (CLI Procedure)

Server fail fallback allows you to specify how 802.1X supplicants connected to the
switch are supported if the RADIUS authentication server becomes unavailable or
sends an Extensible Authentication Protocol Over LAN (EAPOL) Access-Reject
message.

802.1X user authentication works by using an authenticator port access entity (the
EX Series switch) to block all traffic to and from a supplicant (client) at the interface
until the supplicant's credentials are presented and matched on the authentication
server (a RADIUS server). When the supplicant has been authenticated, the switch
stops blocking and opens the interface to the supplicant.

When you set up 802.1X authentication on the switch, you specify a primary
authentication server and one or more backup authentication servers. If the primary
authentication server cannot be reached by the switch and the secondary
authentication servers are also unreachable, a RADIUS server timeout occurs. Since
the authentication server grants or denies access to the supplicants awaiting
authentication, the switch does not receive access instructions for supplicants
attempting access to the LAN and normal 802.1X authentication cannot be completed.
Server fail fallback allows you to configure authentication alternatives that permit
the switch to take appropriate actions towards supplicants awaiting authentication
or reauthentication.

To configure basic server fail fallback options using the CLI:

- Configure an interface to allow traffic to flow from a supplicant to the LAN if a
  RADIUS server timeout occurs (as if the supplicant had been successfully
  authenticated by a RADIUS server):

  [edit protocols dot1x authenticator]
  user@switch# set interface ge-0/0/1 server-fail permit

- Configure an interface to prevent traffic flow from a supplicant to the LAN (as if
  the supplicant had failed authentication and had been rejected by the RADIUS
  server):

  [edit protocols dot1x authenticator]
  user@switch# set interface ge-0/0/1 server-fail deny

- Configure an interface to move a supplicant to a specified VLAN if a RADIUS
  server timeout occurs (in this case, the VLAN name is vlan1):

  [edit protocols dot1x authenticator]
  user@switch# set interface ge-0/0/1 server-fail vlan-name vlan1

- Configure an interface to recognize already connected supplicants as
  reauthenticated if there is a RADIUS timeout during reauthentication (new users
  will be denied access):

  [edit protocols dot1x authenticator]
  user@switch# set interface ge-0/0/1 server-fail use-cache

- Configure an interface that receives an EAPOL Access-Reject message from the
  authentication server to move supplicants attempting LAN access on the interface
  to a specified VLAN already configured on the switch (in this case, the VLAN
  name is vlan-sf):

  [edit protocols dot1x authenticator]
  user@switch# set interface ge-0/0/1 server-reject-vlan vlan-sf

Related Topics

- Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch on page 888
- Configuring 802.1X Authentication (J-Web Procedure) on page 944
- Configuring 802.1X Interface Settings (CLI Procedure) on page 943
- Monitoring 802.1X Authentication on page 963
- Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873

Configuring 802.1X RADIUS Accounting (CLI Procedure)

RADIUS accounting permits statistical data about users logging onto or off a LAN to
be collected and sent to a RADIUS accounting server. The statistical data gathered
can be used for general network monitoring, to analyze and track usage patterns, or
to bill a user based upon the amount of time or type of services accessed.

To configure basic RADIUS accounting using the CLI:

1. Specify the accounting servers to which the switch will forward accounting
   statistics:

   [edit access]
   user@switch# set profile profile1 radius accounting-server [122.69.1.250 122.69.1.252]

2. Define the RADIUS accounting servers:

   [edit access]
   user@switch# set radius-server 122.69.1.250 secret juniper
   user@switch# set radius-server 122.69.1.252 secret juniper1

3. Enable accounting for an access profile:

   [edit access]
   user@switch# set profile profile1 accounting

4. Configure the RADIUS servers to use while sending accounting messages and
   updates:

   [edit access]
   user@switch# set profile profile1 accounting order radius none

5. Configure the statistics to be collected on the switch and forwarded to the
   accounting server:

   [edit access]
   user@switch# set profile profile1 accounting accounting-stop-on-access-deny
   user@switch# set profile profile1 accounting accounting-stop-on-failure

6. Display accounting statistics collected on the switch:

   user@switch> show network-access aaa statistics accounting
   Accounting module statistics
       Requests received: 1
       Accounting Response failures: 0
       Accounting Response Success: 1
       Requests timedout: 0

7. Open an accounting log on the RADIUS accounting server using the server's
   address, and view accounting statistics:

   [root@freeradius]# cd /usr/local/var/log/radius/radacct/122.69.1.250
   [root@freeradius 122.69.1.250]# ls
   detail-20071214
   [root@freeradius 122.69.1.250]# vi detail-20071214

   User-Name = "000347e1bab9"
   NAS-Port = 67
   Acct-Status-Type = Stop
   Acct-Session-Id = "8O2.1x811912"
   Acct-Input-Octets = 17454
   Acct-Output-Octets = 4245
   Acct-Session-Time = 1221041249
   Acct-Input-Packets = 72
   Acct-Output-Packets = 53
   Acct-Terminate-Cause = Lost-Carrier
   Acct-Input-Gigawords = 0
   Acct-Output-Gigawords = 0
   Called-Station-Id = "00-19-e2-50-52-60"
   Calling-Station-Id = "00-03-47-e1-ba-b9"
   Event-Timestamp = "Sep 10 2008 16:52:39 PDT"
   NAS-Identifier = "esp48t-1b-01"
   NAS-Port-Type = Virtual

   User-Name = "000347e1bab9"
   NAS-Port = 67
   Acct-Status-Type = Start
   Acct-Session-Id = "8O2.1x811219"
   Called-Station-Id = "00-19-e2-50-52-60"
   Calling-Station-Id = "00-03-47-e1-ba-b9"
   Event-Timestamp = "Sep 10 2008 18:58:52 PDT"
   NAS-Identifier = "esp48t-1b-01"
   NAS-Port-Type = Virtual
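The detail records shown above, as an added example that is not Juniper's or FreeRADIUS's code: a Python reader that parses a FreeRADIUS detail file, pairs Start and Stop records by Acct-Session-Id, folds the Gigawords counters into byte totals and flags a Stop whose Start is missing. The sample records are constructed in the detail-file layout (a timestamp header line, tab-indented attributes) with identifiers modelled on the records above.

```python
"""Parse FreeRADIUS detail-file accounting records like the ones above and
pair Start/Stop records per session. Added example: this is neither Juniper
nor FreeRADIUS code, and DETAIL_SAMPLE is constructed for it."""
import re
from collections import defaultdict

# Constructed sample in detail-file layout: a timestamp header line, tab-indented
# "Attribute = Value" pairs, and a blank line between records. Identifiers are
# modelled on the records shown above; the Stop record's Gigawords value is set
# to 1 to show the 32-bit counter wrap that Acct-*-Gigawords carries.
DETAIL_SAMPLE = """\
Wed Sep 10 16:52:39 2008
\tUser-Name = "000347e1bab9"
\tNAS-Port = 67
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "8O2.1x811912"
\tAcct-Input-Octets = 17454
\tAcct-Output-Octets = 4245
\tAcct-Session-Time = 3600
\tAcct-Terminate-Cause = Lost-Carrier
\tAcct-Input-Gigawords = 1
\tAcct-Output-Gigawords = 0
\tCalled-Station-Id = "00-19-e2-50-52-60"
\tCalling-Station-Id = "00-03-47-e1-ba-b9"
\tNAS-Identifier = "esp48t-1b-01"
\tNAS-Port-Type = Virtual

Wed Sep 10 18:58:52 2008
\tUser-Name = "000347e1bab9"
\tNAS-Port = 67
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8O2.1x811219"
\tCalled-Station-Id = "00-19-e2-50-52-60"
\tCalling-Station-Id = "00-03-47-e1-ba-b9"
\tNAS-Identifier = "esp48t-1b-01"
\tNAS-Port-Type = Virtual
"""

ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse_detail(text):
    """Split a detail file on blank lines; return one {attribute: value} dict per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = ATTR_RE.match(line)  # the timestamp header has no '=' and is skipped
            if m:
                value = m.group(2)
                if value.startswith('"') and value.endswith('"'):
                    value = value[1:-1]  # quoted string; keeps all-digit MAC usernames intact
                elif value.isdigit():
                    value = int(value)   # unquoted integer attribute
                rec[m.group(1)] = value
        if rec:
            records.append(rec)
    return records


def total_octets(rec, direction):
    """Combine Acct-<dir>-Octets with Acct-<dir>-Gigawords (one gigaword = 2**32 octets)."""
    return rec.get(f"Acct-{direction}-Gigawords", 0) * 2**32 + rec.get(f"Acct-{direction}-Octets", 0)


def is_mac_radius_user(rec):
    """True when User-Name is the client MAC without separators, the form MAC RADIUS uses."""
    mac = re.sub(r"[:-]", "", str(rec.get("Calling-Station-Id", ""))).lower()
    return bool(mac) and str(rec.get("User-Name", "")).lower() == mac


def summarize_sessions(records):
    """Pair Start and Stop records by Acct-Session-Id; one summary dict per session."""
    by_id = defaultdict(dict)
    for rec in records:
        by_id[rec["Acct-Session-Id"]][rec["Acct-Status-Type"]] = rec
    summaries = []
    for sid, parts in sorted(by_id.items()):
        start, stop = parts.get("Start"), parts.get("Stop")
        ref = stop or start
        # Start without Stop: session still open. Stop without Start: the Start was
        # written to an earlier detail file (or lost), so flag it for review.
        state = "open" if stop is None else ("closed" if start else "stop-only")
        summaries.append({
            "session": sid, "user": ref["User-Name"], "nas": ref["NAS-Identifier"],
            "client_mac": ref["Calling-Station-Id"], "mac_radius": is_mac_radius_user(ref),
            "state": state,
            "in_bytes": total_octets(stop, "Input") if stop else None,
            "out_bytes": total_octets(stop, "Output") if stop else None,
            "seconds": stop.get("Acct-Session-Time") if stop else None,
            "cause": stop.get("Acct-Terminate-Cause") if stop else None,
        })
    return summaries


if __name__ == "__main__":
    for summary in summarize_sessions(parse_detail(DETAIL_SAMPLE)):
        print(summary)
```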

Related Topics

- Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883
- Understanding 802.1X and RADIUS Accounting on EX Series Switches on page 876

Filtering 802.1X Supplicants Using RADIUS Server Attributes

There are two ways to configure the RADIUS server with port firewall filters:

- Include a match statement and corresponding action in the Juniper-Firewall-Filter
  attribute. The Juniper-Firewall-Filter attribute is a vendor-specific attribute (VSA)
  in the Juniper dictionary on the RADIUS server. Use this attribute to configure
  simple filter conditions for authenticated users. Nothing needs to be configured
  on the switch; all of the configuration is on the RADIUS server.

- Apply a local firewall filter to users authenticated through the RADIUS server.
  Use this method for more complex filters. The firewall filter must be configured
  on each switch.

This example describes using FreeRADIUS software to configure VSAs. For specifics
on configuring your server, consult the AAA documentation that was included with
your server.

This topic includes the following tasks:

1. Configuring Match Statements on the RADIUS Server on page 954
2. Applying a Port Firewall Filter from the RADIUS Server on page 956

Configuring Match Statements on the RADIUS Server

You can configure simple filter conditions using the Juniper-Switching-Filter attribute
in the Juniper dictionary on the RADIUS server. These filters are then sent to a switch
whenever a new user is authenticated successfully. The filters are created and applied
on all EX Series switches that authenticate users through that RADIUS server without
the need to configure anything on each individual switch.

To configure the Juniper-Switching-Filter attribute, enter one or more match conditions
and a resulting action using the CLI for the RADIUS server. Enter the match statement
plus an action statement enclosed within quotes (" ") using the following syntax:

match <destination-mac mac-address> <source-vlan vlan-name> <source-dot1q-tag tag>
  <destination-ip ip-address> <ip-protocol protocol-id> <source-port port>
  <destination-port port>
action [allow | deny] <forwarding-class class-of-service> <loss-priority (low | medium | high)>

See VSA Match Conditions and Actions for EX Series Switches on page 960 for
definitions of match statement options.
To configure match conditions on the RADIUS server:

1. Verify that the Juniper dictionary is loaded on your RADIUS server and includes
   the filtering attribute Juniper-Switching-Filter, attribute ID 48:

   [root@freeradius]# cat /usr/local/share/freeradius/dictionary.juniper
   # dictionary.juniper
   #
   # Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
   #
   VENDOR          Juniper                         2636
   BEGIN-VENDOR    Juniper
   ATTRIBUTE       Juniper-Local-User-Name         1       string
   ATTRIBUTE       Juniper-Allow-Commands          2       string
   ATTRIBUTE       Juniper-Deny-Commands           3       string
   ATTRIBUTE       Juniper-Allow-Configuration     4       string
   ATTRIBUTE       Juniper-Deny-Configuration      5       string
   ATTRIBUTE       Juniper-Switching-Filter        48      string

2. Enter the match conditions and actions. For example:

   - To deny authentication based on the 802.1Q tag (here, the 802.1Q tag is 10):

     [root@freeradius]# cd /usr/local/etc/raddb
     [root@freeradius raddb]# vi users

     For each relevant user, add the Juniper-Switching-Filter attribute:

     Juniper-Switching-Filter = "match source-dot1q-tag 10 action deny"

   - To deny access based on a destination IP address:

     [root@freeradius]# cd /usr/local/etc/raddb
     [root@freeradius raddb]# vi users

     For each relevant user, add the Juniper-Switching-Filter attribute:

     Juniper-Switching-Filter = "match destination-ip 192.168.1.0/31 action deny"

   - To set the packet loss priority (PLP) to high based on a destination MAC
     address and the IP protocol:

     [root@freeradius]# cd /usr/local/etc/raddb
     [root@freeradius raddb]# vi users

     For each relevant user, add the Juniper-Switching-Filter attribute:

     Juniper-Switching-Filter = "match destination-mac 00:04:0f:fd:ac:fe,
     ip-protocol 2, forwarding-class high, action loss-priority high"

   NOTE: For the forwarding-class option to be applied, the forwarding class must be
   configured on the switch. If it is not configured on the switch, this option is ignored.
   You must specify both the forwarding class and the packet loss priority.

3. Stop and restart the RADIUS process to activate the configuration.

Applying a Port Firewall Filter from the RADIUS Server

You can apply a firewall filter to user policies on the RADIUS server. The RADIUS
server can then specify the firewall filters that are to be applied to each user that
requests to authenticate. Use this method when the firewall filter has more extensive
conditions or you want to use different conditions for the same filter on different
switches. The firewall filters must be configured on each switch.

For more information about firewall filters, see Firewall Filters for EX Series Switches
Overview on page 1249.

NOTE: If port firewall filters are also configured locally for the interface, then VSAs
take precedence if they conflict with the filters. If the VSAs and the local port firewall
filters do not conflict, they are merged.

To apply a port firewall filter centrally from the RADIUS server:

1. Create the firewall filter on the local switch. In this example, the filter is called
   filter1.

2. Open the users file on the RADIUS server:

   [root@freeradius]# cd /usr/local/etc/raddb
   [root@freeradius raddb]# vi users

3. For each relevant user, add the filter (here, the filter ID is filter1):

   Filter-Id = "filter1"

   NOTE: Multiple filters are not supported on a single interface. However, you can
   support multiple filters for multiple users that are connected to the switch on the
   same interface by configuring a single filter with policies for each of those users.

4. Stop and restart the RADIUS process to activate the configuration.

Related Topics

- Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch on page 913
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275
- Configuring 802.1X Interface Settings (CLI Procedure) on page 943
- Understanding 802.1X and VSAs on EX Series Switches on page 882

Configuring LLDP (CLI Procedure)

EX Series switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery
Protocol-Media Endpoint Discovery (LLDP-MED) to learn and distribute device
information on network links. The information allows the switch to quickly identify
a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.

This topic describes:

- Enabling LLDP on Interfaces on page 957
- Configuring for Fast Start on page 957
- Adjusting LLDP Advertisement Settings on page 957

Enabling LLDP on Interfaces

LLDP is enabled on all interfaces by default. If it is disabled, you can enable LLDP
by configuring it on all interfaces or on specific interfaces.

To configure LLDP on all interfaces or on a specific interface:

[edit protocols lldp]
user@switch# set interface all

Configuring for Fast Start

You can specify the number of LLDP-MED advertisements sent from the switch in
the first second after it has detected an LLDP-capable device. The default is 3; to set
it to another value:

[edit protocols lldp]
user@switch# set fast-start 8

Adjusting LLDP Advertisement Settings

You can adjust the following LLDP advertisement settings for troubleshooting
or verification purposes. For normal operations, we recommend that you do not
change these settings from their default values.

- Advertisement interval, in seconds, to specify the frequency at which LLDP
  advertisements are sent:

  [edit protocols lldp]
  user@switch# set advertisement-interval 45

- Hold multiplier, used in combination with the advertisement-interval value
  to determine the length of time LLDP information is held before it is discarded:

  [edit protocols lldp]
  user@switch# set hold-multiplier 5

Related Topics

- Configuring LLDP-MED (CLI Procedure) on page 959
- Configuring LLDP (J-Web Procedure) on page 958
- Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Configuring LLDP (J-Web Procedure)

Use the LLDP Configuration page to configure LLDP global and port settings.

To configure LLDP:

1. From the Configure menu, select the option Switching > LLDP.

   The LLDP Configuration page displays LLDP Global Settings and Port Settings.
   The second half of the screen displays operational details for the selected port.

2. To modify LLDP Global Settings, click Global Settings.

   Enter information as described in Table 128 on page 958.

3. To modify Port Settings, click Edit in the Port Settings section.

   Enter information as described in Table 129 on page 958.

Table 128: Global Settings

Advertising interval
    Function: Specifies the frequency of outbound LLDP advertisements. You can
    increase or decrease this interval.
    Your Action: Type the number of seconds.

Hold multiplier
    Function: Specifies the multiplier factor to be used by an LLDP-enabled switch
    to calculate the time-to-live (TTL) value for the LLDP advertisements it generates
    and transmits to LLDP neighbors.
    Your Action: Type the required number in the field.

Fast start count
    Function: Specifies the number of LLDP advertisements sent in the first second
    after the device connects. The default is 3. Increasing this number results in the
    port initially advertising LLDP-MED at a faster rate for a limited time.
    Your Action: Type the Fast start count.

Table 129: Edit Port Settings

LLDP Status
    Function: Specifies whether LLDP has been enabled on the port.
    Your Action: Select one: Enabled, Disabled, or None.

LLDP-MED Status
    Function: Specifies whether LLDP-MED has been enabled on the port.
    Your Action: Select Enable from the list.

Related Topics

- Configuring LLDP (CLI Procedure) on page 957
- Configuring LLDP-MED (CLI Procedure) on page 959
- Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Configuring LLDP-MED (CLI Procedure)

Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) is an extension
of LLDP. The EX Series switch uses LLDP-MED to support device discovery of VoIP
telephones and to create location databases for these telephone locations.

LLDP-MED is turned on by default on EX Series switches.

This topic describes:

- Enabling LLDP-MED on Interfaces on page 959
- Configuring Location Information Advertised by the Switch on page 959
- Configuring for Fast Start on page 960

Enabling LLDP-MED on Interfaces

LLDP-MED is enabled on all interfaces by default. If it is disabled, you can enable
LLDP-MED by configuring it on all interfaces or on specific interfaces.

To configure LLDP-MED on all interfaces or on a specific interface:

[edit protocols lldp-med]
user@switch# set interface ge-0/0/2.0

Configuring Location Information Advertised by the Switch

You can configure the location information that is advertised from the switch to the
LLDP-MED device. You can specify a civic-based location (geographic location) or a
location based on an elin (emergency location identification string):

- To specify a location by geography:

  [edit protocols lldp-med]
  user@switch# set interface ge-0/0/2.0 location civic-based country-code US
  user@switch# set interface ge-0/0/2.0 location civic-based ca-type 1 ca-value El Dorado County
  user@switch# set interface ge-0/0/2.0 location civic-based ca-type 2 ca-value CA
  user@switch# set interface ge-0/0/2.0 location civic-based ca-type 3 ca-value Somerset
  user@switch# set interface ge-0/0/2.0 location civic-based ca-type 6 ca-value Mount Aukum Road
  user@switch# set interface ge-0/0/2.0 location civic-based ca-type 19 ca-value 6450
  user@switch# set interface ge-0/0/2.0 location civic-based ca-type 21 ca-value Holiday Market

- To specify a location using an elin string:

  [edit protocols lldp-med]
  user@switch# set interface ge-0/0/2.0 location elin 4085551212

Configuring for Fast Start

You can specify the number of LLDP-MED advertisements sent from the switch in
the first second after it has detected an LLDP-MED device. The default is 3; to set it
to another value:

[edit protocols lldp-med]
user@switch# set fast-start 6

Related Topics

- Configuring LLDP (J-Web Procedure) on page 958
- Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
- Configuring LLDP (CLI Procedure) on page 957
- Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

VSA Match Conditions and Actions for EX Series Switches

EX Series switches support the configuration of RADIUS server attributes specific to
Juniper Networks. These attributes are known as vendor-specific attributes (VSAs).
They are configured on RADIUS servers and work in combination with 802.1X
authentication. Using VSAs, you can apply port firewall filter attributes as a subset
of match conditions and actions sent from the RADIUS server to the switch as a result
of 802.1X authentication success.

Each term in a VSA configured through the RADIUS server consists of match conditions
and an action. Match conditions are the values or fields that the packet must contain.
You can define single, multiple, or no match conditions. If no match conditions are
specified for the term, the packet is accepted by default. The action is the action that
the switch takes if a packet matches the match conditions for the specific term.
Allowed actions are accept a packet or discard a packet.

The following guidelines apply when you specify match conditions and actions for
VSAs:

- Both match and action statements are mandatory.

- Any or all options (separated by commas) may be included in each match and
  action statement.

- Fields separated by commas will be ANDed if they are of a different type. The
  same type cannot be repeated.

- For OR cases (for example, match 10.1.1.0/24 OR 11.1.1.0/24), apply multiple
  VSAs to the 802.1X supplicant.

- In order for the forwarding-class option to be applied, the forwarding class must
  be configured on the switch. If it is not configured on the switch, this option is
  ignored.

Table 130 on page 961 describes the match conditions you can specify when
configuring a VSA using the match command on the RADIUS server. The string that
defines a match condition is called a match statement.

Table 130: Match Conditions

destination-mac mac-address
    Destination media access control (MAC) address of the packet.

source-vlan source-vlan
    Name of the source VLAN.

source-dot1q-tag tag
    Tag value in the dot1q header, in the range 0 through 4095.

destination-ip ip-address
    Address of the final destination node.

ip-protocol protocol-id
    IPv4 protocol value. In place of the numeric value, you can specify one of the
    following text synonyms: ah, egp (8), esp (50), gre (47), icmp (1), igmp (2),
    ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17).

source-port port
    TCP or User Datagram Protocol (UDP) source port field. Normally, you specify
    this match statement in conjunction with the ip-protocol match statement to
    determine which protocol is being used on the port. In place of the numeric
    field, you can specify one of the text options listed under destination-port.

destination-port port
    TCP or UDP destination port field. Normally, you specify this match in
    conjunction with the ip-protocol match statement to determine which protocol
    is being used on the port. In place of the numeric value, you can specify one
    of the following text synonyms (the port numbers are also listed):
    afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cvspserver (2401),
    cmd (514), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512),
    finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143),
    kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760),
    kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435),
    msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049),
    nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct
    (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap
    (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), telnet
    (23), tacacs-ds (65), talk (517), tftp (69), timed (525), who (513), xdmcp (177),
    zephyr-clt (2103), zephyr-hm (2104)

When you define one or more terms that specify the filtering criteria, you also define
the action to take if the packet matches all criteria. Table 131 on page 962 shows the
actions that you can specify in a term.
Table 131: Actions for VSAs

(allow | deny)
    Accept a packet or discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

forwarding-class class-of-service
    (Optional) Classify the packet in one of the following forwarding classes: assured-forwarding, best-effort, expedited-forwarding, or network-control.

loss-priority (low | medium | high)
    (Optional) Set the packet loss priority (PLP) to low, medium, or high. Specify both the forwarding class and the loss priority.

Related Topics

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953

Understanding 802.1X and VSAs on EX Series Switches on page 882
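The AND semantics of comma-separated fields, the rule that a field type cannot be repeated, the text synonyms of Table 130, and the rule that an unconfigured forwarding class is ignored can all be exercised with the evaluator below. It is an added example written for this page, not Juniper code: the "option value, option value" match-string shape, the action dictionaries, the SAMPLE_FILTERS terms and the two packets are assumptions constructed here, and the way the VSA is actually encoded on the RADIUS server is not modelled.

```python
"""Evaluate a simplified VSA-style match statement against a packet.

Added illustration, not Juniper code. It assumes a match statement is a
comma-separated list of "option value" fields (ANDed, no option type
repeated) paired with an action, mirroring the semantics described in
Table 130 and Table 131. The attribute encoding sent by the RADIUS server
is not modelled.
"""
import ipaddress

# ip-protocol text synonyms from Table 130 (ah is IP protocol 51).
PROTO_SYNONYMS = {
    "ah": 51, "egp": 8, "esp": 50, "gre": 47, "icmp": 1, "igmp": 2,
    "ipip": 4, "ipv6": 41, "ospf": 89, "pim": 103, "rsvp": 46,
    "tcp": 6, "udp": 17,
}
# Subset of the port synonyms listed under destination-port.
PORT_SYNONYMS = {
    "ssh": 22, "telnet": 23, "http": 80, "https": 443, "domain": 53,
    "radius": 1812, "radacct": 1813, "snmp": 161, "syslog": 514,
}
MATCH_OPTIONS = {
    "destination-mac", "source-vlan", "source-dot1q-tag", "destination-ip",
    "ip-protocol", "source-port", "destination-port",
}


def _number(value, synonyms, upper, what):
    """Resolve a numeric value or text synonym and range-check it."""
    num = int(value) if value.isdigit() else synonyms.get(value.lower())
    if num is None or not 0 <= num <= upper:
        raise ValueError("bad %s: %s" % (what, value))
    return num


def normalize(option, value):
    """Convert the textual value of one field into a comparable form."""
    if option == "ip-protocol":
        return _number(value, PROTO_SYNONYMS, 255, "ip-protocol")
    if option in ("source-port", "destination-port"):
        return _number(value, PORT_SYNONYMS, 65535, "port")
    if option == "source-dot1q-tag":
        return _number(value, {}, 4095, "dot1q tag")
    if option == "destination-ip":
        return ipaddress.ip_network(value, strict=False)  # host or prefix
    if option == "destination-mac":
        return value.lower()
    return value  # source-vlan: a VLAN name, compared as-is


def parse_match(statement):
    """Parse "destination-port ssh, ip-protocol tcp" into {option: value}.
    Fields are ANDed; a repeated option type is rejected."""
    conditions = {}
    for field in statement.split(","):
        parts = field.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed field: %r" % field)
        option, value = parts[0].lower(), parts[1].strip()
        if option not in MATCH_OPTIONS:
            raise ValueError("unknown match option: %s" % option)
        if option in conditions:
            raise ValueError("option type repeated: %s" % option)
        conditions[option] = normalize(option, value)
    return conditions


def packet_matches(conditions, packet):
    """True only if every condition holds (AND semantics)."""
    for option, wanted in conditions.items():
        actual = packet.get(option)
        if actual is None:
            return False
        if option == "destination-ip":
            if ipaddress.ip_address(actual) not in wanted:
                return False
        elif option == "destination-mac":
            if actual.lower() != wanted:
                return False
        elif actual != wanted:
            return False
    return True


def apply_filters(filters, packet, configured_forwarding_classes=()):
    """Walk (match_statement, action) terms in order; the first match
    decides. A forwarding-class that is not configured on the switch is
    ignored, as the text states. Returns (verdict, forwarding_class)."""
    for statement, action in filters:
        if packet_matches(parse_match(statement), packet):
            fc = action.get("forwarding-class")
            if fc not in configured_forwarding_classes:
                fc = None
            return action["verdict"], fc
    return "no-match", None


# Constructed sample terms and packets (not from the original page).
SAMPLE_FILTERS = [
    ("destination-port ssh, ip-protocol tcp", {"verdict": "deny"}),
    ("destination-ip 10.1.1.0/24",
     {"verdict": "allow", "forwarding-class": "expedited-forwarding"}),
]
SSH_PACKET = {"ip-protocol": 6, "destination-port": 22,
              "destination-ip": "10.1.1.7"}
WEB_PACKET = {"ip-protocol": 6, "destination-port": 80,
              "destination-ip": "10.1.1.7"}

if __name__ == "__main__":
    print(apply_filters(SAMPLE_FILTERS, SSH_PACKET))
    print(apply_filters(SAMPLE_FILTERS, WEB_PACKET, ("expedited-forwarding",)))
```

Note how the second call only returns the forwarding class when that class is passed in as configured; with an empty set of configured classes the packet is still allowed, but the class is dropped, which is the behaviour the text describes.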

Chapter 52

Verifying 802.1X and MAC RADIUS Authentication

Monitoring 802.1X Authentication on page 963

Verifying 802.1X Authentication on page 964

Monitoring 802.1X Authentication

Purpose

Use the monitoring feature to display details of authenticated users and users who have failed authentication.

Action

To display authentication details in the J-Web interface, select Monitoring > Security > 802.1X.

To display authentication details in the CLI, enter the following commands:

show dot1x interface detail | display xml

show dot1x interface detail <interface> | display xml

show dot1x auth-failed-users

Meaning

The details displayed include:

A list of authenticated users.

The total number of users connected.

A list of users who have failed authentication.

You can also specify an interface for which the details must be displayed.

Related Topics

Configuring 802.1X Authentication (J-Web Procedure) on page 944

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907


Verifying 802.1X Authentication

Purpose

Verify that supplicants are being authenticated on an interface on an EX Series switch with the interface configured for 802.1X authentication, and display the method of authentication being used.

Action

Display detailed information about an interface configured for 802.1X (here, the interface is ge-0/0/16):
user@switch> show dot1x interface ge-0/0/16.0 detail
ge-0/0/16.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Strict: Disabled
Reauthentication: Enabled Reauthentication interval: 40 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 1
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user5, 00:30:48:8C:66:BD
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: v200
Reauthentication due in 17 seconds

Meaning

The sample output from the show dot1x interface detail command shows that the
Number of connected supplicants is 1. The supplicant that was authenticated and is
now connected to the LAN is known as user5 on the RADIUS server and has the MAC
address 00:30:48:8C:66:BD. The supplicant was authenticated by means of the
802.1X authentication method called Radius authentication. When the Radius
authentication method is used, the supplicant is configured on the RADIUS server,
the RADIUS server communicates this to the switch, and the switch opens LAN access
on the interface to which the supplicant is connected. The sample output also shows
that the supplicant is connected to VLAN v200.
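To turn this output into something a script can check, the following parser (an added example, not part of the Juniper documentation or software) reads show dot1x interface detail text, splits it into interface and supplicant records, and flags interfaces where reauthentication is off, where the reported supplicant count disagrees with the supplicants listed, or where a supplicant is in a state other than Authenticated. The first block of SAMPLE_OUTPUT is the output shown above; the second interface block is constructed for the example, and its Connecting state is an assumed value.

```python
"""Parse "show dot1x interface detail" text into records and audit them.

Added example, not Juniper code. The first block of SAMPLE_OUTPUT is the
sample output from the page; the ge-0/0/17.0 block is constructed here to
exercise the checks, and its "Connecting" state is an assumed value.
"""
import re

SAMPLE_OUTPUT = """\
ge-0/0/16.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Strict: Disabled
Reauthentication: Enabled Reauthentication interval: 40 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 1
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user5, 00:30:48:8C:66:BD
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: v200
Reauthentication due in 17 seconds
ge-0/0/17.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Reauthentication: Disabled
Number of connected supplicants: 2
Supplicant: user9, 00:30:48:8C:66:C1
Operational state: Connecting
Authentication method: Radius
"""

INTERFACE_RE = re.compile(r"^[a-z]+-\d+/\d+/\d+\.\d+$")
# Several "Key: value" pairs may share one line (see the Reauthentication
# line); a value ends where the next capitalised key begins.
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): (.+?)(?=\s+[A-Z][A-Za-z ]*?: |$)")


def _value(raw):
    """Convert "40 seconds" and plain integers to int, keep other text."""
    m = re.fullmatch(r"(\d+) seconds", raw)
    if m:
        return int(m.group(1))
    return int(raw) if raw.isdigit() else raw


def parse_dot1x_detail(text):
    """Return a list of interface dicts, each with a "supplicants" list."""
    interfaces, current, target = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if INTERFACE_RE.match(line):
            current = {"interface": line, "supplicants": []}
            interfaces.append(current)
            target = current
            continue
        if current is None:
            continue  # text before the first interface block
        m = re.match(r"Reauthentication due in (\d+) seconds", line)
        if m:
            target["reauthentication_due_in"] = int(m.group(1))
            continue
        for key, raw in KV_RE.findall(line):
            key = key.strip().lower().replace(" ", "_")
            if key == "supplicant":
                # "Supplicant: name, mac" opens a per-supplicant record.
                name, mac = (p.strip() for p in raw.split(",", 1))
                target = {"name": name, "mac": mac.lower()}
                current["supplicants"].append(target)
            else:
                target[key] = _value(raw)
    return interfaces


def audit(interfaces):
    """Return (interface, message) tuples for states worth a second look."""
    findings = []
    for itf in interfaces:
        name = itf["interface"]
        if itf.get("reauthentication") != "Enabled":
            findings.append((name, "reauthentication is not enabled"))
        expected = itf.get("number_of_connected_supplicants", 0)
        if expected != len(itf["supplicants"]):
            findings.append((name, "supplicant count %d does not match %d listed"
                             % (expected, len(itf["supplicants"]))))
        for s in itf["supplicants"]:
            if s.get("operational_state") != "Authenticated":
                findings.append((name, "%s (%s) is in state %s" % (
                    s["name"], s["mac"], s.get("operational_state"))))
    return findings


if __name__ == "__main__":
    for f in audit(parse_dot1x_detail(SAMPLE_OUTPUT)):
        print("%s: %s" % f)
```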
Other 802.1X authentication methods supported on EX Series switches in addition to the RADIUS method are:

Guest VLAN: A nonresponsive host is granted Guest-VLAN access.

MAC Radius: A nonresponsive host is authenticated based on its MAC address. The MAC address is configured as permitted on the RADIUS server, the RADIUS server lets the switch know that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.

Server-fail deny: If the RADIUS servers time out, all supplicants are denied access to the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default.

Server-fail permit: When the RADIUS server is unavailable, a supplicant is still permitted access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server.

Server-fail use-cache: If the RADIUS servers time out during reauthentication, previously authenticated supplicants are granted access, but new supplicants are denied LAN access.

Server-fail VLAN: A supplicant is configured to be moved to a specified VLAN if the RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.)
Related Topics

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Configuring 802.1X Authentication (J-Web Procedure) on page 944

Configuring MAC RADIUS Authentication (CLI Procedure) on page 948

Configuring Server Fail Fallback (CLI Procedure) on page 950


Chapter 53

Configuration Statements for Access Control

[edit access] Configuration Statement Hierarchy on page 967

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 967

[edit protocols] Configuration Statement Hierarchy on page 969

[edit access] Configuration Statement Hierarchy

access {
    profile profile-name {
        accounting {
            order [ radius | none ];
            accounting-stop-on-access-deny;
            accounting-stop-on-failure;
        }
        authentication-order [ authentication-method ];
        radius {
            accounting-server [ server-address ];
            authentication-server [ server-address ];
        }
    }
}

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

[edit ethernet-switching-options] Configuration Statement Hierarchy


ethernet-switching-options {
analyzer {
name {
loss-priority priority;
ratio number;
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);

}
egress {
interface (all | interface-name);
}
}
output {
interface interface-name;
vlan (vlan-id | vlan-name);
}
}
}
bpdu-block {
disable-timeout timeout;
interface (all | [interface-name]);
}
dot1q-tunneling {
ether-type (0x8100 | 0x88a8 | 0x9100);
}
interfaces interface-name {
no-mac-learning;
}
mac-table-aging-time seconds;
port-error-disable {
disable-timeout timeout;
}
redundant-trunk-group {
group-name name {
interface interface-name <primary>;
}
}
secure-access-port {
dhcp-snooping-file {
location local_pathname | remote_URL;
timeout seconds;
write-interval seconds;
}
interface (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted );
mac-limit limit action action;
no-allowed-mac-log;
static-ip ip-address {
vlan vlan-name;
mac mac-address;
}
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection );
dhcp-option82 {
circuit-id {
prefix hostname;
use-interface-description;
use-vlan-id;
}
remote-id {

prefix (hostname | mac | none);
use-interface-description;
use-string string;
}
vendor-id [string];
}
(examine-dhcp | no-examine-dhcp );
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
storm-control {
interface (all | interface-name) {
bandwidth bandwidth;
no-broadcast;
no-unknown-unicast;
}
}
traceoptions {
file filename <files number> <no-stamp> <replace> <size size> <world-readable
| no-world-readable>;
flag flag <disable>;
}
unknown-unicast-forwarding {
vlan (all | vlan-name) {
interface interface-name;
}
}
voip {
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
network-control>;
}
}
}
Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

Port Security for EX Series Switches Overview on page 1063

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574

Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding Storm Control on EX Series Switches on page 475

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

[edit protocols] Configuration Statement Hierarchy


protocols {

connections {
remote-interface-switch connection-name {
interface interface-name.unit-number;
transmit-lsp label-switched-path;
receive-lsp label-switched-path;
}
}
dot1x {
authenticator {
authentication-profile-name profile-name;
interface (all | [ interface-names ]) {
disable;
guest-vlan ( vlan-id | vlan-name);
mac-radius <restrict>;
maximum-requests number;
no-reauthentication;
quiet-period seconds;
reauthentication {
interval seconds;
}
retries number;
server-fail (deny | permit | use-cache | vlan-id | vlan-name);
server-reject-vlan (vlan-id | vlan-name);
server-timeout seconds;
supplicant (multiple | single | single-secure);
supplicant-timeout seconds;
transmit-period seconds;
}
static mac-address {
interface interface-name;
vlan-assignment (vlan-id |vlan-name);
}
}
}
gvrp {
<enable | disable>;
interface (all | [interface-name]) {
disable;
}
join-timer milliseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}
igmp-snooping {
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
vlan (vlan-id | vlan-number) {
data-forwarding {
source {
groups group-prefix;
}
receiver {
source-vlans vlan-list;
install;

}
}
disable {
interface interface-name;
}
immediate-leave;
interface interface-name {
group-limit limit;
multicast-router-interface;
static {
group ip-address;
}
}
proxy;
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp {
disable;
advertisement-interval seconds;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
}
lldp-med {
disable;
fast-start number;
interface (all | interface-name) {
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mpls {
interface ( all | interface-name );
label-switched-path lsp-name to remote-provider-edge-switch;
path destination {

<address | hostname> <strict | loose>;
}
}
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
oam {
ethernet {
link-fault-management {
action-profile profile-name;
action {
syslog;
link-down;
}
event {
link-adjacency-loss;
link-event-rate;
frame-error count;
frame-period count;
frame-period-summary count;
symbol-period count;
}


interface interface-name {
link-discovery (active | passive);
pdu-interval interval;
event-thresholds threshold-value;
remote-loopback;
event-thresholds {
frame-error count;
frame-period count;
frame-period-summary count;
symbol-period count;
}
}
negotiation-options {
allow-remote-loopback;
no-allow-link-events;
}
}
}
}
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
sflow {
collector {
ip-address;
udp-port port-number;
}
disable;
interfaces interface-name {
disable;
polling-interval seconds;
sample-rate number;
}
polling-interval seconds;


sample-rate number;
}
stp {
disable;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
vstp {
bpdu-block-on-edge;
disable;
force-version stp;
vlan vlan-id {
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
bpdu-timeout-action {
block;
alarm;
}
cost cost;
disable;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
}
}


Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873

IGMP Snooping on EX Series Switches Overview on page 795

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 1635

Understanding VSTP for EX Series Switches on page 574

Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 1661


access

Syntax

access {
    profile profile-name {
        authentication-order [ldap radius | none];
        accounting {
            order [radius | none];
            accounting-stop-on-access-deny;
            accounting-stop-on-failure;
        }
        radius {
            accounting-server [server-addresses];
            authentication-server [server-addresses];
        }
    }
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure authentication, authorization, and accounting (AAA) services. The statements are explained separately.

Default

Not enabled

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952
accounting

Syntax

accounting {
    order [radius | none];
    accounting-stop-on-access-deny;
    accounting-stop-on-failure;
}

Hierarchy Level

[edit access profile profile-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure RADIUS accounting for authentication, authorization, and accounting (AAA) services, including the order in which accounting methods are used.

Default

Not enabled

Options

none: Do no accounting for the specified subscribers.

radius: Use RADIUS accounting for the specified subscribers.

The remaining statements are explained separately.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Understanding 802.1X and RADIUS Accounting on EX Series Switches on page 876
accounting-server

Syntax

accounting-server [server-addresses];

Hierarchy Level

[edit access profile profile-name radius]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the Remote Authentication Dial-In User Service (RADIUS) server to which accounting messages are sent. To configure multiple RADIUS servers, include multiple server addresses. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Default

Not enabled

Options

server-addresses: One or more addresses of RADIUS accounting servers.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

show network-access aaa statistics authentication

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Understanding 802.1X and RADIUS Accounting on EX Series Switches on page 876
accounting-stop-on-access-deny

Syntax

accounting-stop-on-access-deny;

Hierarchy Level

[edit access profile profile-name accounting]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the switch to send an Acct-Stop message to the accounting server if the AAA server denies access to a supplicant.

Default

Not enabled

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

show network-access aaa statistics authentication
accounting-stop-on-failure

Syntax

accounting-stop-on-failure;

Hierarchy Level

[edit access profile profile-name accounting]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the switch to send an Acct-Stop message to the accounting server if a supplicant fails AAA authorization even though the RADIUS server grants access; for example, a supplicant might fail because of an internal error such as a timeout.

Default

Not enabled

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Understanding 802.1X and RADIUS Accounting on EX Series Switches on page 876
advertisement-interval

Syntax

advertisement-interval seconds;

Hierarchy Level

[edit protocols lldp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For switches configured for Link Layer Discovery Protocol (LLDP), configure the frequency at which LLDP advertisements are sent.

Default

Disabled.

Options

seconds: (Optional) The number of seconds between advertisements.
Range: 5 through 32,768 seconds
Default: 30 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show lldp

Configuring LLDP (CLI Procedure) on page 957

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877
authentication-order

Syntax

authentication-order [ldap radius | none];

Hierarchy Level

[edit access profile profile-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the order of authentication, authorization, and accounting (AAA) servers to use while sending authentication messages.

Default

Not enabled

Options

ldap: Lightweight Directory Access Protocol.

none: No authentication for specified subscribers.

radius: Remote Authentication Dial-In User Service authentication.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952
authentication-profile-name

Syntax

authentication-profile-name access-profile-name;

Hierarchy Level

[edit protocols dot1x authenticator]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Specify the name of the access profile to be used for 802.1X or MAC RADIUS authentication.

Default

No access profile is specified.

Options

access-profile-name: Name of the access profile. The access profile is configured at the [edit access profile] hierarchy level and contains the RADIUS server IP address and other information used for 802.1X authentication.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 902

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Configuring 802.1X Authentication (J-Web Procedure) on page 944
authentication-server

Syntax

authentication-server [server-addresses];

Hierarchy Level

[edit access profile profile-name radius]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the Remote Authentication Dial-In User Service (RADIUS) server for authentication. To configure multiple RADIUS servers, include multiple server addresses. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Default

Not enabled

Options

server-addresses: One or more RADIUS server addresses.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

show network-access aaa statistics authentication
authenticator

Syntax

authenticator {
    authentication-profile-name access-profile-name;
    interface (all | [ interface-names ]) {
        disable;
        guest-vlan (vlan-id | vlan-name);
        mac-radius <restrict>;
        maximum-requests number;
        no-reauthentication;
        quiet-period seconds;
        reauthentication {
            interval seconds;
        }
        retries number;
        server-fail (deny | permit | use-cache | vlan-id | vlan-name);
        server-reject-vlan (vlan-id | vlan-name);
        server-timeout seconds;
        supplicant (single | single-secure | multiple);
        supplicant-timeout seconds;
        transmit-period seconds;
    }
    static mac-address {
        interface interface-name;
        vlan-assignment vlan-identifier;
    }
}

Hierarchy Level

[edit protocols dot1x]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure an authenticator for 802.1X authentication. The statements are explained separately.

Default

No static MAC address or VLAN is configured.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure) on page 942

Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897

Understanding Static MAC Bypass of Authentication on EX Series Switches on page 879
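The server-fail choices described under Verifying 802.1X Authentication and the authenticator syntax above can be checked mechanically before a commit. The parser and audit below are an added example, not Juniper code and not the switch's own configuration validation: they read a configuration fragment in the brace form used by the hierarchies in this chapter, confirm that authentication-profile-name refers to a profile defined under [edit access], and report interfaces that use server-fail permit, that fall back to a VLAN, or that set no-reauthentication. The profile, interface, server and VLAN names in SAMPLE_CONFIG are constructed for the example.

```python
"""Parse a JUNOS-style brace configuration and audit the 802.1X
authenticator settings.

Added example, not Juniper code. It reads the curly-brace text form shown
in the configuration statement hierarchies and applies the points made in
the server fail fallback description: the authenticator must name an
access profile that exists, server-fail permit opens the port while RADIUS
is unreachable, a VLAN fallback moves supplicants into that VLAN, and
no-reauthentication stops the switch from re-checking a supplicant.
All names in SAMPLE_CONFIG are constructed for this example.
"""

SAMPLE_CONFIG = """\
access {
    profile dot1x-profile {
        authentication-order radius;
        radius {
            authentication-server [ 10.10.10.5 10.10.10.6 ];
            accounting-server 10.10.10.5;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            interface ge-0/0/1.0 {
                supplicant multiple;
                server-fail permit;
            }
            interface ge-0/0/2.0 {
                supplicant single-secure;
                server-fail use-cache;
                no-reauthentication;
            }
            interface ge-0/0/3.0 {
                supplicant single;
                server-fail remediation-vlan;
                reauthentication {
                    interval 3600;
                }
            }
        }
    }
}
"""


def parse_config(text):
    """Nest "name {" blocks as dicts; leaf statements go in "_statements"."""
    root = {"_statements": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            node = {"_statements": []}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith(";"):
            stack[-1]["_statements"].append(line[:-1].strip())
        else:
            raise ValueError("unexpected line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def _arg(statements, keyword):
    """Value of "keyword value;" in a block, or None if absent."""
    for s in statements:
        parts = s.split(None, 1)
        if parts[0] == keyword and len(parts) == 2:
            return parts[1]
    return None


def audit_dot1x(config):
    """Return (severity, interface, message) findings."""
    findings = []
    profiles = {k.split(None, 1)[1]
                for k in config.get("access", {}) if k.startswith("profile ")}
    auth = config.get("protocols", {}).get("dot1x", {}).get("authenticator")
    if auth is None:
        return [("info", None, "no 802.1X authenticator configured")]
    profile = _arg(auth["_statements"], "authentication-profile-name")
    if profile is None:
        findings.append(("high", None, "authenticator names no access profile"))
    elif profile not in profiles:
        findings.append(("high", None, "access profile %r is not defined under [edit access]" % profile))
    for key, node in auth.items():
        if not key.startswith("interface "):
            continue
        ifname = key.split(None, 1)[1]
        stmts = node["_statements"]
        server_fail = _arg(stmts, "server-fail") or "deny"  # deny is the default
        if server_fail == "permit":
            findings.append(("high", ifname, "server-fail permit opens the LAN to unauthenticated hosts while RADIUS is unreachable"))
        elif server_fail not in ("deny", "use-cache"):
            findings.append(("medium", ifname, "server-fail moves supplicants to VLAN %s while RADIUS is unreachable" % server_fail))
        if "no-reauthentication" in stmts:
            findings.append(("medium", ifname, "reauthentication disabled; RADIUS is never consulted again for an authenticated supplicant"))
    return findings


if __name__ == "__main__":
    for sev, ifname, msg in audit_dot1x(parse_config(SAMPLE_CONFIG)):
        print("[%s] %s: %s" % (sev, ifname or "global", msg))
```

The audit treats a missing server-fail statement as deny because the text states that deny is the default; use-cache is accepted silently since it only keeps already-authenticated supplicants connected.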


ca-type

Syntax

ca-type {
    number {
        ca-value value;
    }
}

Hierarchy Level

[edit protocols lldp-med interface (all | interface-name) location civic-based]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED), configure the address elements. These elements are included in the location information advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED.

For further information about the values that can be used to compose the location, refer to RFC 4776, Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option for Civic Addresses Configuration Information. A subset of those values is provided below.

The ca-value statement is explained separately.

Default

Disabled.

Options

number: Civic address element type (CAtype) that identifies which part of the civic or postal address the accompanying ca-value supplies. Values are:

0: A code that specifies the language used to describe the location.

16: The leading street direction, such as N.

17: A trailing street suffix, such as SW.

18: A street suffix or type, such as Ave or Platz.

19: A house number, such as 6450.

20: A house-number suffix, such as A or 1/2.

21: A landmark, such as Stanford University.

22: Additional location information, such as South Wing.

23: The name and occupant of a location, such as Carrillo's Holiday Market.

24: A postal or ZIP code, such as 95684.

25: A building structure, such as East Library.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show lldp

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Configuring LLDP-MED (CLI Procedure) on page 959

ca-value

Syntax

ca-value value;

Hierarchy Level

[edit protocols lldp-med interface (all | interface-name) location civic-based ca-type number]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED), configure location information, such as street address and city, that is indexed by the ca-type code. This information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED.

Default

Disabled.

Options

value: Specify a value that correlates to the ca-type. See ca-type for a list of codes and suggested values.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show lldp

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Configuring LLDP-MED (CLI Procedure) on page 959
civic-based

Syntax

civic-based {
    what number;
    country-code code;
    ca-type {
        number {
            ca-value value;
        }
    }
}

Hierarchy Level

[edit protocols lldp-med interface (all | interface-name) location]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED), configure the geographic location to be advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED. The statements are explained separately.

Default

Disabled.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show lldp

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Configuring LLDP-MED (CLI Procedure) on page 959
country-code

Syntax

country-code code;

Hierarchy Level

[edit protocols lldp-med interface (all | interface-name) location civic-based]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

For Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED), configure the two-letter country code to include in the location information. Location information is advertised from the switch to the MED, and is used during emergency calls to identify the location of the MED. The country code is required when configuring LLDP-MED based on location.

Default

Disabled.

Options

code: Two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show lldp

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919

Configuring LLDP-MED (CLI Procedure) on page 959
disable

Syntax
disable;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Disable 802.1X authentication on a specified interface or all interfaces.

Default
802.1X authentication is disabled on all interfaces.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show dot1x
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 893
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944

disable

Syntax
disable;

Hierarchy Level
[edit protocols lldp],
[edit protocols lldp interface]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Disable the LLDP configuration on the switch or on one or more interfaces.

Default
If you do not configure LLDP, it is disabled on the switch and on specific switch interfaces.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Configuring LLDP (CLI Procedure) on page 957
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

disable

Syntax
disable;

Hierarchy Level
[edit protocols lldp-med],
[edit protocols lldp-med interface]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Disable the LLDP-MED configuration on the switch or on one or more interfaces.

Default
If you do not configure LLDP-MED, it is disabled on the switch and on specific switch interfaces.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Configuring LLDP (CLI Procedure) on page 957
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

dot1x

Syntax
dot1x {
    authenticator {
        authentication-profile-name access-profile-name;
        interface (all | [interface-names]) {
            disable;
            guest-vlan (vlan-id | vlan-name);
            mac-radius <restrict>;
            maximum-requests number;
            no-reauthentication;
            quiet-period seconds;
            reauthentication {
                interval seconds;
            }
            retries number;
            server-fail (deny | permit | use-cache | vlan-id | vlan-name);
            server-reject-vlan (vlan-id | vlan-name);
            server-timeout seconds;
            supplicant (single | single-secure | multiple);
            supplicant-timeout seconds;
            transmit-period seconds;
        }
        static mac-address {
            interface interface-names;
            vlan-assignment (vlan-id | vlan-name);
        }
    }
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure 802.1X authentication for Port-Based Network Access Control. 802.1X authentication is supported on interfaces that are members of private VLANs (PVLANs).
The remaining statements are explained separately.

Default
802.1X is disabled.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show dot1x
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 893
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897
Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 902
Configuring Server Fail Fallback (CLI Procedure) on page 950

elin

Syntax
elin number;

Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED), configure the Emergency Line Identification Number (ELIN) as location information. Location information is advertised from the switch to the MED device and is used during emergency calls to identify the location of the MED device.

Default
Disabled.

Options
number—Configure a 10-digit number (area code and telephone number).

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Configuring LLDP-MED (CLI Procedure) on page 959

ethernet-switching-options

Syntax
ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        disable-timeout timeout;
        interface (all | [interface-name]);
    }
    dot1q-tunneling {
        ether-type (0x8100 | 0x88a8 | 0x9100);
    }
    interfaces interface-name {
        no-mac-learning;
    }
    mac-table-aging-time seconds;
    port-error-disable {
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
            interface interface-name;
        }
    }
    secure-access-port {
        dhcp-snooping-file {
            location local_pathname | remote_URL;
            timeout seconds;
            write-interval seconds;
        }
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            no-allowed-mac-log;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                    use-interface-description;
                    use-vlan-id;
                }
                remote-id {
                    prefix hostname | mac | none;
                    use-interface-description;
                    use-string string;
                }
                vendor-id [string];
            }
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    unknown-unicast-forwarding {
        vlan (all | vlan-name) {
            interface interface-name;
        }
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}

Hierarchy Level
[edit]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Support for storm control and BPDU protection added in JUNOS Release 9.1 for EX Series switches.
Option ip-source-guard added in JUNOS Release 9.2 for EX Series switches.
Options dhcp-option82, dot1q-tunneling, and no-allowed-mac-log added in JUNOS Release 9.3 for EX Series switches.
Options dhcp-snooping-file and mac-table-aging-time introduced in JUNOS Release 9.4 for EX Series switches.
Options interfaces and no-mac-learning introduced in JUNOS Release 9.5 for EX Series switches.
Options port-error-disable and disable-timeout introduced in JUNOS Release 9.6 for EX Series switches.

Description
Configure Ethernet switching options.
The remaining statements are explained separately.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Port Mirroring on EX Series Switches Overview on page 1595
Port Security for EX Series Switches Overview on page 1063
Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574
Understanding Redundant Trunk Links on EX Series Switches on page 473
Understanding Storm Control on EX Series Switches on page 475
Understanding 802.1X and VoIP on EX Series Switches on page 879
Understanding Q-in-Q Tunneling on EX Series Switches on page 477
Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

fast-start

Syntax
fast-start count;

Hierarchy Level
[edit protocols lldp-med]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the number of Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) advertisements sent from the switch in the first second after it has detected an LLDP-MED device (such as an IP telephone).

Options
count—Number of advertisements.
Range: 1 through 10
Default: 3

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Configuring LLDP-MED (CLI Procedure) on page 959
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

forwarding-class

Syntax
forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;

Hierarchy Level
[edit ethernet-switching-options voip interface (all | interface-name | access-ports)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For EX Series switches, configure the forwarding class used to handle packets on the VoIP interface.

Default
Disabled.

Options
class—Forwarding class:
assured-forwarding—Assured forwarding (AF). Provides a group of values you can define and includes four subclasses: AF1, AF2, AF3, and AF4, each with three drop probabilities: low, medium, and high.
best-effort—Provides no service profile. For the best effort forwarding class, loss priority is typically not carried in a class-of-service (CoS) value, and random early detection (RED) drop profiles are more aggressive.
expedited-forwarding—Provides a low loss, low latency, low jitter, assured bandwidth, end-to-end service.
network-control—Provides a typically high priority because it supports protocol control.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 926
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 932

guest-vlan

Syntax
guest-vlan (vlan-id | vlan-name);

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Specify the VLAN to which an interface is moved when no 802.1X supplicants are connected on the interface. The VLAN specified must already exist on the switch.

Default
None

Options
vlan-id—VLAN tag identifier of the guest VLAN.
vlan-name—Name of the guest VLAN.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 893
Understanding Guest VLANs for 802.1X on EX Series Switches on page 875

hold-multiplier

Syntax
hold-multiplier number;

Hierarchy Level
[edit protocols lldp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Specify the multiplier used in combination with the advertisement-interval value to determine the length of time LLDP information is held before it is discarded. The default value is 4 (or 120 seconds).

Default
Disabled.

Options
number—A number used as a multiplier.
Range: 2 through 10
Default: 4 (or 120 seconds)

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Configuring LLDP (CLI Procedure) on page 957
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

interface

Syntax
interface (all | interface-name) {
    disable;
    location {
        elin number;
        civic-based {
            what number;
            country-code code;
            ca-type {
                number {
                    ca-value value;
                }
            }
        }
    }
}

Hierarchy Level
[edit protocols lldp-med]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) on all interfaces or on a specific interface.

Default
Not enabled

Options
all—All interfaces on the switch.
interface-name—Name of a specific interface.
The remaining statements are explained separately.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Configuring LLDP-MED (CLI Procedure) on page 959
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

interface

Syntax
interface (all | interface-name) {
    disable;
}

Hierarchy Level
[edit protocols lldp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure Link Layer Discovery Protocol (LLDP) on all interfaces or on a specific interface.

Default
None

Options
all—All interfaces on the switch.
interface-name—Name of a specific interface.
The remaining statement is explained separately.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Configuring LLDP (CLI Procedure) on page 957
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

interface

Syntax
interface (all | [interface-name] | access-ports) {
    vlan vlan-name;
    forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
}

Hierarchy Level
[edit ethernet-switching-options voip]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Enable voice over IP (VoIP) for all interfaces or specific interfaces.

Options
all | interface-name | access-ports—Enable VoIP on all interfaces, on a specific interface, or on all access ports.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 926
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 932

interface

Syntax
interface (all | [interface-names]) {
    disable;
    guest-vlan (vlan-name | vlan-id);
    mac-radius <restrict>;
    maximum-requests number;
    no-reauthentication;
    quiet-period seconds;
    reauthentication {
        interval seconds;
    }
    retries number;
    server-fail (deny | permit | use-cache | vlan-id | vlan-name);
    server-reject-vlan (vlan-id | vlan-name);
    server-timeout seconds;
    supplicant (single | single-secure | multiple);
    supplicant-timeout seconds;
    transmit-period seconds;
}

Hierarchy Level
[edit protocols dot1x authenticator]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure 802.1X authentication for Port-Based Network Access Control for all interfaces or for specific interfaces.

Options
all—Configure all interfaces for 802.1X authentication.
[interface-names]—List of names of interfaces to configure for 802.1X authentication.
The remaining statements are explained separately.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show dot1x
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 893
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 902
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944
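As an added example (not a configuration from this guide), the per-interface statements listed above are combined into one authenticator configuration: a workstation port that admits a single authenticated host and re-checks it periodically, and a printer port that authenticates by MAC address only. The interface names, the guest VLAN name, and the access profile name dot1x-profile are assumed.

```junos
protocols {
    dot1x {
        authenticator {
            /* Access profile defined under [edit access profile dot1x-profile] (assumed name). */
            authentication-profile-name dot1x-profile;
            /* Workstation port: exactly one host, and only its MAC address is allowed. */
            interface ge-0/0/10.0 {
                supplicant single-secure;
                /* Re-authenticate every 30 minutes instead of the 3600-second default. */
                reauthentication {
                    interval 1800;
                }
                /* Two EAPOL retransmissions, then a 60-second wait before trying again. */
                maximum-requests 2;
                quiet-period 60;
                retries 3;
                /* Hosts without a supplicant land in a restricted VLAN that must already exist. */
                guest-vlan guest;
                /* Fail closed: no access while every RADIUS server is unreachable. */
                server-fail deny;
            }
            /* Printer port: no 802.1X supplicant, so skip EAPOL and go straight to MAC RADIUS. */
            interface ge-0/0/11.0 {
                supplicant single;
                /* restrict drops all 802.1X packets; MAC-only authentication trusts the */
                /* source address, so keep the port to one supplicant and fail closed. */
                mac-radius restrict;
                server-fail deny;
            }
        }
    }
}
```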

interface

Syntax
interface [interface-names];

Hierarchy Level
[edit protocols dot1x authenticator authentication-profile-name static mac-address]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For MAC addresses that are on the static MAC list and excluded from 802.1X authentication, configure a list of interfaces from which this MAC address is allowed to connect to the LAN. If it is detected on any other interface, the authentication is not bypassed.

Options
interface-names—A list of interfaces from which this MAC address is allowed to connect to the LAN.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show dot1x static-mac-address
vlan-assignment
Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944
Understanding Static MAC Bypass of Authentication on EX Series Switches on page 879

lldp

Syntax
lldp {
    disable;
    advertisement-interval seconds;
    fast-start number;
    hold-multiplier number;
    interface (all | [interface-name]) {
        disable;
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag (detail | disable | receive | send);
    }
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure Link Layer Discovery Protocol (LLDP). The switch uses LLDP to advertise its identity and capabilities on a LAN, as well as receive information about other network devices. LLDP is defined in the IEEE standard 802.1AB-2005.
The statements are explained separately.

Default
LLDP is enabled.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Configuring LLDP-MED (CLI Procedure) on page 959
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

lldp-med

Syntax
lldp-med {
    disable;
    fast-start number;
    interface (all | interface-name) {
        disable;
        location {
            elin number;
            civic-based {
                what number;
                country-code code;
                ca-type {
                    number {
                        ca-value value;
                    }
                }
            }
        }
    }
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure Link Layer Discovery Protocol–Media Endpoint Discovery. LLDP-MED is an extension of LLDP. The switch uses LLDP-MED to support device discovery of VoIP telephones and to create location databases for these telephone locations for emergency services. LLDP-MED is defined in the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA).
The statements are explained separately.

Default
Disabled.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Configuring LLDP-MED (CLI Procedure) on page 959

location

Syntax
location {
    elin number;
    civic-based {
        what number;
        country-code code;
        ca-type {
            number {
                ca-value value;
            }
        }
    }
}

Hierarchy Level
[edit protocols lldp-med interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED), configure the location information. Location information is advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED.
The statements are explained separately.

Default
Disabled.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show lldp
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Configuring LLDP-MED (CLI Procedure) on page 959
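As an added example (not a configuration from this guide), the lldp, lldp-med location and ethernet-switching-options voip statements described above applied to one phone port. The interface name, the voice VLAN name, the ELIN and the civic address values are constructed; the ca-type numbers follow the RFC 4776 civic address types (1 state, 3 city, 6 street, 19 house number, 24 postal code), which is an assumption about what the switch expects for number.

```junos
protocols {
    lldp {
        /* LLDP data is kept for advertisement-interval x hold-multiplier (default 4, 120 seconds). */
        hold-multiplier 4;
        interface all;
    }
    lldp-med {
        /* Send three advertisements in the first second after a phone is detected (the default). */
        fast-start 3;
        interface ge-0/0/20.0 {
            location {
                /* 10-digit ELIN (constructed) that the emergency answering point maps to this port. */
                elin 4085551234;
                civic-based {
                    /* what 2: the address describes the client (the phone), per RFC 4776. */
                    what 2;
                    country-code US;
                    ca-type {
                        /* 1: national subdivision (state) */
                        1 {
                            ca-value CA;
                        }
                        /* 3: city */
                        3 {
                            ca-value Sunnyvale;
                        }
                        /* 6: street name (quoted because it contains spaces) */
                        6 {
                            ca-value "North Mathilda Avenue";
                        }
                        /* 19: house number */
                        19 {
                            ca-value 1194;
                        }
                        /* 24: postal code */
                        24 {
                            ca-value 94089;
                        }
                    }
                }
            }
        }
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/20.0 {
            /* Voice VLAN advertised to the phone through LLDP-MED; it must already exist. */
            vlan voice;
            /* Low-loss, low-latency class for the voice traffic on this port. */
            forwarding-class expedited-forwarding;
        }
    }
}
```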

mac-radius

Syntax
mac-radius <flap-on-disconnect> <restrict>;

Hierarchy Level
[edit protocols dot1x authenticator interface interface-name]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.
Option flap-on-disconnect introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure MAC RADIUS authentication for specific interfaces. MAC RADIUS authentication allows LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN.
If MAC RADIUS is configured, the switch first tries to get a response from the host for 802.1X authentication. If the host is unresponsive, the switch attempts to authenticate using MAC RADIUS.
To restrict authentication to MAC RADIUS only, use the restrict option. In restrictive mode, all 802.1X packets are eliminated and the attached device on the interface is considered a nonresponsive host.

Options
flap-on-disconnect—(Optional) When the RADIUS server sends a disconnect message to a supplicant, the switch resets the interface on which the supplicant is authenticated. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the restrict option is also set.
restrict—(Optional) Restricts authentication to MAC RADIUS only. When mac-radius restrict is configured, the switch drops all 802.1X packets. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface, and eliminates the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show dot1x
Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 902
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
Configuring MAC RADIUS Authentication (CLI Procedure) on page 948
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Understanding MAC RADIUS Authentication on EX Series Switches on page 872

maximum-requests

Syntax
maximum-requests number;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out.

Default
Two retransmission attempts

Options
number—Number of retransmission attempts.
Range: 1 through 10
Default: 2

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944

no-reauthentication

Syntax
no-reauthentication;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, disables reauthentication.

Default
Not disabled

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944
Understanding 802.1X Authentication on EX Series Switches on page 867

order

Syntax
order [radius | none];

Hierarchy Level
[edit access profile profile-name accounting]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the order of authentication, authorization, and accounting (AAA) servers to use while sending accounting messages and updates.

Default
Not enabled

Options
none—No accounting for specified subscribers.
radius—Remote Authentication Dial-In User Service accounting for specified subscribers.
[radius | none]—Use multiple types of accounting in the order specified. RADIUS accounting is initially used. However, if RADIUS servers are not available, no accounting is done.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

Related Topics
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883
Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

profile

Syntax
profile profile-name {
    accounting {
        order [radius | none];
        accounting-stop-on-access-deny;
        accounting-stop-on-failure;
    }
    authentication-order [authentication-method];
    radius {
        accounting-server [server-addresses];
        authentication-server [server-addresses];
    }
}

Hierarchy Level
[edit access]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure an access profile. The access profile contains the entire authentication, authorization, and accounting (AAA) configuration that aids in handling AAA requests, including the authentication method and order, AAA server addresses, and AAA accounting.

Default
Not enabled

Options
profile-name—Profile name of up to 32 characters.
The remaining statements are explained separately.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

Related Topics
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883
Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

quiet-period

Syntax
quiet-period seconds;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, configure the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication.

Default
60 seconds

Options
seconds—Number of seconds the interface remains in the wait state.
Range: 0 through 65,535 seconds
Default: 60 seconds

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
show network-access aaa statistics authentication
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

radius

Syntax
radius {
    accounting-server [server-addresses];
    authentication-server [server-addresses];
}

Hierarchy Level
[edit access profile profile-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the Remote Authentication Dial-In User Service (RADIUS) servers for authentication and for accounting. To configure multiple RADIUS servers, include multiple radius statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.
The statements are explained separately.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

Related Topics
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883
Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952
Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953
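As an added example (not a configuration from this guide), an access profile built from the profile, radius and order statements above, as the dot1x authentication-profile-name statement would reference it. The profile name dot1x-profile and the server addresses are constructed, and the radius-server statement that holds the shared secret, which sits under [edit access] outside this profile, is included from general JUNOS knowledge rather than from this chapter.

```junos
access {
    /* Shared secret for each server (placeholder value); not part of the profile itself. */
    radius-server 192.0.2.10 {
        secret "REPLACE-WITH-SHARED-SECRET";
    }
    radius-server 192.0.2.11 {
        secret "REPLACE-WITH-SHARED-SECRET";
    }
    /* Referenced by: protocols dot1x authenticator authentication-profile-name dot1x-profile */
    profile dot1x-profile {
        authentication-order radius;
        radius {
            /* Servers are tried in the order listed, round-robin, until one answers. */
            authentication-server [ 192.0.2.10 192.0.2.11 ];
            accounting-server [ 192.0.2.10 192.0.2.11 ];
        }
        accounting {
            /* RADIUS accounting first; if no RADIUS server is available, no accounting is done. */
            order [ radius none ];
            /* Also record sessions that end because access was denied or authentication failed. */
            accounting-stop-on-access-deny;
            accounting-stop-on-failure;
        }
    }
}
```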

reauthentication

Syntax
reauthentication {
    interval seconds;
}

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, specify reauthentication parameters.

Default
3600 seconds.

Options
disable—Disables the periodic reauthentication of the supplicant.
interval seconds—Sets the periodic reauthentication time interval. The range is 1 through 65,535 seconds.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Topics
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944
Understanding 802.1X Authentication on EX Series Switches on page 867

retries

Syntax
retries number;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, configure the number of times the switch attempts to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt.

Default
3 retries

Options
number: Number of retries.
Range: 1 through 10
Default: 3

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944
Understanding 802.1X Authentication on EX Series Switches on page 867

server-fail

Syntax
server-fail (deny | permit | use-cache | vlan-id | vlan-name);

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
For EX Series switches configured for 802.1X authentication, specify the server fail fallback action the switch takes when all RADIUS authentication servers are unreachable.
When you specify the action vlan-name or vlan-id, the VLAN must already be configured on the switch.

Default
Authentication is denied.

Options
deny: Force the supplicant authentication to fail. No traffic flows through the interface.
permit: Force the supplicant authentication to succeed. Traffic flows through the interface as if the supplicant had been successfully authenticated by the RADIUS server.
use-cache: Force the supplicant authentication to succeed only if the supplicant was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected.
vlan-id: Move the supplicant on the interface to the VLAN specified by this numeric identifier. This action is allowed only if it is the first supplicant connecting to the interface. If an authenticated supplicant is already connected, the supplicant is not moved to the VLAN and is not authenticated.
vlan-name: Move the supplicant on the interface to the VLAN specified by this name. This action is allowed only if it is the first supplicant connecting to the interface. If an authenticated supplicant is already connected, the supplicant is not moved to the VLAN and is not authenticated.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show dot1x
Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch on page 888
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883
Configuring Server Fail Fallback (CLI Procedure) on page 950
Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873

server-reject-vlan

Syntax
server-reject-vlan (vlan-id | vlan-name);

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
For EX Series switches configured for 802.1X authentication, specify that when the switch receives an Extensible Authentication Protocol Over LAN (EAPOL) Access-Reject message during the authentication process between the switch and the RADIUS authentication server, supplicants attempting access to the LAN are granted access and moved to a specific VLAN. Any VLAN name or VLAN ID sent by a RADIUS server as part of the EAPOL Access-Reject message is ignored.
When you specify the VLAN ID or VLAN name, the VLAN must already be configured on the switch.

Default
None

Options
vlan-id: Numeric identifier of the VLAN to which the supplicant is moved.
vlan-name: Name of the VLAN to which the supplicant is moved.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show dot1x
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883
Configuring Server Fail Fallback (CLI Procedure) on page 950
Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873

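The two fallback statements above together on one authenticator interface, as an added configuration example that is not from this guide. The VLAN name remediation, VLAN ID 900, the access profile name radius-profile, the server addresses and the interface ge-0/0/10.0 are constructed values; the authentication-order statement under the access profile is assumed, and the RADIUS shared secret configured at [edit access radius-server] is omitted.

```junos
# Added example, not from the guide. Names, addresses and the interface are constructed.
vlans {
    # server-fail vlan-name and server-reject-vlan both require the VLAN to exist already.
    remediation {
        vlan-id 900;
    }
}
access {
    profile radius-profile {
        authentication-order radius;   # assumed statement at [edit access profile]
        radius {
            # Tried in order, round-robin, until one answers or the retry limits are reached.
            authentication-server [ 10.0.0.11 10.0.0.12 ];
            accounting-server [ 10.0.0.11 ];
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name radius-profile;
            interface ge-0/0/10.0 {
                supplicant multiple;          # each host authenticated on its own
                retries 3;                    # attempts after the first failure
                reauthentication {
                    interval 3600;            # default; re-check each host hourly
                }
                server-timeout 30;
                # Weak setting, shown for contrast: "server-fail permit" opens the
                # port to every host as soon as all RADIUS servers are unreachable.
                # "use-cache" keeps hosts that already authenticated working and
                # still denies hosts that never did, which is the default behaviour.
                server-fail use-cache;
                # Hosts that receive an Access-Reject are parked in the remediation
                # VLAN (the VLAN the RADIUS server may send in the reject is ignored).
                server-reject-vlan remediation;
            }
        }
    }
}
```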
server-timeout

Syntax
server-timeout seconds;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, configure the amount of time a port will wait for a reply when relaying a response from the supplicant to the authentication server before timing out and invoking the server-fail action.

Default
30 seconds

Options
seconds: Number of seconds.
Range: 1 through 60 seconds
Default: 30 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show dot1x
clear dot1x
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883
802.1X for EX Series Switches Overview on page 865

static

Syntax
static mac-address {
    interface interface-names;
    vlan-assignment (vlan-id | vlan-name);
}

Hierarchy Level
[edit protocols dot1x authenticator authentication-profile-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure MAC addresses to exclude from 802.1X authentication. The static MAC list provides an authentication bypass mechanism for supplicants connecting to a port, permitting devices such as printers that are not 802.1X-enabled to be connected to the network on 802.1X-enabled ports.
Using this 802.1X authentication-bypass mechanism, the supplicant connected to the MAC address is assumed to be successfully authenticated and the port is opened for it. No further authentication is done for the supplicant.
You can optionally configure the VLAN that the supplicant is moved to, or the interfaces through which the MAC address can gain access.

Options
mac-address: The MAC address of the device for which 802.1X authentication should be bypassed and the device permitted access to the port.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show dot1x static-mac-address
Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
Configuring 802.1X Authentication (J-Web Procedure) on page 944
Understanding Static MAC Bypass of Authentication on EX Series Switches on page 879

supplicant

Syntax
supplicant (single | single-secure | multiple);

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, configure the method used to authenticate supplicants.

Default
Single.

Options
single: Authenticates only the first supplicant that connects to an authenticator port. All other supplicants connecting to the authenticator port after the first supplicant, regardless of whether they are 802.1X-enabled, are permitted free access to the port without further authentication. If the first authenticated supplicant logs out, all other supplicants are locked out until a supplicant authenticates again.
single-secure: Authenticates only one supplicant to connect to an authenticator port. No other supplicants can connect to the authenticator port until the first supplicant logs out.
multiple: Authenticates multiple supplicants individually on one authenticator port. You can configure the number of supplicants per port. If you configure a maximum number of devices that can be connected to a port through port security settings, the lower of the configured values is used to determine the maximum number of supplicants allowed per port.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
supplicant-timeout
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
Understanding 802.1X Authentication on EX Series Switches on page 867

supplicant-timeout

Syntax
supplicant-timeout seconds;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, configure how long the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request.

Default
30 seconds

Options
seconds: Number of seconds.
Range: 1 through 60 seconds
Default: 30 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
supplicant
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
Understanding 802.1X Authentication on EX Series Switches on page 867

traceoptions

Syntax
traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag;
}

Hierarchy Level
[edit protocols dot1x]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Define tracing operations for the 802.1X protocol.

Default
Tracing operations are disabled.

Options
file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files
flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
    all: All tracing operations.
    config-internal: Trace internal configuration operations.
    general: Trace general operations.
    normal: Trace normal operations.
    parse: Trace reading of the configuration.
    regex-parse: Trace regular-expression parsing operations.
    state: Trace protocol state changes.
    task: Trace protocol task operations.
    timer: Trace protocol timer operations.
match regex: (Optional) Refine the output to include only lines that contain the regular expression.
no-world-readable: (Optional) Restrict file access to the user who created the file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show lldp
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
802.1X for EX Series Switches Overview on page 865

traceoptions

Syntax
traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag (detail | disable | receive | send);
}

Hierarchy Level
[edit protocols lldp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Define tracing operations for the LLDP protocol.

Default
Tracing operations are disabled.

Options
file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files
flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
    all: All tracing operations.
    config: Trace configuration operations.
    packet: Trace packet events.
    rtsock: Trace routing socket operations.
match regex: (Optional) Refine the output to include only lines that contain the regular expression.
no-world-readable: (Optional) Restrict file access to the user who created the file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring LLDP-MED (CLI Procedure) on page 959
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

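Both traceoptions statements above (802.1X and LLDP) with bounded, access-restricted trace files, as an added configuration example that is not from this guide. The file names and the 3 x 1 MB rotation are constructed values.

```junos
# Added example, not from the guide. File names and sizes are constructed.
protocols {
    dot1x {
        traceoptions {
            # files and size must be given together: three 1 MB files, then the
            # oldest is overwritten, so tracing cannot fill /var/log.
            # no-world-readable keeps the file readable only by its creator;
            # 802.1X traces identify supplicants (MAC addresses, user names).
            file "dot1x-trace" files 3 size 1m no-world-readable;
            flag state;    # protocol state changes
            flag timer;    # timer events (quiet period, timeouts)
        }
    }
    lldp {
        traceoptions {
            file "lldp-trace" files 3 size 1m no-world-readable;
            flag packet;   # LLDP packet events, incoming neighbour claims included
        }
    }
}
```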
transmit-delay

Syntax
transmit-delay seconds;

Hierarchy Level
[edit protocols lldp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the delay between two successive LLDP advertisements.

Default
Disabled.

Options
seconds: Number of seconds between two successive LLDP advertisements.
Range: 1 through 8192 seconds
Default: 2

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show lldp
Configuring LLDP (CLI Procedure) on page 957
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

transmit-period

Syntax
transmit-period seconds;

Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For 802.1X authentication, configure how long the port waits before retransmitting the initial EAPOL PDUs to the supplicant.

Default
30 seconds

Options
seconds: Number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant.
Range: 1 through 65,535 seconds
Default: 30 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring 802.1X Interface Settings (CLI Procedure) on page 943
802.1X for EX Series Switches Overview on page 865

vlan

Syntax
vlan (vlan-id | vlan-name | untagged);

Hierarchy Level
[edit ethernet-switching-options voip interface (all | [interface-name | access-ports])]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For EX Series switches, specify the VLAN name or VLAN tag identifier associated with the VLAN to be sent from the authenticating server to the IP phone.

Options
vlan-name: Name of a VLAN.
vlan-id: The VLAN tag identifier.
Range: 0 through 4095. Tags 0 and 4095 are reserved by JUNOS Software, and you should not configure them.
untagged: Allow untagged VLAN traffic.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 926
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 932

vlan-assignment

Syntax
vlan-assignment (vlan-id | vlan-name);

Hierarchy Level
[edit protocols dot1x authenticator authentication-profile-name static mac-address]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
For MAC addresses that are on the static MAC list and excluded from 802.1X authentication, configure the VLAN that is associated with the device.

Options
vlan-id | vlan-name: The name of the VLAN or the VLAN tag identifier to associate with the device. The VLAN must already exist on the switch.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show dot1x static-mac-address
Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897
Understanding Static MAC Bypass of Authentication on EX Series Switches on page 879

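The static and vlan-assignment statements together for a non-802.1X printer, as an added configuration example that is not from this guide. The MAC address, the VLAN name printers with ID 300, the interface ge-0/0/20.0 and the profile name radius-profile are constructed values.

```junos
# Added example, not from the guide. MAC address, VLAN, interface and profile name are constructed.
vlans {
    printers {
        vlan-id 300;   # vlan-assignment requires the VLAN to exist already
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name radius-profile;
            static {
                # This address is admitted with no authentication at all, so
                # confine it: the interface statement limits the bypass to the
                # one port the printer is cabled to, and vlan-assignment keeps
                # it off the VLANs that authenticated users land in.
                00:11:22:33:44:55 {
                    interface ge-0/0/20.0;
                    vlan-assignment printers;
                }
            }
        }
    }
}
```

show dot1x static-mac-address lists the bypassed addresses, and the "Number of clients bypassed because of authentication" field of show dot1x interface detail shows which ports are currently admitting them.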
voip

Syntax
voip {
    interface (all | [interface-name | access-ports]) {
        vlan (vlan-id | vlan-name | untagged);
        forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
    }
}

Hierarchy Level
[edit ethernet-switching-options]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure voice over IP (VoIP) interfaces.
The statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 926
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 932

what

Syntax
what number;

Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location civic-based]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Modified in JUNOS Release 9.2 for EX Series switches to display new default.

Description
For Link Layer Discovery Protocol-Media Endpoint Device (LLDP-MED), configure the location to which the DHCP entry refers. This information is advertised, along with other location information, from the switch to the MED. It is used during emergency calls to identify the location of the MED.
Options 0 and 1 should not be used unless it is known that the DHCP client is in close physical proximity to the server or network element.

Default

Options
number: Location:
    0: Location of the DHCP server.
    1: Location of a network element believed to be closest to the client.
    2: Location of the client.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show lldp
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 919
Configuring LLDP-MED (CLI Procedure) on page 959

Chapter 54
Operational Commands for 802.1X

clear dot1x

Syntax
clear dot1x (interface (all | [interface-names]) | mac-address [mac-addresses])

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Reset the authentication state of a port. When you reset a port, reauthentication on the port is also triggered. The switch sends out a multicast message on the port to restart the authentication of all connected supplicants. If a MAC address is reset, then the switch sends out a unicast message to that specific MAC address to restart authentication.
If a supplicant is sending traffic when the clear dot1x interface command is issued, the authenticator immediately initiates reauthentication. This process happens very quickly, and it may seem that reauthentication did not occur. To verify that reauthentication has happened, issue the operational mode command show dot1x interface detail. The values for Reauthentication due and Reauthentication interval will be about the same.

Options
all: (Optional) Clears all ports. Alternatively, specify particular ports or particular MAC addresses.
interface interface-names: (Optional) Resets the authentication state of all supplicants connected to the specified ports (when the port is an authenticator) or for itself (when the port is a supplicant).
mac-address mac-addresses: Resets the authentication state only for the specified MAC addresses.

Required Privilege Level
view

Related Topics
show dot1x
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 907
Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953

List of Sample Output
clear dot1x interface on page 1032
clear dot1x mac-address on page 1032

clear dot1x interface
user@switch> clear dot1x interface [ge-1/0/0 ge-2/0/0 ge-2/0/0 ge5/0/0]

clear dot1x mac-address
user@switch> clear dot1x mac-address 00:04:ae:cd:23:5f

clear lldp neighbors

Syntax
clear lldp neighbors
<interface interface>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Clear the learned remote neighbor information on all or selected interfaces.

Options
none: Clear the remote neighbor information on all interfaces.
interface interface: (Optional) Clear the remote neighbor information from one or more selected interfaces.

Required Privilege Level
view

Related Topics
show lldp
Configuring LLDP (CLI Procedure) on page 957
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

List of Sample Output
clear lldp neighbors on page 1033
clear lldp neighbors interface ge-0/1/1.0 on page 1033

clear lldp neighbors
user@switch> clear lldp neighbors

clear lldp neighbors interface ge-0/1/1.0
user@switch> clear lldp neighbors interface ge-0/1/1.0

clear lldp statistics

Syntax
clear lldp statistics
<interface interface>

Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
Clear LLDP statistics on one or more interfaces.

Options
none: Clears LLDP statistics on all interfaces.
interface interface-names: (Optional) Clear LLDP statistics on one or more interfaces.

Required Privilege Level
view

Related Topics
Configuring LLDP (CLI Procedure) on page 957
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

List of Sample Output
clear lldp statistics on page 1034
clear lldp statistics interface ge-0/1/1.0 on page 1034

clear lldp statistics
user@switch> clear lldp statistics

clear lldp statistics interface ge-0/1/1.0
user@switch> clear lldp statistics interface ge-0/1/1.0

show dot1x
Syntax

Release Information
Description
Options

show dot1x
<brief | detail>
<interface [interface-names]>

Command introduced in JUNOS Release 9.0 for EX Series switches.


Display the current operational state of all ports with the list of connected users.
noneDisplay information for all authenticator ports.
brief | detail(Optional) Display the specified level of output.
interface interface-namesDisplay information for the specified port with a list of

connected supplicants.
Required Privilege Level
Related Topics

List of Sample Output


Output Fields

view

clear dot1x

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant


Configurations on an EX Series Switch on page 907

Example: Configuring 802.1X Authentication Options When the RADIUS Server


is Unavailable to an EX Series Switch on page 888

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on


page 883

Example: Configuring MAC RADIUS Authentication on an EX Series Switch on


page 902

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch


on page 919

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 953

Verifying 802.1X Authentication on page 964

show dot1x interface brief on page 1038


show dot1x interface detail on page 1038
Table 132 on page 1035 lists the output fields for the show dot1x command. Output
fields are listed in the approximate order in which they appear.

Table 132: show dot1x Output Fields


Field Name

Field Description

Level of Output

Interface

Name of a port.

All levels

MAC address

The MAC address of the connected supplicant on the port.

All levels

show dot1x

1035

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 132: show dot1x Output Fields (continued)


Field Name

Field Description

Level of Output

Role

The 802.1X authentication role of the interface. When 802.1X is enabled on


an interface, the role is Authenticator. As Authenticator, the interface blocks LAN
access until a supplicant is authenticated through 802.1X or MAC RADIUS
authentication.

brief, detail

State

The state of the port:

brief

AuthenticatedThe supplicant has been authenticated through the RADIUS

server or has been permitted access through server fail fallback.

AuthenticatingThe supplicant is authenticating through the RADIUS server.

HeldAn action has been triggered through server fail fallback during a

RADIUS server timeout. A supplicant is denied access, permitted access


through a specified VLAN, or maintains the authenticated state granted
to it before the RADIUS server timeout occurred.
Administrative state

The administrative state of the port:

detail

autoTraffic is allowed through the port based on the authentication

result. (Default)

force-authorizeAll traffic flows through the port irrespective of the

authentication result. This state is not allowed on an interface whose VLAN


membership has been set to dynamic.

force-unauthorizeAll traffic drops on the port irrespective of the

authentication result. This state is not allowed on an interface whose VLAN


membership has been set to dynamic.
The mode for the supplicant:

Supplicant

detail

singleAuthenticates only the first supplicant. All other supplicants who

connect later to the port are allowed full access without any further
authentication. They effectively piggyback on the first supplicants
authentication.

single-secureAllows only one supplicant to connect to the port. No other

supplicant is allowed to connect until the first supplicant logs out.

multipleAllows multiple supplicants to connect to the port. Each

supplicant is authenticated individually.


Quiet period

The number of seconds the port remains in the wait state following a failed
authentication exchange with the supplicant before reattempting the
authentication. The default value is 60 seconds. The range is 0 through 65,535
seconds.

detail

Transmit period

The number of seconds the port waits before retransmitting the initial EAPOL
PDUs to the supplicant. The default value is 30 seconds. The range is 1 through
65,535 seconds.

detail

MAC radius

MAC RADIUS authentication:

detail

enabledThe switch sends an EAPOL request to the connecting host to

attempt 802.1X authentication and if the connecting host is unresponsive,


the switch tries to authenticate using the MAC address.

disabledThe default. The switch will not attempt to authenticate the

MAC address of the connecting host.

1036

show dot1x

Chapter 54: Operational Commands for 802.1X

Table 132: show dot1x Output Fields (continued)


Field Name

Field Description

Level of Output

MAC radius restrict

The authentication method is restricted to MAC RADIUS only. 802.1X


authentication is not enabled.

detail

Reauthentication

The reauthentication state:

detail

disablePeriodic reauthentication of the client is disabled.

intervalSets the periodic reauthentication time interval. The default value

is 3600 seconds. The range is 1 through 65,535 seconds.


Supplicant timeout

The number of seconds the port waits for a response when relaying a request
from the authentication server to the supplicant before resending the request.
The default value is 30 seconds. The range is 1 through 60 seconds.

detail

Server timeout

The number of seconds the port waits for a reply when relaying a response
from the supplicant to the authentication server before timing out. The default
value is 30 seconds. The range is 1 through 60 seconds.

detail

Maximum EAPOL
requests

The maximum number of retransmission times of an EAPOL request packet


to the supplicant before the authentication session times out. The default value
is 2. The range is 1 through 10.

detail

Number of clients bypassed because of authentication

The number of non-802.1X clients granted access to the LAN by means of static MAC bypass. The following fields are displayed:

Client: MAC address of the client.

vlan: The name of the VLAN to which the client is connected.

detail


Guest VLAN member

The VLAN to which a supplicant is connected when the supplicant is authenticated using a guest VLAN. If a guest VLAN is not configured on the interface, this field displays <not configured>.

detail

Number of connected
supplicants

The number of supplicants connected to a port.

detail

Supplicant

The user name and MAC address of the connected supplicant.

detail


Authentication method

The 802.1X authentication method used for a supplicant:

Guest VLAN: A supplicant is connected to the LAN through the guest VLAN.

MAC Radius: A nonresponsive host is authenticated based on its MAC address. The MAC address is configured as permitted on the RADIUS server, the RADIUS server lets the switch know that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.

Radius: A supplicant is configured on the RADIUS server, the RADIUS server communicates this to the switch, and the switch opens LAN access on the interface to which the supplicant is connected.

Server-fail deny: If the RADIUS servers time out, all supplicants are denied access to the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default.

Server-fail permit: When the RADIUS server is unavailable, a supplicant is still permitted access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server. This is a fail-open setting: a session admitted this way has not been verified by the RADIUS server.

Server-fail use-cache: If the RADIUS servers time out during reauthentication, previously authenticated supplicants are reauthenticated, but new supplicants are denied LAN access.

Server-fail VLAN: A supplicant is configured to be moved to a specified VLAN if the RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.)

detail

Authenticated VLAN

The VLAN to which the supplicant is connected.

detail

Dynamic filter

User policy filter sent by the RADIUS server.

detail

Session Reauth
interval

The configured reauthentication interval.

detail

Reauthentication due
in

The number of seconds in which reauthentication will occur again for the
connected supplicant.

detail

show dot1x interface brief

user@switch> show dot1x interface [ge-0/0/1 ge-0/0/2 ge-0/0/3] brief

Interface    Role            State            MAC address
---------    -------------   --------------   -----------------
ge-0/0/1     Authenticator   Authenticated    00:a0:d2:18:1a:c8
                             Authenticating   00:a0:e5:32:97:af
ge-0/0/2     Authenticator   Connecting
ge-0/0/3     Supplicant      Authenticated    00:a6:55:f2:94:ae

show dot1x interface detail

user@switch> show dot1x interface ge-0/0/16.0 detail

ge-0/0/16.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Strict: Disabled
  Reauthentication: Enabled
  Reauthentication interval: 40 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 1
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: abc, 00:30:48:8C:66:BD
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: v200
      Reauthentication due in 17 seconds
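The detail output is what an auditor reads to find ports that admit hosts without a RADIUS decision. The following Python script is an added example, not part of this documentation or of Juniper's software: it parses text in the layout of the detail sample (for instance, captured over SSH for every interface) and flags fail-open conditions: supplicants whose Authentication method is Server-fail permit, Server-fail use-cache, Server-fail VLAN or Guest VLAN, interfaces with reauthentication disabled, and interfaces restricted to MAC RADIUS. Its embedded sample is constructed: ge-0/0/16.0 follows the documented output, while ge-0/0/17.0, its settings, user names and MAC addresses are assumed for the example.

```python
"""Audit 'show dot1x interface <name> detail' output for fail-open 802.1X posture.
Added example, not part of the JUNOS documentation or of Juniper's software. It
assumes the block layout of the documented sample: an unindented interface header,
indented settings, then one 'Supplicant:' sub-block per connected host."""
import re
from typing import Dict, List, Tuple

# Constructed sample: ge-0/0/16.0 follows the documented output; ge-0/0/17.0 and
# its supplicant names and MAC addresses are assumed for this example.
SAMPLE = """\
ge-0/0/16.0
  Role: Authenticator
  Mac Radius: Enabled
  Mac Radius Strict: Disabled
  Reauthentication: Enabled
  Reauthentication interval: 40 seconds
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: abc, 00:30:48:8C:66:BD
      Authentication method: Radius
      Authenticated VLAN: v200
      Reauthentication due in 17 seconds
ge-0/0/17.0
  Role: Authenticator
  Mac Radius: Enabled
  Mac Radius Strict: Enabled
  Reauthentication: Disabled
  Guest VLAN member: guests
  Number of connected supplicants: 2
    Supplicant: printer1, 00:11:22:33:44:55
      Authentication method: Server-fail permit
      Authenticated VLAN: v200
    Supplicant: unknown, 00:aa:bb:cc:dd:ee
      Authentication method: Guest VLAN
      Authenticated VLAN: guests
"""

_IFACE_RE = re.compile(r"^([a-z]+-\d+/\d+/\d+\.\d+)\s*$")   # unindented block header
_SUPPLICANT_RE = re.compile(r"^\s*Supplicant:\s*(\S+),\s*([0-9A-Fa-f:]+)\s*$")
_REAUTH_DUE_RE = re.compile(r"^\s*Reauthentication due in (\d+) seconds\s*$")
_KV_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

# Authentication methods under which a host was admitted without a positive
# RADIUS decision (see the Authentication method field in Table 132).
NOT_RADIUS_VERIFIED = {
    "Server-fail permit": "fail-open: admitted while RADIUS was unreachable",
    "Server-fail use-cache": "admitted on a cached, possibly stale RADIUS decision",
    "Server-fail VLAN": "moved to the server-fail VLAN without a RADIUS decision",
    "Guest VLAN": "guest VLAN: no credentials were presented",
}


def parse_dot1x_detail(text: str) -> Dict[str, dict]:
    """Return {interface: {setting: value, ..., "supplicants": [{...}, ...]}}."""
    interfaces: Dict[str, dict] = {}
    current = supplicant = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _IFACE_RE.match(line)
        if m:                                    # start of an interface block
            current = interfaces.setdefault(m.group(1), {"supplicants": []})
            supplicant = None
            continue
        if current is None:
            continue                             # text before the first block
        m = _SUPPLICANT_RE.match(line)
        if m:                                    # start of a supplicant sub-block
            supplicant = {"user": m.group(1), "mac": m.group(2).lower()}
            current["supplicants"].append(supplicant)
            continue
        m = _REAUTH_DUE_RE.match(line)
        if m and supplicant is not None:         # the one line printed without a colon
            supplicant["Reauthentication due in"] = int(m.group(1))
            continue
        m = _KV_RE.match(line)
        if m:                                    # settings go to the innermost open block
            (supplicant if supplicant is not None else current)[m.group(1)] = m.group(2)
    return interfaces


def audit(interfaces: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for authenticator ports with weak posture."""
    findings: List[Tuple[str, str]] = []
    for name, cfg in interfaces.items():
        if cfg.get("Role") != "Authenticator":
            continue
        if cfg.get("Reauthentication", "").lower() == "disabled":
            findings.append((name, "reauthentication disabled: an admitted session is never re-checked"))
        if cfg.get("Mac Radius Strict", "").lower() == "enabled":
            findings.append((name, "MAC RADIUS restrict: 802.1X is not attempted, the MAC address is the only credential"))
        for sup in cfg["supplicants"]:
            reason = NOT_RADIUS_VERIFIED.get(sup.get("Authentication method", ""))
            if reason:
                findings.append((name, f"{sup['user']} ({sup['mac']}) on VLAN "
                                       f"{sup.get('Authenticated VLAN', '?')}: {reason}"))
    return findings
```

Run audit(parse_dot1x_detail(text)) on the captured output; for the constructed sample it reports nothing for ge-0/0/16.0 and four findings for ge-0/0/17.0. Settings are stored under the exact key text the switch prints, so a field added in a later release is carried through without a parser change.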


show dot1x authentication-failed-users

Syntax

show dot1x authentication-failed-users

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Displays supplicants (users) that have failed 802.1X authentication.

Required Privilege Level

view

Related Topics

clear dot1x

Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

List of Sample Output

show dot1x authentication-failed-users on page 1040

Output Fields

Table 133 on page 1040 lists the output fields for the show dot1x authentication-failed-users command. Output fields are listed in the approximate order in which they appear.

Table 133: show dot1x authentication-failed-users Output Fields

Field Name

Field Description

Level of Output

Interface

The interface on which the supplicant failed 802.1X authentication.

all

MAC address

The MAC address of the supplicant that failed 802.1X authentication.

all

User

The user name presented by the supplicant that failed 802.1X authentication.

all

show dot1x authentication-failed-users

user@switch> show dot1x authentication-failed-users

Interface     MAC address          User
ge-0/0/0.0    00:00:00:10:00:02    md5user02


show dot1x static-mac-address

Syntax

show dot1x static-mac-address <interface interface-name>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Displays all the static MAC addresses that are configured to bypass 802.1X authentication on the switch.

Options

interface interface-name: (Optional) Display static MAC addresses for a specific interface.

Required Privilege Level

view

Related Topics

clear dot1x

Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 897

Configuring 802.1X Interface Settings (CLI Procedure) on page 943

Understanding Static MAC Bypass of Authentication on EX Series Switches on page 879

List of Sample Output

show dot1x static-mac-address on page 1041

show dot1x static-mac-address interface ge-0/0/0.1 on page 1041

Output Fields

Table 134 on page 1041 lists the output fields for the show dot1x static-mac-address command. Output fields are listed in the approximate order in which they appear.

Table 134: show dot1x static-mac-address Output Fields

Field Name

Field Description

Level of Output

MAC address

The MAC address of the device that is configured to bypass 802.1X authentication.

all

VLAN-Assignment

The name of the VLAN to which the device is assigned.

all

Interface

The name of the interface on which authentication is bypassed for a given MAC address.

all

show dot1x static-mac-address

user@switch> show dot1x static-mac-address

MAC address          VLAN-Assignment   Interface
00:00:00:11:22:33    facilities        ge-0/0/3.0
00:00:00:00:12:12                      ge-0/0/1.0
00:00:00:02:34:56

show dot1x static-mac-address interface ge-0/0/0.1

user@switch> show dot1x static-mac-address interface ge-0/0/0.1

MAC address          VLAN-Assignment   Interface
00:00:00:12:24:12    support           ge-0/0/1.0
00:00:00:72:30:58    support           ge-0/0/1.0


show ethernet-switching interfaces

Syntax

show ethernet-switching interfaces
<brief | detail | summary>
<interface interface-name>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

In JUNOS Release 9.6 for EX Series switches, the following updates were made:

Blocking field output updated.

The default view updated to include information about 802.1Q tags.

The detail view updated to include information about VLAN mapping.

Description

Display information about switched Ethernet interfaces.

Options

none: (Optional) Display brief information for Ethernet switching interfaces.

brief | detail | summary: (Optional) Display the specified level of output.

interface interface-name: (Optional) Display Ethernet switching information for a specific interface.

Required Privilege Level

view

Related Topics

show ethernet-switching mac-learning-log

show ethernet-switching table

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

List of Sample Output

show ethernet-switching interfaces on page 1044

show ethernet-switching interfaces ge-0/0/15 brief on page 1045

show ethernet-switching interfaces ge-0/0/2 detail (Blocked by RTG rtggroup) on page 1045

show ethernet-switching interfaces ge-0/0/15 detail (Blocked by STP) on page 1045

show ethernet-switching interfaces ge-0/0/17 detail (Disabled by bpdu-control) on page 1045

show ethernet-switching interfaces detail (C-VLAN to S-VLAN Mapping) on page 1045

Output Fields

Table 135 on page 1043 lists the output fields for the show ethernet-switching interfaces command. Output fields are listed in the approximate order in which they appear.

Table 135: show ethernet-switching interfaces Output Fields


Field Name

Field Description

Level of Output

Interface

Name of a switching interface.

All levels

State

Interface state. Values are up and down.

none, brief, detail,


summary


VLAN members

Name of a VLAN.

none, brief, detail,


summary

Tag

Number of the 802.1Q-tag.

All levels

Tagging

Specifies whether the interface forwards 802.1Q-tagged or untagged traffic.

All levels

Blocking

The forwarding state of the interface:

unblocked: Traffic is forwarded on the interface.

blocked: Traffic is not being forwarded on the interface.

Disabled by bpdu-control: The interface is disabled because BPDUs were received on a protected interface. If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires.

blocked by RTG: The interface is blocked as the backup link of the named redundant trunk group.

blocked by STP: The interface has been placed in a non-forwarding state by a spanning-tree protocol.

MAC limit exceeded: The interface is temporarily disabled because the configured MAC limit was exceeded. The disabled interface is automatically restored to service when the disable timeout expires.

MAC move limit exceeded: The interface is temporarily disabled because the configured MAC move limit was exceeded. The disabled interface is automatically restored to service when the disable timeout expires.

Storm control in effect: The interface is temporarily disabled because storm control was triggered. The disabled interface is automatically restored to service when the disable timeout expires.

none, brief, detail, summary
Index

The VLAN index internal to JUNOS Software.

detail

mapping

The C-VLAN to S-VLAN mapping information:

dot1q-tunneled: The interface maps all traffic to the S-VLAN (all-in-one bundling).

native: The interface maps untagged and priority-tagged packets to the S-VLAN.

push: The interface maps packets selected by a firewall filter to an S-VLAN.

policy-mapped: The interface maps packets to a specifically defined S-VLAN.

integer: The interface maps packets to the specified S-VLAN.

detail

show ethernet-switching interfaces

user@switch> show ethernet-switching interfaces

Interface     State  VLAN members   Tag   Tagging    Blocking
ae0.0         up     default              untagged   unblocked
ge-0/0/2.0    up     vlan300        300   untagged   blocked by RTG (rtggroup)
ge-0/0/3.0    up     default              untagged   blocked by STP
ge-0/0/4.0    down   default              untagged   MAC limit exceeded
ge-0/0/5.0    down   default              untagged   MAC move limit exceeded
ge-0/0/6.0    down   default              untagged   Storm control in effect
ge-0/0/7.0    down   default              untagged   unblocked
ge-0/0/13.0   up     default              untagged   unblocked
ge-0/0/14.0   up     vlan100        100   tagged     unblocked
                     vlan200        200   tagged     unblocked
ge-0/0/15.0   up     vlan100        100   tagged     blocked by STP
                     vlan200        200   tagged     blocked by STP
ge-0/0/16.0   down   default              untagged   unblocked
ge-0/0/17.0   down   vlan100        100   tagged     Disabled by bpdu-control
                     vlan200        200   tagged     Disabled by bpdu-control

show ethernet-switching interfaces ge-0/0/15 brief

user@switch> show ethernet-switching interfaces ge-0/0/15 brief

Interface     State  VLAN members   Tag   Tagging    Blocking
ge-0/0/15.0   up     vlan100        100   tagged     blocked by STP
                     vlan200        200   tagged     blocked by STP

show ethernet-switching interfaces ge-0/0/2 detail (Blocked by RTG rtggroup)

user@switch> show ethernet-switching interfaces ge-0/0/2 detail

Interface: ge-0/0/2.0, Index: 65, State: up, Port mode: Access
VLAN membership:
    vlan300, 802.1Q Tag: 300, untagged, msti-id: 0, blocked by RTG(rtggroup)
Number of MACs learned on IFL: 0

show ethernet-switching interfaces ge-0/0/15 detail (Blocked by STP)

user@switch> show ethernet-switching interfaces ge-0/0/15 detail

Interface: ge-0/0/15.0, Index: 70, State: up, Port mode: Trunk
VLAN membership:
    vlan100, 802.1Q Tag: 100, tagged, msti-id: 0, blocked by STP
    vlan200, 802.1Q Tag: 200, tagged, msti-id: 0, blocked by STP
Number of MACs learned on IFL: 0

show ethernet-switching interfaces ge-0/0/17 detail (Disabled by bpdu-control)

user@switch> show ethernet-switching interfaces ge-0/0/17 detail

Interface: ge-0/0/17.0, Index: 71, State: down, Port mode: Trunk
VLAN membership:
    vlan100, 802.1Q Tag: 100, tagged, msti-id: 1, Disabled by bpdu-control
    vlan200, 802.1Q Tag: 200, tagged, msti-id: 2, Disabled by bpdu-control
Number of MACs learned on IFL: 0

show ethernet-switching interfaces detail (C-VLAN to S-VLAN Mapping)

user@switch> show ethernet-switching interfaces ge-0/0/6.0 detail

Interface: ge-0/0/6.0, Index: 73, State: up, Port mode: Access
VLAN membership:
    map, 802.1Q Tag: 134, Mapped Tag: native, push, dot1q-tunneled, unblocked
    map, 802.1Q Tag: 134, Mapped Tag: 20, push, dot1q-tunneled, unblocked

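Several of the Blocking values (MAC limit exceeded, MAC move limit exceeded, Storm control in effect, Disabled by bpdu-control) are the visible trace of a port-protection feature taking an interface out of service, and they disappear again once the disable timeout restores the port, so an operator who wants to know that they happened has to poll for them. The following Python script is an added example, not part of this documentation or of Juniper's software: it parses the default view in the layout shown above, including the continuation rows that a trunk interface prints with the Interface and State cells empty, and returns the interfaces currently held down by a protection feature. The embedded sample is constructed from the documented output.

```python
"""Parse 'show ethernet-switching interfaces' and pull out port-protection shutdowns.
Added example, not part of the JUNOS documentation or of Juniper's software. It
assumes the default-view column layout shown above, where a trunk interface prints
one continuation row per VLAN with the Interface and State cells left empty."""
import re
from typing import Dict, List

# Constructed sample, built from the documented default-view output above.
SAMPLE = """\
Interface     State  VLAN members   Tag   Tagging    Blocking
ae0.0         up     default              untagged   unblocked
ge-0/0/2.0    up     vlan300        300   untagged   blocked by RTG (rtggroup)
ge-0/0/3.0    up     default              untagged   blocked by STP
ge-0/0/4.0    down   default              untagged   MAC limit exceeded
ge-0/0/5.0    down   default              untagged   MAC move limit exceeded
ge-0/0/6.0    down   default              untagged   Storm control in effect
ge-0/0/7.0    down   default              untagged   unblocked
ge-0/0/13.0   up     default              untagged   unblocked
ge-0/0/14.0   up     vlan100        100   tagged     unblocked
                     vlan200        200   tagged     unblocked
ge-0/0/15.0   up     vlan100        100   tagged     blocked by STP
                     vlan200        200   tagged     blocked by STP
ge-0/0/16.0   down   default              untagged   unblocked
ge-0/0/17.0   down   vlan100        100   tagged     Disabled by bpdu-control
                     vlan200        200   tagged     Disabled by bpdu-control
"""

_IFACE_RE = re.compile(r"^(?:[a-z]+-\d+/\d+/\d+|ae\d+)\.\d+$")   # ge-0/0/2.0, ae0.0

# Blocking values that mean a protection feature took the port out of service.
# Compared case-insensitively with '-' treated as a space, so both spellings of
# the BPDU-control state in this chapter match.
PROTECTION_STATES = (
    "mac limit exceeded",
    "mac move limit exceeded",
    "storm control in effect",
    "disabled by bpdu control",
)


def parse_switching_interfaces(text: str) -> List[dict]:
    """Return one row per (interface, VLAN) pair, with continuation rows filled in."""
    rows: List[dict] = []
    iface = state = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Interface":
            continue                               # blank line or column header
        if _IFACE_RE.match(tokens[0]):
            iface, state = tokens[0], tokens[1]    # first row of a new interface
            tokens = tokens[2:]
        elif iface is None:
            continue                               # continuation row before any interface
        vlan, rest = tokens[0], tokens[1:]
        tag = None
        if rest and rest[0].isdigit():             # Tag cell is empty on untagged rows
            tag, rest = int(rest[0]), rest[1:]
        rows.append({"interface": iface, "state": state, "vlan": vlan, "tag": tag,
                     "tagging": rest[0], "blocking": " ".join(rest[1:])})
    return rows


def protection_disabled(rows: List[dict]) -> Dict[str, str]:
    """Map each interface held down by a protection feature to its Blocking text."""
    hits: Dict[str, str] = {}
    for row in rows:
        norm = row["blocking"].lower().replace("-", " ")
        if norm.startswith(PROTECTION_STATES):
            hits.setdefault(row["interface"], row["blocking"])
    return hits
```

On the constructed sample, protection_disabled(parse_switching_interfaces(SAMPLE)) returns ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0 and ge-0/0/17.0 with their Blocking text; ports that are merely blocked by STP or RTG are left out because those are topology states, not enforcement events.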

show lldp

Syntax

show lldp
<detail>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display information about Link Layer Discovery Protocol (LLDP). LLDP is used to learn and distribute device information on network links.

Options

none: Display LLDP information for all interfaces.

detail: (Optional) Display detailed LLDP information for all interfaces.

Required Privilege Level

view

Related Topics

Configuring LLDP (CLI Procedure) on page 957

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

List of Sample Output

show lldp on page 1048

show lldp (detail) on page 1049

Output Fields

Table 136 on page 1046 lists the output fields for the show lldp command. Output fields are listed in the approximate order in which they appear.

Table 136: show lldp Output Fields


Field Name

Field Description

Level of Output

LLDP

The LLDP operating state. The state can be enabled or disabled.

All levels

Advertisement Interval

The frequency, in seconds, at which LLDP advertisements are sent. The default
value is 30 seconds.

All levels

Transmit Delay

The delay between two successive LLDP advertisements. The default value is
2 seconds.

All levels

Hold Timer

The multiplier used in combination with the advertisement-interval value to determine the length of time LLDP information is held before it is discarded. The default value is 4 (or 120 seconds with the default 30-second advertisement interval).

All levels

LLDP-MED

The Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) operating state. The state can be enabled or disabled.

All levels

LLDP-MED fast start count

The number of advertisements sent from a switch to a device, such as a VoIP telephone, when the device is first detected by the switch. These fast-start advertisements are sent once per second and are temporary; after the device and the switch have exchanged information, advertisements return to the regular advertisement interval. The default value is 3. The range is from 1 through 10.

All levels


LLDP Port Configuration

The LLDP port configuration:

Port: The port number.

LLDP: The LLDP operating state. The state can be enabled or disabled.

LLDP-MED: The LLDP-MED operating state. The state can be enabled or disabled.

Neighbor Count: (detail) The total number of new LLDP neighbors detected since the last switch reboot.

All levels

LLDP Vlan export details

The LLDP VLAN information that is advertised:

Port: The interface on which LLDP is configured.

Vlan-id: The VLAN tag associated with the interface sending LLDP frames. If a port is not a member of a VLAN, the VLAN ID is advertised as 0.

Vlan-name: The VLAN name associated with the VLAN ID.

detail

NotificationEnabled

The LLDP event notification information:

R: Received.

T: Transmitted.

detail

LLDP Basic TLVs Supported

The basic TLVs supported on the switch:

Chassis Identifier: The MAC address associated with the local system.

Port identifier: The port identification for the specified port in the local system.

Port Description: The user-configured port description. The port description can be a maximum of 256 characters.

System Name: The user-configured name of the local system. The system name can be a maximum of 256 characters.

System Description: The system description containing information about the software and current image running on the system. This information is not configurable, but taken from the software.

System Capabilities: The primary function performed by the system. The capabilities that the system supports are defined; for example, bridge or router. This information is not configurable, but based on the model of the product.

Management Address: The IP management address of the local system.

detail

LLDP 802.3 TLVs Supported

The 802.3 TLVs supported on the switch:

Power via MDI: A TLV that advertises MDI power support, PSE power pair, and power class information.

MAC/PHY Configuration Status: A TLV that advertises information about the physical interface, such as autonegotiation status and support and MAU type. The information is not configurable, but based on the physical interface structure.

Link Aggregation: A TLV that advertises whether the interface is aggregated and its aggregated interface ID.

Maximum Frame Size: A TLV that advertises the maximum transmission unit (MTU) of the interface sending LLDP frames.

Port Vlan: A TLV that advertises the VLAN name configured on the interface.

detail

LLDP-MED TLVs Enabled

The LLDP-MED TLVs supported on the switch:

LLDP MED Capabilities: A TLV that advertises the primary function of the port. The capabilities values range from 0 through 15:

0 Capabilities
1 Network Policy
2 Location Identification
3 Extended Power via MDI-PSE
4 Inventory
5-15 Reserved

LLDP-MED Device Class Values:

0 Class not defined
1 Class 1 Device
2 Class 2 Device
3 Class 3 Device
4 Network Connectivity Device
5-255 Reserved

Network Policy: A TLV that advertises the port VLAN configuration and associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p priority bits and DiffServ code points.

Endpoint Location: A TLV that advertises the physical location of the endpoint.

Extended Power via MDI: A TLV that advertises the power type, power source, power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.

detail

show lldp

user@host> show lldp

LLDP                     : Enabled
Advertisement interval   : 30 seconds
Transmit Delay           : 2 seconds
Hold timer               : 120 seconds
LLDP-MED                 : Enabled
LLDP-MED fast start count: 3
LLDP Port Configuration:
Port          LLDP       LLDP-MED
----------    --------   --------
All           Enabled    Disabled
ge-0/1/0.0    Enabled    Enabled
ge-0/1/1.0    Enabled    Enabled
ge-0/1/2.0    Enabled    Disabled
ge-0/1/3.0    Enabled    Disabled
ge-0/1/4.0    Enabled    Disabled
ge-0/1/5.0    Enabled    Disabled
ge-0/1/6.0    Enabled    Disabled
ge-0/1/7.0    Disabled   Disabled

show lldp (detail)

user@switch> show lldp detail

LLDP                     : Enabled
Advertisement interval   : 30 seconds
Transmit Delay           : 2 seconds
Hold timer               : 120 seconds
LLDP-MED                 : Enabled
LLDP-MED fast start count: 3
LLDP Port Configuration:
Port          LLDP       LLDP-MED   Neighbor count
----------    --------   --------   --------------
All           Enabled    Disabled   11
ge-0/1/0.0    Enabled    Enabled    1
ge-0/1/1.0    Enabled    Enabled    2
ge-0/1/2.0    Enabled    Disabled   2
ge-0/1/3.0    Enabled    Disabled   2
ge-0/1/4.0    Enabled    Disabled   2
ge-0/1/5.0    Enabled    Disabled   1
ge-0/1/6.0    Enabled    Disabled   1
ge-0/1/7.0    Disabled   Disabled   0

LLDP Vlan export details:
Port          Vlan-id   Vlan-name
----------    -------   ---------
ge-0/0/0.0    100       Voice
ge-0/0/1.0    200       Voice
NotificationEnabled:
--------------------
R(lldpRemTablesChange), T(lldpXMEDTopologyChangeDetected)
LLDP Basic TLVs Supported:
--------------------------
Chassis identifier, Port identifier, Port Description, System Name, System
Description, System Capabilities, Management Address.
LLDP 802.3 TLVs Supported:
--------------------------
Power via MDI, MAC/PHY Configuration Status, Link Aggregation,
Maximum Frame Size, Port Vlan, Port and Protocol Vlan ID,
Protocol Identity.
LLDP-MED TLVs Enabled:
----------------------
LLDP MED Capabilities, Network Policy, Endpoint Location,
Extended Power Via MDI.


show lldp local-info

Syntax

show lldp local-info

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Displays the Link Layer Discovery Protocol (LLDP) information that the switch itself advertises on its local interfaces.

Options

none: Display local LLDP information for all interfaces.

Required Privilege Level

view

Related Topics

Configuring LLDP (CLI Procedure) on page 957

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

List of Sample Output

show lldp local-info on page 1051

Output Fields

Table 137 on page 1051 lists the output fields for the show lldp local-info command. Output fields are listed in the approximate order in which they appear.

Table 137: show lldp local-info Output Fields

Field Name

Field Description

Level of Output

LLDP Local MIB Details

LLDP local details:

Chassis ID: The MAC address associated with the local system.

System name: The user-configured name of the local system.

System descr: The system description containing information about the software and current image running on the system. This information is not configurable, but taken from the software.

Interface Name: The name of the interface.

Interface ID: The port component of the MAC Service Access Point (MSAP) identifier associated with the transmitting LLDP agent.

Interface Descr: The port description. The port description is the value entered at the [edit interfaces interface-name unit unit-number description] hierarchy level.

All levels

show lldp local-info

user@host> show lldp local-info

LLDP Local MIB details
----------------------
Chassis ID   : 00:19:e2:50:4a:c0
System name  : sw-java-u
System descr : Juniper Networks, Inc. olive internet router, Version 8.5I0 [mgprasad] Build date: 2007-08-02 22:00:31 UTC

Interface Name    Interface ID    Interface Descr
--------------    ------------    ---------------
ge-0/1/0.0        18              Avaya Port
ge-0/1/1.0        27              Port for Hub
ge-0/1/2.0        13


show lldp neighbors

Syntax

show lldp neighbors
<interface interface-ids>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display learned information about Link Layer Discovery Protocol (LLDP) neighbors on all interfaces or on selected interfaces.

Options

none: Display learned LLDP information on all neighboring interfaces and devices.

interface interface-ids: (Optional) Display learned LLDP information on the selected interface or device.

Required Privilege Level

view

Related Topics

Configuring LLDP (CLI Procedure) on page 957

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

List of Sample Output

show lldp neighbors on page 1054

show lldp neighbors interface ge-0/0/4.0 on page 1055

Output Fields

Table 138 on page 1053 lists the output fields for the show lldp neighbors command. Output fields are listed in the approximate order in which they appear.

Table 138: show lldp neighbors Output Fields

Field Name

Field Description

Level of Output

LLDP Remote Devices Information

LLDP remote devices information:

LocalPort: The local port on which the neighbor was learned.

ChassisId: The chassis identifier advertised by the neighbor; depending on the neighbor, this is its MAC address or a network address.

PortInfo: Either PortID or PortDescr, whichever is available.

  PortID: The port identification associated with the transmitting LLDP agent.

  PortDescr: The user-configured port description. The port description can be a maximum of 256 characters.

SysName: The user-configured name of the neighbor system. The system name can be a maximum of 256 characters.

All levels

Index

Juniper Networks internal index.

interface level

Time to Live

The age of the information propagated in LLDP frames. The time to live (TTL) value is between 0 and 65,535 seconds.

interface level

Time mark

Time filter for an entry.

interface level

Chassis type

The value used to identify a chassis. For an EX Series switch, this is the MAC address. However, this value is vendor-specific. The chassis type is used by LLDP to identify a device.

interface level

Port type

The neighbor's unique SNMP index for a port.

interface level

System descr

The system description containing information about the software and current image running on the system. This information is not configurable, but taken from the software.

interface level

System capabilities

The primary function performed by the system. The capabilities that the system supports are defined; for example, bridge. This information is not configurable, but based on the model of the product.

Supported: The capabilities the system supports.

Enabled: The capabilities enabled on the system.

interface level

Remote Management Address

The IPv4 management address of the neighbor system:

Type: The management address subtype; for example, IPv4 or 802 media.

Address: The management address of that subtype.

interface level

MED Information Detail

The LLDP-MED information:

EndpointClass: A set of mandatory and optional TLVs. There are three classes:

  Class 1 (Generic Endpoints): Apply to all endpoints that require base LLDP discovery services.

  Class 2 (Media Endpoint): Apply to endpoints that have IP media capabilities.

  Class 3 (Communication Endpoint): Apply to endpoints that support IP media (IP phones, and so on).

Media Policy Vlan Id: The configured VLAN ID for an application type running on a port.

Media Policy Priority: The media policy priority, defined in the VLAN tag, used to mark a packet with a priority.

Media Policy Dscp: The DSCP prioritization, used if an untagged VLAN is advertised.

Media Policy Tagged: Set based on the VLAN (tagged or untagged) used by an application type.

interface level

show lldp neighbors

user@switch> show lldp neighbors

LLDP Remote Devices Information
LocalPort     ChassisId           PortInfo            SysName
---------     ---------           --------            -------
ge-0/0/0.0    10.209.192.12       00 19 bb 20 de 80   AVA4C357D
ge-0/0/1.0    10.209.192.12       00 19 bb 20 de 80   AVA4C357D
ge-0/0/1.0    10.209.192.13       00 19 bb 20 de 81   AVA4C357E
ge-0/0/3.0    00 19 bb 20 de 79   5                   apg-hp1
ge-0/0/3.0    00 19 bb 20 de 80   3                   apg-hp1
ge-0/0/4.0    00 19 bb 20 de 79   5                   apg-hp1
ge-0/0/4.0    00 19 bb 20 de 80   3                   apg-hp1
ge-0/0/5.0    00 19 bb 20 de 81   ge-0/0/3            Ball1
ge-0/0/6.0    00 19 bb 20 de 82   ge-0/0/4            Ball2

show lldp neighbors interface ge-0/0/4.0

user@switch> show lldp neighbors interface ge-0/0/4.0

LLDP Remote Device Information Detail
Index 6 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port                    : ge-0/0/4.0
ChassisType                   : mac-address
ChassisId                     : 00 19 bb 20 de 80
PortType                      : local
PortId                        : 3
SysName                       : apg-hp1
System Descr                  : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr                     : 3
...
System Capabilities Supported : bridge, router
System Capabilities Enabled   : bridge
Remote Management Address
Type                          : ipv4
Address                       : 10.204.34.35

Index 7 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port                    : ge-0/0/4.0
ChassisType                   : mac-address
ChassisId                     : 00 19 bb 20 de 79
PortType                      : local
PortId                        : 5
SysName                       : apg-hp1
System Descr                  : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr                     : 3
...
System Capabilities Supported : bridge, router
System Capabilities Enabled   : bridge
Remote Management Address
Type                          : ipv4
Address                       : 10.204.34.35

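An LLDP neighbor table is only as useful as what you compare it with: a chassis identifier that is not the one inventory expects behind a port, or two different chassis identifiers behind one access port, is how an unmanaged switch, a hub or a replaced device first shows up. The following Python script is an added example, not part of this documentation or of Juniper's software. It parses the summary table in the layout shown above, where a MAC-based ChassisId or PortInfo cell is printed as six space-separated hex bytes, and checks it against an allowlist. The sample table is constructed from the documented output; ALLOWLIST is an assumed inventory for the example, and ge-0/0/3.0 and ge-0/0/4.0 are deliberately left out of it.

```python
"""Check 'show lldp neighbors' output against an allowlist of expected neighbors.
Added example, not part of the JUNOS documentation or of Juniper's software. It
assumes the summary-table layout shown above, in which a MAC-based ChassisId or
PortInfo cell is printed as six space-separated hex bytes."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, built from the documented summary output above.
SAMPLE = """\
LLDP Remote Devices Information
LocalPort     ChassisId           PortInfo            SysName
---------     ---------           --------            -------
ge-0/0/0.0    10.209.192.12       00 19 bb 20 de 80   AVA4C357D
ge-0/0/1.0    10.209.192.12       00 19 bb 20 de 80   AVA4C357D
ge-0/0/1.0    10.209.192.13       00 19 bb 20 de 81   AVA4C357E
ge-0/0/3.0    00 19 bb 20 de 79   5                   apg-hp1
ge-0/0/3.0    00 19 bb 20 de 80   3                   apg-hp1
ge-0/0/4.0    00 19 bb 20 de 79   5                   apg-hp1
ge-0/0/4.0    00 19 bb 20 de 80   3                   apg-hp1
ge-0/0/5.0    00 19 bb 20 de 81   ge-0/0/3            Ball1
ge-0/0/6.0    00 19 bb 20 de 82   ge-0/0/4            Ball2
"""

# Assumed inventory for this example: the chassis identifier expected behind
# each port, normalized the same way parse_lldp_neighbors() normalizes them.
# ge-0/0/3.0 and ge-0/0/4.0 deliberately have no entry.
ALLOWLIST: Dict[str, Set[str]] = {
    "ge-0/0/0.0": {"10.209.192.12"},
    "ge-0/0/1.0": {"10.209.192.12"},
    "ge-0/0/5.0": {"00:19:bb:20:de:81"},
    "ge-0/0/6.0": {"00:19:bb:20:de:82"},
}

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def _take_cell(tokens: List[str], i: int) -> Tuple[str, int]:
    """Read one cell at tokens[i]: six hex bytes become aa:bb:cc:dd:ee:ff, else one token."""
    if i + 6 <= len(tokens) and all(_HEX_BYTE.match(t) for t in tokens[i:i + 6]):
        return ":".join(t.lower() for t in tokens[i:i + 6]), i + 6
    return tokens[i], i + 1


def parse_lldp_neighbors(text: str) -> List[dict]:
    """Return one dict per neighbor row: port, chassis, portinfo, sysname."""
    rows: List[dict] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("LLDP", "LocalPort") or tokens[0].startswith("-"):
            continue                                   # title, header or rule line
        chassis, i = _take_cell(tokens, 1)
        portinfo, i = _take_cell(tokens, i)
        rows.append({"port": tokens[0], "chassis": chassis, "portinfo": portinfo,
                     "sysname": " ".join(tokens[i:])})
    return rows


def check_neighbors(rows: List[dict], allowlist: Dict[str, Set[str]]):
    """Return (unexpected, shared): neighbors not on the allowlist for their port, and
    ports behind which more than one chassis is visible (a hub or unmanaged switch)."""
    unexpected: List[Tuple[str, str, str]] = []
    seen: Dict[str, Set[str]] = {}
    for row in rows:
        seen.setdefault(row["port"], set()).add(row["chassis"])
        if row["chassis"] not in allowlist.get(row["port"], set()):
            unexpected.append((row["port"], row["chassis"], row["sysname"]))
    shared = sorted((port, sorted(ids)) for port, ids in seen.items() if len(ids) > 1)
    return unexpected, shared
```

On the constructed sample, check_neighbors(parse_lldp_neighbors(SAMPLE), ALLOWLIST) reports five unexpected neighbors (the second phone on ge-0/0/1.0 and both ProCurve chassis on ge-0/0/3.0 and ge-0/0/4.0) and three ports with more than one chassis behind them. The summary table identifies a neighbor only by what it advertises, so treat a match as "nothing obviously changed" rather than as proof of identity; the detail view's System Capabilities Enabled line is the place to look when a bridge appears where only an endpoint should be.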

show lldp statistics

Syntax

show lldp statistics
<interface interface-ids>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display LLDP statistics on all or selected interfaces.

Options

none: Display LLDP statistics on all interfaces and devices.

interface interface-ids: (Optional) Display LLDP statistics on the selected interfaces.

Required Privilege Level

view

List of Sample Output

show lldp statistics on page 1056

show lldp statistics interface ge-0/1/1.0 on page 1056

Output Fields

Table 139 on page 1056 lists the output fields for the show lldp statistics command. Output fields are listed in the approximate order in which they appear.

Table 139: show lldp statistics Output Fields

Field Name

Field Description

Level of Output

Interface

Name of an interface.

All levels

Received

The total number of LLDP frames received on an interface.

All levels

Transmitted

The total number of LLDP frames transmitted on an interface.

All levels

Unknown-TLVs

The number of unrecognized LLDP TLVs received on an interface.

All levels

With-Errors

The number of invalid LLDP TLVs received on an interface.

All levels

Discarded

The number of LLDP TLVs received and then discarded on an interface.

All levels

show lldp statistics

user@switch> show lldp statistics

Interface     Received   Transmitted   Unknown-TLVs   With-Errors   Discarded
---------     --------   -----------   ------------   -----------   ---------
ge-0/1/1.0    544        540           0              0             0
ge-0/1/2.0    540        500           0              0             0
ge-0/1/3.0    544        540           0              0             0
ge-0/1/4.0    544        540           0              0             0
ge-0/1/5.0    544        540           0              0             0
ge-0/1/6.0    544        540           0              0             0
ge-0/1/7.0    0          0             0              0             0

show lldp statistics interface ge-0/1/1.0

user@switch> show lldp statistics interface ge-0/1/1.0

Interface     Received   Transmitted   Unknown-TLVs   With-Errors   Discarded
---------     --------   -----------   ------------   -----------   ---------
ge-0/1/1.0    544        540           0              0             0


show network-access aaa statistics accounting

Syntax

show network-access aaa statistics accounting

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display authentication, authorization, and accounting (AAA) accounting statistics.

Required Privilege Level

view

Related Topics

accounting-server

accounting-stop-on-access-deny

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 952

List of Sample Output

show network-access aaa statistics accounting on page 1058

Output Fields

Table 140 on page 1058 lists the output fields for the show network-access aaa statistics accounting command. Output fields are listed in the approximate order in which they appear.

Table 140: show network-access aaa statistics accounting Output Fields

Field Name

Field Description

Requests received

The number of accounting-request packets sent from the switch to the RADIUS accounting server.

Accounting Response failures

The number of accounting-response packets received from the RADIUS accounting server that indicated failure.

Accounting Response Success

The number of accounting-response packets received from the RADIUS accounting server that indicated success.

Requests timedout

The number of accounting requests sent by the switch that timed out without a response from the RADIUS accounting server.

show network-access aaa statistics accounting

user@switch> show network-access aaa statistics accounting

Accounting module statistics
  Requests received: 1
  Accounting Response failures: 0
  Accounting Response Success: 1
  Requests timedout: 0


show network-access aaa statistics authentication

Syntax
show network-access aaa statistics authentication

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Display authentication, authorization, and accounting (AAA) authentication statistics.

Required Privilege Level
view

Related Topics
authentication-server
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

List of Sample Output
show network-access aaa statistics authentication on page 1059

Output Fields
Table 141 on page 1059 lists the output fields for the show network-access aaa statistics authentication command. Output fields are listed in the approximate order in which they appear.

Table 141: show network-access aaa statistics authentication Output Fields

Field Name           Field Description
Requests received    The number of authentication requests received by the switch.
Accepts              The number of authentication accepts received by the RADIUS server.
Rejects              The number of authentication rejects sent by the RADIUS server.
Challenges           The number of authentication challenges sent by the RADIUS server.

show network-access aaa statistics authentication

user@switch> show network-access aaa statistics authentication
Authentication module statistics
Requests received: 2
Accepts: 1
Rejects: 0
Challenges: 1

show network-access aaa statistics dynamic-requests

Syntax
show network-access aaa statistics dynamic-requests

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Display authentication, authorization, and accounting (AAA) authentication statistics for disconnects.

Required Privilege Level
view

Related Topics
authentication-server
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 883

List of Sample Output
show network-access aaa statistics dynamic-requests on page 1060

Output Fields
Table 142 on page 1060 lists the output fields for the show network-access aaa statistics dynamic-requests command. Output fields are listed in the approximate order in which they appear.

Table 142: show network-access aaa statistics dynamic-requests Output Fields

Field Name                  Field Description
Requests received           The number of dynamic requests received by the RADIUS server.
Processed successfully      The number of dynamic requests successfully processed by the RADIUS server.
Errors during processing    The number of errors that occurred while the RADIUS server was processing the dynamic request.
Silently dropped            The number of silently dropped requests.

show network-access aaa statistics dynamic-requests

user@switch> show network-access aaa statistics dynamic-requests
Dynamic-requests module statistics
Requests received: 0
Processed successfully: 0
Errors during processing: 0
Silently dropped: 0

Part 12

Port Security

Understanding Port Security on page 1063

Examples of Configuring Port Security on page 1087

Configuring Port Security on page 1149

Verifying Port Security on page 1179

Troubleshooting Port Security on page 1193

Configuration Statements for Port Security on page 1195

Operational Mode Commands for Port Security on page 1233

Chapter 55

Understanding Port Security

Port Security for EX Series Switches Overview on page 1063

Understanding How to Protect Access Ports on EX Series Switches from Common Attacks on page 1065

Understanding DHCP Snooping for Port Security on EX Series Switches on page 1067

Understanding DAI for Port Security on EX Series Switches on page 1074

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 1076

Understanding Trusted DHCP Servers for Port Security on EX Series Switches on page 1078

Understanding DHCP Option 82 for Port Security on EX Series Switches on page 1078

Understanding IP Source Guard for Port Security on EX Series Switches on page 1082

Understanding Proxy ARP for Port Security on EX Series Switches on page 1084

Port Security for EX Series Switches Overview


Ethernet LANs are vulnerable to attacks such as address spoofing (forging) and Layer
2 denial of service (DoS) on network devices. Port security features help protect the
access ports on your switch against the losses of information and productivity that
can result from such attacks.
Juniper Networks JUNOS Software on Juniper Networks EX Series Ethernet Switches
provides features to help secure ports on the switch. The ports can be categorized
as either trusted or untrusted. You apply policies appropriate to those categories to
protect against various types of attacks.
Port security features can be turned on to obtain the most robust port security level.
Basic port security features are enabled in the switch's default configuration. You
can configure additional features with minimal configuration steps.

Port security features on EX Series switches are:

DHCP snooping: Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database). You enable this feature on VLANs.

Dynamic ARP inspection (DAI): Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. You enable this feature on VLANs.

MAC limiting: Protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on access interfaces (ports).

MAC move limiting: Detects MAC movement and MAC spoofing on access ports. You enable this feature on VLANs.

Trusted DHCP server: With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases. You enable this feature on interfaces (ports). By default, access ports are untrusted and trunk ports are trusted. (Access ports are the switch ports that connect to Ethernet endpoints such as user PCs and laptops, servers, and printers. Trunk ports are the switch ports that connect to other Ethernet switches or to routers.)

IP source guard: Mitigates the effects of IP address spoofing attacks on the Ethernet LAN. You enable this feature on VLANs. With IP source guard enabled, the source IP address in a packet sent from an untrusted access interface is validated against the source MAC address in the DHCP snooping database. The packet is allowed for further processing if the source IP address to source MAC address binding is valid; if the binding is not valid, the packet is discarded.

DHCP option 82: Also known as the DHCP relay agent information option. Helps protect the EX Series switch against attacks such as spoofing of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to assign IP addresses or other parameters to the client.

Unrestricted proxy ARP: For additional access port security on EX Series switches, you can choose to use unrestricted proxy Address Resolution Protocol (ARP). With unrestricted proxy ARP, hosts cannot communicate directly with one another. Instead, all communications must go through the switch. If you enable proxy ARP on an EX Series switch, the mode is unrestricted by default (that is the only mode supported) and it applies globally to all interfaces on the switch. The switch responds to any ARP request on condition that the switch has an active route to the destination address.

Related Topics

Security Features for EX Series Switches Overview on page 15

Understanding DHCP Snooping for Port Security on EX Series Switches on page 1067

Understanding DAI for Port Security on EX Series Switches on page 1074

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 1076

Understanding IP Source Guard for Port Security on EX Series Switches on page 1082

Understanding DHCP Option 82 for Port Security on EX Series Switches on page 1078

Understanding How to Protect Access Ports on EX Series Switches from Common Attacks on page 1065

Understanding Proxy ARP for Port Security on EX Series Switches on page 1084

Chapter 55: Understanding Port Security

Understanding How to Protect Access Ports on EX Series Switches from Common Attacks

Port security features can protect the Juniper Networks EX Series Ethernet Switch
against various types of attacks. Protection methods against some common attacks
are:

Mitigation of Ethernet Switching Table Overflow Attacks on page 1065

Mitigation of Rogue DHCP Server Attacks on page 1065

Protection Against ARP Spoofing Attacks on page 1066

Protection Against DHCP Snooping Database Alteration Attacks on page 1066

Protection Against DHCP Starvation Attacks on page 1066

Mitigation of Ethernet Switching Table Overflow Attacks


In an overflow attack on the Ethernet switching table, an intruder sends so many
requests from new MAC addresses that the table cannot learn all the addresses. When
the switch can no longer use information in the table to forward traffic, it is forced
to broadcast messages. Traffic flow on the switch is disrupted, and packets are sent
to all hosts on the network. In addition to overloading the network with traffic, the
attacker might also be able to sniff that broadcast traffic.
To mitigate such attacks, configure both a MAC limit for learned MAC addresses and
some specific allowed MAC addresses. Use the MAC limit feature to control the total
number of MAC addresses that can be added to the Ethernet switching table for the
specified interface or interfaces. By setting the MAC addresses that are explicitly
allowed, you ensure that the addresses of network devices whose network access is
critical are guaranteed to be included in the Ethernet switching table. See Example:
Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect
the Switch from Ethernet Switching Table Overflow Attacks on page 1094.

Mitigation of Rogue DHCP Server Attacks


If an attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server
on the LAN, the rogue server can start issuing leases to the network's DHCP clients.
The information provided to the clients by this rogue server can disrupt their network
access, causing DoS. The rogue server might also assign itself as the default gateway
device for the network. The attacker can then sniff the network traffic and perpetrate
a man-in-the-middle attack; that is, it misdirects traffic intended for a legitimate
network device to a device of its choice.

To mitigate a rogue DHCP server attack, set the interface to which that rogue server
is connected as untrusted. That action will block all ingress DHCP server messages
from that interface. See Example: Configuring a DHCP Server Interface as Untrusted
to Protect the Switch from Rogue DHCP Server Attacks on page 1098.

Protection Against ARP Spoofing Attacks


In ARP spoofing, an attacker sends faked ARP messages on the network. The attacker
associates its own MAC address with the IP address of a network device connected
to the switch. Any traffic sent to that IP address is instead sent to the attacker. Now
the attacker can create various types of mischief, including sniffing the packets that
were meant for another host and perpetrating man-in-the-middle attacks. (In a
man-in-the-middle attack, the attacker intercepts messages between two hosts, reads
them, and perhaps alters them, all without the original hosts knowing that their
communications have been compromised.)
To protect against ARP spoofing on your switch, enable both DHCP snooping and
dynamic ARP inspection (DAI). DHCP snooping builds and maintains the DHCP
snooping table. That table contains the MAC addresses, IP addresses, lease times,
binding types, VLAN information, and interface information for the untrusted
interfaces on the switch. DAI uses the information in the DHCP snooping table to
validate ARP packets. Invalid ARP packets are blocked.
See Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 1105.

Protection Against DHCP Snooping Database Alteration Attacks


In an attack designed to alter the DHCP snooping database, an intruder introduces
a DHCP client on one of the switch's untrusted access interfaces that has a MAC
address identical to that of a client on another untrusted port. The intruder acquires
the DHCP lease, which results in changes to the entries in the DHCP snooping table.
Subsequently, what would have been valid ARP requests from the legitimate client
are blocked.
To protect against this type of alteration of the DHCP snooping database, configure
MAC addresses that are explicitly allowed on the interface. See Example: Configuring
Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database
Alteration Attacks on page 1109.

Protection Against DHCP Starvation Attacks


In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses so that the switch's trusted DHCP servers
cannot keep up with requests from legitimate DHCP clients on the switch. The address
space of those servers is completely used up, so they can no longer assign IP addresses
and lease times to clients. DHCP requests from those clients are either dropped (that
is, the result is a denial of service, or DoS) or directed to a rogue DHCP server set up
by the attacker to impersonate a legitimate DHCP server on the LAN.
To protect the switch from DHCP starvation attacks, use the MAC limiting feature.
Specify the maximum number of MAC addresses that the switch can learn on the
access interfaces to which those clients connect. The switch's DHCP server or servers
will then be able to supply the specified number of IP addresses and leases to those
clients and no more. If a DHCP starvation attack occurs after the maximum number
of IP addresses has been assigned, the attack will fail. See Example: Configuring
MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 1101.

Related Topics

Understanding DHCP Snooping for Port Security on EX Series Switches on page 1067

Understanding DAI for Port Security on EX Series Switches on page 1074

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 1076

Understanding Trusted DHCP Servers for Port Security on EX Series Switches on page 1078

Configuring Port Security (CLI Procedure) on page 1150

Configuring Port Security (J-Web Procedure) on page 1151

Understanding DHCP Snooping for Port Security on EX Series Switches


DHCP snooping allows the switch to monitor and control DHCP messages received
from untrusted devices connected to the switch. When DHCP snooping is enabled,
the system builds and maintains a database of valid IP-address/MAC-address (IP-MAC)
bindings called the DHCP snooping database.

DHCP Snooping Basics on page 1067

Persistence of IP-MAC Bindings on page 1068

DHCP Snooping Process on page 1068

DHCP Server Access on page 1069

DHCP Snooping Table on page 1073

Static IP Address Additions to the DHCP Snooping Database on page 1073

DHCP Snooping Basics


Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically,
leasing addresses to devices so that the addresses can be reused when no longer
needed. Hosts and end devices that require IP addresses obtained through DHCP
must communicate with a DHCP server across the LAN. Juniper Networks JUNOS
Software for Juniper Networks EX Series Ethernet Switches provides the option to
apply all access-port security features by VLAN or by port (interface).
DHCP snooping acts as a guardian of network security by keeping track of valid IP
addresses assigned to downstream network devices by a trusted DHCP server (the
server is connected to a trusted network port).
DHCP snooping reads the lease information from the switch (which is a DHCP client)
and from this information creates the DHCP snooping database. This database is a
mapping between an IP address and a VLAN/MAC-address pair. For each
VLAN/MAC-address pair, the database stores the corresponding IP address.

When a DHCP client releases an IP address (sends a DHCPRELEASE message), the
associated mapping entry is deleted from the database.
You can configure the switch to snoop DHCP server responses only from particular
VLANs. Doing this prevents spoofing of DHCP server messages.
By default, all trunk ports on the switch are trusted and all access ports are untrusted
for DHCP snooping. You can modify these defaults on each of the switch's interfaces.
You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
If you move a network device from one VLAN to another, typically the device has to
acquire a new IP address, so its entry in the database, including the VLAN ID, is
updated.
The Ethernet switching process, ESWD, maintains the timeout (lease time) value for
each IP-MAC binding in its database. The lease time is assigned by the DHCP server.
The software reads the DHCP messages to obtain the lease time and deletes the
associated entry from the database when the lease time expires.

Persistence of IP-MAC Bindings


By default, the IP-MAC bindings are lost when the switch is rebooted. The DHCP
clients (the network devices, or hosts) must reacquire bindings. However, you can
configure the bindings to persist by setting the dhcp-snooping-file statement to store
the database file either locally or remotely. See dhcp-snooping-file.

DHCP Snooping Process


The basic process of DHCP snooping is shown in Figure 57 on page 1069.

Figure 57: DHCP Snooping

For general information about the messages that the DHCP client and DHCP server
exchange during the assignment of an IP address for the client, see the JUNOS Software
System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html.

DHCP Server Access


Switch access to the DHCP server can be configured in three ways:

Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN on page 1069

Switch Acts as DHCP Server on page 1071

Switch Acts as Relay Agent on page 1072

Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN
When the switch, DHCP clients, and DHCP server are all members of the same VLAN,
the DHCP server can be connected to the switch in one of two ways:

The server is directly connected to the same switch as the one connected to the
DHCP clients (the hosts, or network devices, that are requesting IP addresses
from the server). You must configure the port that connects the server to the
switch as a trusted port. See Figure 58 on page 1070.

The server is directly connected to a switch that is itself directly connected
through a trunk port to the switch that the DHCP clients are connected to. The
trunk port is configured by default as a trusted port. The switch that the DHCP
server is connected to is not configured for DHCP snooping. See Figure 59 on
page 1071; in the figure, ge-0/0/11 is a trusted trunk port.

Figure 58: DHCP Server Connected Directly to Switch

Figure 59: DHCP Server Connected Directly to Switch 2, with Switch 2 Connected to
Switch 1 Through a Trusted Trunk Port

Switch Acts as DHCP Server


The switch itself is configured as a DHCP server; this is known as a local
configuration. See Figure 60 on page 1072.

Figure 60: Switch Is the DHCP Server

Switch Acts as Relay Agent


The switch functions as a relay agent when the DHCP clients or the DHCP server is
connected to the switch through a Layer 3 interface (on the switch, these interfaces
are configured as routed VLAN interfaces, or RVIs). These trunk interfaces are trusted
by default.
These two scenarios illustrate the switch acting as a relay agent:

The DHCP server and clients are in different VLANs.

The switch is connected to a router that is in turn connected to the DHCP server.
See Figure 61 on page 1073.

Figure 61: Switch Acting as Relay Agent Through Router to DHCP Server

DHCP Snooping Table


The software creates a DHCP snooping information table that displays the content
of the DHCP snooping database. The table shows current IP-MAC bindings, as well
as lease time, type of binding, names of associated VLANs, and associated interface.
To view the table, type show dhcp snooping binding at the operational mode prompt:

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address          IP address    Lease (seconds)   Type      VLAN       Interface
00:05:85:3A:82:77    192.0.2.17    600               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:79    192.0.2.18    653               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:80    192.0.2.19    720               dynamic   employee   ge-0/0/2.0

Static IP Address Additions to the DHCP Snooping Database


You can add specific static IP addresses to the database as well as have the addresses
dynamically assigned through DHCP snooping. To add static IP addresses, you supply
the IP address, the MAC address of the device, the interface on which the device is
connected, and the VLAN with which the interface is associated. No lease time is
assigned to the entry. The statically configured entry never expires.

Related Topics

Port Security for EX Series Switches Overview on page 1063

Understanding Trusted DHCP Servers for Port Security on EX Series Switches on page 1078

Understanding DHCP Option 82 for Port Security on EX Series Switches on page 1078

DHCP Services for EX Series Switches Overview on page 763

DHCP/BOOTP Relay for EX Series Switches Overview on page 764

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Enabling DHCP Snooping (CLI Procedure) on page 1154 and Enabling DHCP Snooping (J-Web Procedure) on page 1155

Understanding DAI for Port Security on EX Series Switches


Dynamic ARP inspection (DAI) protects Juniper Networks EX Series Ethernet Switches
against ARP spoofing.
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping
database on the switch to validate ARP packets and to protect against ARP cache
poisoning. ARP requests and replies are compared against entries in the DHCP
snooping database, and filtering decisions are made based on the results of those
comparisons. When an attacker tries to use a forged ARP packet to spoof an address,
the switch compares the address to entries in the database. If the MAC address or
IP address in an ARP packet does not match a valid entry in the DHCP snooping
database, the packet is dropped.
ARP packets are trapped to the Routing Engine and are rate-limited to protect the
switch from CPU overload.

Address Resolution Protocol on page 1074

ARP Spoofing on page 1074

DAI on EX Series Switches on page 1075

Address Resolution Protocol


Sending IP packets on a multiaccess network requires mapping an IP address to an
Ethernet media access control (MAC) address.
Ethernet LANs use Address Resolution Protocol (ARP) to map MAC addresses to IP
addresses.
The switch maintains this mapping in a cache that it consults when forwarding
packets to network devices. If the ARP cache does not contain an entry for the
destination device, the host (the DHCP client) broadcasts an ARP request for that
device's address and stores the response in the cache.

ARP Spoofing
ARP spoofing (also known as ARP poisoning or ARP cache poisoning) is one way to
initiate man-in-the-middle attacks. The attacker sends an ARP packet that spoofs the
MAC address of another device on the LAN. Instead of the switch sending traffic to
the proper network device, it sends it to the device with the spoofed address that is
impersonating the proper device. If the impersonating device is the attacker's
machine, the attacker receives all the traffic from the switch that should have gone
to another device. The result is that traffic from the switch is misdirected and cannot
reach its proper destination.
One type of ARP spoofing is gratuitous ARP, which is when a network device sends
an ARP request to resolve its own IP address. In normal LAN operation, gratuitous
ARP messages indicate that two devices have the same MAC address. They are also
broadcast when a network interface card (NIC) in a device is changed and the device
is rebooted, so that other devices on the LAN update their ARP caches. In malicious
situations, an attacker can poison the ARP cache of a network device by sending an
ARP response to the device that directs all packets destined for a certain IP address
to go to a different MAC address instead.
To prevent MAC spoofing through gratuitous ARP and through other types of spoofing,
EX Series switches examine ARP responses through DAI.

DAI on EX Series Switches


DAI examines ARP requests and responses on the LAN and validates ARP packets.
The switch intercepts ARP packets from an access port and validates them against
the DHCP snooping database. If no IP-MAC entry in the database corresponds to the
information in the ARP packet, DAI drops the ARP packet and the local ARP cache
is not updated with the information in that packet. DAI also drops ARP packets when
the IP address in the packet is invalid.
Juniper Networks JUNOS Software for EX switches uses DAI for ARP packets received
on access ports because these ports are untrusted by default. Trunk ports are trusted
by default, so ARP packets bypass DAI on them.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is
disabled for all VLANs. You can set an interface to be trusted for ARP packets by
setting dhcp-trusted on that port.
For packets directed to the switch to which a network device is connected, ARP
queries are broadcast on the VLAN. The ARP responses to those queries are subjected
to the DAI check.
For DAI, all ARP packets are trapped to the Routing Engine. To prevent CPU
overloading, ARP packets destined for the Routing Engine are rate-limited.
If the DHCP server goes down and the lease time for an IP-MAC entry for a previously
valid ARP packet runs out, that packet is blocked.
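The DAI check described in this section and in Protection Against ARP Spoofing Attacks above, as an added Python example that is not code from this guide or from JUNOS: a DHCP snooping database keyed by VLAN and MAC address, loaded with the three dynamic bindings from the show dhcp snooping binding sample in this chapter plus a constructed static entry, and a check that lets ARP from trusted trunk ports bypass DAI, drops ARP whose sender IP is invalid or does not match the binding for its MAC, and blocks a client whose lease has run out. The trunk interface ge-0/0/11.0, the static entry and the timestamps are assumptions.

```python
"""Dynamic ARP inspection (DAI) validated against a DHCP snooping binding database.
Added example, not JUNOS code. The dynamic bindings are the sample entries from the
show dhcp snooping binding output in this chapter; the static entry, ARP packets,
timestamps and trunk interface name are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class Binding:
    ip: str
    interface: str
    lease_expires: Optional[float]  # None for a static entry, which never expires

class DhcpSnoopingDatabase:
    """Maps each (VLAN, MAC address) pair to its IP address, like the DHCP snooping database."""

    def __init__(self) -> None:
        self._bindings: Dict[Tuple[str, str], Binding] = {}

    def learn(self, vlan: str, mac: str, ip: str, interface: str,
              lease_seconds: float, now: float) -> None:
        # Dynamic binding read from a snooped DHCP lease; expires with the lease
        self._bindings[(vlan, mac.lower())] = Binding(ip, interface, now + lease_seconds)

    def add_static(self, vlan: str, mac: str, ip: str, interface: str) -> None:
        # Statically configured entry: no lease time is assigned
        self._bindings[(vlan, mac.lower())] = Binding(ip, interface, None)

    def release(self, vlan: str, mac: str) -> None:
        # A DHCPRELEASE from the client deletes the mapping entry
        self._bindings.pop((vlan, mac.lower()), None)

    def lookup(self, vlan: str, mac: str, now: float) -> Optional[Binding]:
        key = (vlan, mac.lower())
        binding = self._bindings.get(key)
        if binding is not None and binding.lease_expires is not None and now >= binding.lease_expires:
            del self._bindings[key]  # lease ran out: entry deleted, later ARP from it is blocked
            return None
        return binding

@dataclass
class ArpPacket:
    vlan: str
    ingress_interface: str
    sender_mac: str
    sender_ip: str

def sender_ip_is_valid(ip: str) -> bool:
    """DAI drops ARP packets with an invalid IP address; treated here as unparsable,
    unspecified (0.0.0.0), multicast or limited broadcast."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_multicast
                or addr == ipaddress.IPv4Address("255.255.255.255"))

def dai_check(pkt: ArpPacket, db: DhcpSnoopingDatabase, dai_vlans: Set[str],
              trusted_interfaces: Set[str], now: float) -> Tuple[str, str]:
    """Return ("permit" | "drop", reason) for one ARP packet."""
    if pkt.vlan not in dai_vlans:
        return "permit", "DAI is not enabled on this VLAN"
    if pkt.ingress_interface in trusted_interfaces:
        return "permit", "trusted (trunk) interface: ARP bypasses DAI"
    if not sender_ip_is_valid(pkt.sender_ip):
        return "drop", "invalid sender IP address"
    binding = db.lookup(pkt.vlan, pkt.sender_mac, now)
    if binding is None:
        return "drop", "no valid DHCP snooping binding for this MAC on this VLAN"
    if binding.ip != pkt.sender_ip:
        return "drop", f"sender IP {pkt.sender_ip} does not match binding {binding.ip}"
    return "permit", "sender IP-MAC pair matches the DHCP snooping database"

def run_scenario() -> Dict[str, str]:
    """Constructed walk-through; returns the DAI decision for each named case."""
    db = DhcpSnoopingDatabase()
    # Dynamic bindings from the sample show dhcp snooping binding output, learned at t=0
    db.learn("employee", "00:05:85:3A:82:77", "192.0.2.17", "ge-0/0/1.0", 600, now=0)
    db.learn("employee", "00:05:85:3A:82:79", "192.0.2.18", "ge-0/0/1.0", 653, now=0)
    db.learn("employee", "00:05:85:3A:82:80", "192.0.2.19", "ge-0/0/2.0", 720, now=0)
    db.add_static("employee", "00:05:85:3A:82:90", "192.0.2.50", "ge-0/0/3.0")  # constructed
    dai_vlans, trusted = {"employee"}, {"ge-0/0/11.0"}  # trunk port, trusted by default
    results: Dict[str, str] = {}

    def check(name, mac, ip, iface="ge-0/0/1.0", vlan="employee", now=10.0):
        results[name] = dai_check(ArpPacket(vlan, iface, mac, ip), db, dai_vlans, trusted, now)[0]

    check("legit_client", "00:05:85:3A:82:77", "192.0.2.17")
    check("spoofed_ip", "00:05:85:3A:82:77", "192.0.2.18")   # claims another host's IP
    check("unknown_mac", "00:05:85:3A:82:99", "192.0.2.18")  # MAC that never leased an address
    check("invalid_ip", "00:05:85:3A:82:79", "0.0.0.0")
    check("trusted_trunk", "00:05:85:3A:82:99", "192.0.2.60", iface="ge-0/0/11.0")
    check("dai_off_vlan", "00:05:85:3A:82:99", "192.0.2.60", vlan="guest")
    check("expired_lease", "00:05:85:3A:82:77", "192.0.2.17", now=700.0)  # 600 s lease ran out
    check("static_entry", "00:05:85:3A:82:90", "192.0.2.50", iface="ge-0/0/3.0", now=100000.0)
    db.release("employee", "00:05:85:3A:82:80")
    check("after_release", "00:05:85:3A:82:80", "192.0.2.19", iface="ge-0/0/2.0")
    return results
```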
Related Topics

Port Security for EX Series Switches Overview on page 1063

Understanding DHCP Snooping for Port Security on EX Series Switches on page 1067

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 1105

Enabling Dynamic ARP Inspection (CLI Procedure) on page 1163

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 1164

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches

MAC limiting protects against flooding of the Ethernet switching table (also known
as the MAC forwarding table or Layer 2 forwarding table). You enable this feature
on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing
on access interfaces. You enable this feature on VLANs.

MAC Limiting on page 1076

MAC Move Limiting on page 1076

Actions for MAC Limiting and MAC Move Limiting on page 1077

MAC Addresses That Exceed the MAC Limit or MAC Move Limit on page 1077

MAC Limiting
MAC limiting sets a limit on the number of MAC addresses that can be learned on a
single Layer 2 access interface or on all the Layer 2 access interfaces on the switch.
JUNOS Software provides two MAC limiting methods:

Maximum number of MAC addresses: You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses are treated as specified by the configuration. The incoming packets with new MAC addresses can be ignored, dropped, or logged, or the interface can be shut down or temporarily disabled.

Allowed MAC: You configure specific allowed MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs the message. Allowed MAC binds MAC addresses to a VLAN so that the address does not get registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

NOTE: If you do not want the switch to log messages received for invalid MAC
addresses on an interface that has been configured for specific allowed MAC
addresses, you can disable the logging by configuring the no-allowed-mac-log statement.

MAC Move Limiting


MAC move limiting causes the switch to track the number of times a MAC address
can move to a new interface (port). It can help to prevent MAC spoofing, and it can
also detect and prevent loops.


If a MAC address moves more than the configured number of times within one
second, the switch performs the configured action. You can configure MAC move
limiting to apply to all VLANs or to a specific VLAN.

Actions for MAC Limiting and MAC Move Limiting


You can choose to have one of the following actions performed when the limit of
MAC addresses or the limit of MAC moves is exceeded:

drop: Drop the packet and generate an alarm, an SNMP trap, or a system log
entry. This is the default.

log: Do not drop the packet but generate an alarm, an SNMP trap, or a system
log entry.

none: Take no action.

shutdown: Disable the interface and generate an alarm. If you have configured
the switch with the port-error-disable statement, the disabled interface recovers
automatically upon expiration of the specified disable timeout. If you have not
configured the switch for autorecovery from port error disabled conditions, you
can bring up the disabled interfaces by running the clear ethernet-switching
port-error command.

See descriptions of results of these various action settings in Verifying That MAC
Limiting Is Working Correctly on page 1183.

If you have set a MAC limit to apply to all interfaces on the switch, you can override
that setting for a particular interface by specifying action none. See Setting the none
Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI
Procedure) on page 1172.

MAC Addresses That Exceed the MAC Limit or MAC Move Limit
If you have configured the port-error-disable statement, you can view which interfaces
are temporarily disabled due to exceeding the MAC limit or MAC move limit in the
output for the show ethernet-switching interfaces command.
The log messages that indicate the MAC limit or MAC move limit has been exceeded
include the offending MAC addresses that have exceeded the limit. See
Troubleshooting Port Security on page 1193 for details.
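The limits and actions described in this topic, as an added Python simulation that is not JUNOS code or Juniper's implementation: a per-interface MAC limit with the drop, log, none and shutdown actions, an allowed MAC list that refuses other addresses, and a per-VLAN MAC move limit counted inside a one-second window. The class names, the sliding-window counting, and the interface names and MAC addresses in the scenario are assumptions constructed for this example.

```python
from collections import defaultdict, deque

ACTIONS = ("drop", "log", "none", "shutdown")


class SecureAccessPort:
    """Modelled per-interface settings (mac-limit, action, allowed-mac)."""

    def __init__(self, mac_limit=None, action="drop", allowed_macs=None):
        if action not in ACTIONS:
            raise ValueError("action must be one of %s" % (ACTIONS,))
        self.mac_limit = mac_limit
        self.action = action
        self.allowed_macs = {m.lower() for m in allowed_macs} if allowed_macs else None
        self.disabled = False          # set by the shutdown action


class EthernetSwitchingTable:
    """Minimal model of the Layer 2 forwarding table with a MAC limit per
    interface and a MAC move limit per VLAN, counted inside a one-second window."""

    def __init__(self, move_limit=None, move_action="drop"):
        self.ports = {}                    # interface -> SecureAccessPort
        self.table = {}                    # (vlan, mac) -> interface learned on
        self.moves = defaultdict(deque)    # (vlan, mac) -> times of recent moves
        self.move_limit = move_limit
        self.move_action = move_action
        self.log = []                      # stand-in for alarm / SNMP trap / syslog

    def add_interface(self, name, **settings):
        self.ports[name] = SecureAccessPort(**settings)

    def learned_on(self, ifname):
        return sum(1 for intf in self.table.values() if intf == ifname)

    def _act(self, action, event, mac, ifname):
        """Apply a configured action; True means the frame is still forwarded."""
        if action == "none":
            return True
        self.log.append((event, mac, ifname))
        if action == "log":
            return True
        if action == "shutdown":
            self.ports[ifname].disabled = True
        return False                       # drop and shutdown both discard the frame

    def receive(self, vlan, mac, ifname, now):
        """Handle a frame with source `mac` arriving on `ifname` at time `now`
        (seconds). Returns True when the frame is forwarded."""
        mac = mac.lower()
        port = self.ports[ifname]
        if port.disabled:
            return False
        if port.allowed_macs is not None and mac not in port.allowed_macs:
            self.log.append(("allowed-mac-violation", mac, ifname))
            return False                   # not learned; logged unless no-allowed-mac-log
        key = (vlan, mac)
        previous = self.table.get(key)
        if previous is None:               # new address: enforce the interface's limit
            if port.mac_limit is not None and self.learned_on(ifname) >= port.mac_limit:
                return self._act(port.action, "mac-limit-exceeded", mac, ifname)
            self.table[key] = ifname
            return True
        if previous != ifname:             # the address moved to another interface
            window = self.moves[key]
            window.append(now)
            while now - window[0] >= 1.0:  # keep only the moves inside the last second
                window.popleft()
            if self.move_limit is not None and len(window) > self.move_limit:
                return self._act(self.move_action, "mac-move-limit-exceeded", mac, ifname)
            self.table[key] = ifname
        return True


def run_scenario():
    """Replay the situations the text describes and return what happened."""
    sw = EthernetSwitchingTable(move_limit=5)
    sw.add_interface("ge-0/0/1", mac_limit=4)
    sw.add_interface("ge-0/0/2", mac_limit=4, allowed_macs=["00:05:85:3A:82:80"])
    sw.add_interface("ge-0/0/3", mac_limit=2, action="shutdown")
    sw.add_interface("ge-0/0/4")
    # Five hosts (constructed MACs) behind ge-0/0/1: only four fit under the limit.
    limit = [sw.receive("employee-vlan", "00:05:85:3a:82:7%d" % i, "ge-0/0/1", 0.0)
             for i in range(5)]
    # ge-0/0/2 accepts only its allowed address.
    allowed = (sw.receive("employee-vlan", "00:05:85:3a:82:80", "ge-0/0/2", 0.0),
               sw.receive("employee-vlan", "00:05:85:3a:82:99", "ge-0/0/2", 0.0))
    # ge-0/0/3 is shut down by the third address it sees.
    for i in range(3):
        sw.receive("employee-vlan", "00:05:85:3a:82:9%d" % i, "ge-0/0/3", 0.0)
    # One host flapping between ge-0/0/4 and ge-0/0/1 every 100 ms: the sixth
    # move inside one second exceeds mac-move-limit 5; a move 2 s later is fine.
    moves = [sw.receive("employee-vlan", "00:05:85:3a:82:70",
                        "ge-0/0/4" if n % 2 == 0 else "ge-0/0/1", 0.1 * (n + 1))
             for n in range(6)]
    settled = sw.receive("employee-vlan", "00:05:85:3a:82:70", "ge-0/0/1", 2.0)
    return {"limit": limit, "learned_on_ge1": sw.learned_on("ge-0/0/1"),
            "allowed": allowed, "ge3_disabled": sw.ports["ge-0/0/3"].disabled,
            "moves": moves, "settled": settled, "log": sw.log}
```

The log list stands in for the alarm, SNMP trap or system log entry the switch would generate; a disabled port stays disabled until something clears it, which corresponds to the clear ethernet-switching port-error command or the port-error-disable timeout described above.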
Related Topics

Port Security for EX Series Switches Overview on page 1063

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
on page 1094

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 1101

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Configuring Autorecovery From the Disabled State on Secure or Storm Control
Interfaces (CLI Procedure) on page 558

no-allowed-mac-log

Understanding Trusted DHCP Servers for Port Security on EX Series Switches


Any interface on the switch that connects to a DHCP server can be configured as a
trusted port. Configuring a DHCP server on a trusted port protects against rogue
DHCP servers sending leases.
Ensure that the DHCP server interface is physically secure, that is, that access to
the server is monitored and controlled at the site, before you configure the port as
trusted.
Related Topics

Understanding DHCP Snooping for Port Security on EX Series Switches on page 1067

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 1098

Enabling a Trusted DHCP Server (CLI Procedure) on page 1156

Enabling a Trusted DHCP Server (J-Web Procedure) on page 1156

Understanding DHCP Option 82 for Port Security on EX Series Switches


You can use DHCP option 82, also known as the DHCP relay agent information
option, to help protect the switch against attacks such as spoofing (forging) of IP
addresses and MAC addresses, and DHCP IP address starvation. Hosts on untrusted
access interfaces on Ethernet LAN switches send requests for IP addresses in order
to access the Internet. The switch forwards or relays these requests to DHCP servers,
and the servers send offers for IP address leases in response. Attackers can use these
messages to perpetrate address spoofing and starvation.
Option 82 provides information about the network location of a DHCP client, and
the DHCP server uses this information to implement IP addresses or other parameters
for the client. The Juniper Networks JUNOS Software implementation of DHCP
option 82 supports RFC 3046, DHCP Relay Agent Information Option, at
http://tools.ietf.org/html/rfc3046.

This topic covers:


DHCP Option 82 Processing on page 1079

Suboption Components of Option 82 on page 1079

Configurations of the EX Series Switch That Support Option 82 on page 1080


DHCP Option 82 Processing


If DHCP option 82 is enabled on the switch, then when a network device (a DHCP
client) that is connected to the switch on an untrusted interface sends a DHCP
request, the switch inserts information about the client's network location into the
packet header of that request. The switch then sends the request to the DHCP server.
The DHCP server reads the option 82 information in the packet header and uses it
to implement the IP address or another parameter for the client. See Suboption
Components of Option 82 on page 1079 for details about option 82 information.
You can enable DHCP option 82 on a single VLAN or on all VLANs on the switch.
You can also configure it on Layer 3 interfaces (in routed VLAN interfaces, or RVIs)
when the switch is functioning as a relay agent.
When option 82 is enabled on the switch, then this sequence of events occurs when
a DHCP client sends a DHCP request:

1. The switch receives the request and inserts the option 82 information in the
packet header.

2. The switch forwards or relays the request to the DHCP server.

3. The server uses the DHCP option 82 information to formulate its reply and sends
a response back to the switch. It does not alter the option 82 information.

4. The switch strips the option 82 information from the response packet.

5. The switch forwards the response packet to the client.

NOTE: To use the DHCP option 82 feature, you must ensure that the DHCP server
is configured to accept option 82. If it is not configured to accept option 82, then
when it receives requests containing option 82 information, it does not use the
information in setting parameters and it does not echo the information in its response
message. For detailed information about configuring DHCP services, see the JUNOS
Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos93/index.html. The configuration
for DHCP service on the Juniper Networks EX Series Ethernet Switch includes the
dhcp statement at the [edit system services] hierarchy level.

Suboption Components of Option 82


Option 82 as implemented on the EX Series switch comprises the suboptions circuit
ID, remote ID, and vendor ID. These suboptions are fields in the packet header:

circuit ID: Identifies the circuit (interface and/or VLAN) on the switch on which
the request was received. The circuit ID contains the interface name and/or VLAN
name, with the two elements separated by a colon, for example,
ge-0/0/10:vlan1, where ge-0/0/10 is the interface name and vlan1 is the VLAN
name. If the request packet is received on a Layer 3 interface, the circuit ID is
just the interface name, for example, ge-0/0/10.

Use the prefix option to add an optional prefix to the circuit ID. If you enable the
prefix option, the hostname for the switch is used as the prefix; for example,
switch1:ge-0/0/10:vlan1, where switch1 is the hostname.
You can also specify that the interface description be used rather than the
interface name and/or that the VLAN ID be used rather than the VLAN name.

remote ID: Identifies the host. By default, the remote ID is the MAC address of
the switch. You can specify that the remote ID be the hostname of the switch,
the interface description, or a character string of your choice. You can also add
an optional prefix to the remote ID.

vendor ID: Identifies the vendor of the host. If you specify the vendor-id option
but do not enter a value, the default value Juniper is used. To specify a value,
you type a character string.
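As an added example that is not JUNOS code, the following Python builds the option 82 TLV a relay agent inserts into a DHCP request and parses it back, using the circuit ID and remote ID formats described above. The suboption codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) are the ones RFC 3046 defines; the page does not give the suboption code the switch uses for its vendor ID, so that suboption is left out here. The hostname, interface, VLAN and remote ID values used in the test are constructed.

```python
OPTION_RELAY_AGENT_INFO = 82   # RFC 3046 option code
SUBOPT_CIRCUIT_ID = 1          # Agent Circuit ID suboption (RFC 3046)
SUBOPT_REMOTE_ID = 2           # Agent Remote ID suboption (RFC 3046)


def circuit_id(interface, vlan=None, prefix=None):
    """Circuit ID as the page describes it: [hostname:]interface[:vlan].
    A request received on a Layer 3 interface carries just the interface name."""
    return ":".join(p for p in (prefix, interface, vlan) if p)


def encode_option82(circuit, remote):
    """Return the option 82 TLV the relay inserts: code, length, suboption TLVs."""
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit), (SUBOPT_REMOTE_ID, remote)):
        data = value.encode("ascii")
        if len(data) > 255:
            raise ValueError("suboption value does not fit a one-byte length")
        body += bytes((code, len(data))) + data
    if len(body) > 255:
        raise ValueError("option 82 body does not fit a one-byte length")
    return bytes((OPTION_RELAY_AGENT_INFO, len(body))) + body


def decode_option82(blob):
    """Parse an option 82 TLV into {suboption code: value}. Every length field
    is checked against the buffer, so a truncated or padded option raises
    ValueError instead of being accepted with wrong contents."""
    if len(blob) < 2 or blob[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an option 82 TLV")
    end = 2 + blob[1]
    if len(blob) != end:
        raise ValueError("option length disagrees with buffer size")
    subopts, i = {}, 2
    while i < end:
        if i + 2 > end:
            raise ValueError("truncated suboption header")
        code, sublen = blob[i], blob[i + 1]
        i += 2
        if i + sublen > end:
            raise ValueError("suboption data runs past the option")
        raw = blob[i:i + sublen]
        try:
            subopts[code] = raw.decode("ascii")
        except UnicodeDecodeError:
            subopts[code] = raw            # opaque binary suboption, kept as bytes
        i += sublen
    return subopts


def is_malformed(blob):
    """True when decode_option82 rejects the buffer."""
    try:
        decode_option82(blob)
    except ValueError:
        return True
    return False


def strip_option82(options):
    """Step 4 of the sequence described on the page: the switch removes option 82
    from the server's reply before forwarding it to the client. `options` is a
    list of (code, data) DHCP options."""
    return [(code, data) for code, data in options if code != OPTION_RELAY_AGENT_INFO]
```

The strict length checks in decode_option82 are the part worth copying: a DHCP server that trusts the inner length bytes without comparing them to the enclosing option would read past the suboption on a malformed relay insertion.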

Configurations of the EX Series Switch That Support Option 82


Configurations of the EX Series switch that support option 82 are:

Switch and Clients Are on Same VLAN as DHCP Server on page 1080

Switch Acts as Relay Agent on page 1081

Switch and Clients Are on Same VLAN as DHCP Server


If the DHCP clients, the switch, and the DHCP server are all on the same VLAN, the
switch forwards the requests from the clients on untrusted access interfaces to the
server on a trusted interface. See Figure 62 on page 1080.
Figure 62: DHCP Clients, Switch, and DHCP Server Are All on Same VLAN


For the configuration shown in Figure 62 on page 1080, you set DHCP option 82 at the
[edit ethernet-switching-options secure-access-port vlan] hierarchy level.

Switch Acts as Relay Agent


The switch functions as a relay agent when the DHCP clients or the DHCP server is
connected to the switch through a Layer 3 interface. On the switch, these interfaces
are configured as routed VLAN interfaces, or RVIs. Figure 63 on page 1081 illustrates
a scenario for the switch-as-relay-agent; in this instance, the switch relays requests
through a router to the server.
Figure 63: Switch Relays DHCP Requests to Server

For the configuration shown in Figure 63 on page 1081, you set DHCP option 82 at the
[edit forwarding-options helpers bootp] hierarchy level.
Related Topics

Port Security for EX Series Switches Overview on page 1063

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay
Agent Between Clients and DHCP Server on page 1138

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent
Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients
and DHCP Server (CLI Procedure) on page 1157

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients
and DHCP Server (CLI Procedure) on page 1160


Understanding IP Source Guard for Port Security on EX Series Switches


Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of
source IP addresses or source MAC addresses. You can use the IP source guard access
port security feature on Juniper Networks EX Series Ethernet Switches to mitigate
the effects of these attacks.

IP Address Spoofing on page 1082

How IP Source Guard Works on page 1082

The IP Source Guard Database on page 1083

Typical Uses of Other JUNOS Software Features with IP Source Guard on page 1083

IP Address Spoofing
Hosts on access interfaces can spoof source IP addresses and/or source MAC addresses
by flooding the switch with packets containing invalid addresses. Such attacks
combined with other techniques such as TCP SYN flood attacks can result in
denial-of-service (DoS) attacks. With source IP address or source MAC address
spoofing, the system administrator cannot identify the source of the attack. The
attacker can spoof addresses on the same subnet or on a different subnet.

How IP Source Guard Works


IP source guard checks the IP source address and MAC source address in a packet
sent from a host attached to an untrusted access interface on the switch against
entries stored in the DHCP snooping database. If IP source guard determines that
the packet header contains an invalid source IP address or source MAC address, it
ensures that the switch does not forward the packet; that is, the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP
source guard applies its checking rules to packets sent from untrusted access interfaces
on those VLANs. By default, on EX Series switches, access interfaces are untrusted
and trunk interfaces are trusted. IP source guard does not check packets that have
been sent to the switch by devices connected to either trunk interfaces or trusted
access interfaces, that is, interfaces configured as dhcp-trusted so that a DHCP server
can be connected to that interface to provide dynamic IP addresses.
IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP
packets against the entries in that database.
After the DHCP snooping database has been populated either through dynamic DHCP
snooping or through configuration of specific static IP address/MAC address bindings,
the IP source guard feature builds its database. It then checks incoming packets from
access interfaces on the VLANs on which it is enabled. If the source IP addresses and
source MAC addresses match the IP source guard binding entries, the switch forwards
the packets to their specified destination addresses. If there are no matches, the
switch discards the packets.


The IP Source Guard Database


The IP source guard database looks like this:
user@switch> show ip-source-guard
IP source guard information:
Interface      Tag  IP Address   MAC Address        VLAN
ge-0/0/12.0         10.10.10.7   00:30:48:92:A5:9D  vlan100
ge-0/0/13.0         10.10.10.9   00:30:48:8D:01:3D  vlan100
ge-0/0/13.0    100  *            *                  voice

The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.
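An added Python model, not JUNOS code, of the checks described in How IP Source Guard Works and of the database shown above; it also covers the DAI comparison of ARP packets against the same DHCP snooping bindings, so one table of bindings serves both features. The two bindings are constructed from the sample output; the trusted interface ge-0/0/0.0, the exact decision rules (interface, VLAN, IP and MAC all matched for IP source guard; VLAN plus sender IP and MAC for DAI), and the sample ARP traffic are assumptions made for this example.

```python
from collections import Counter, namedtuple

Binding = namedtuple("Binding", "interface vlan ip mac")

# Constructed from the show ip-source-guard sample above: two bindings learned
# by DHCP snooping on vlan100. The voice VLAN is not enabled for IP source guard.
SNOOPING_DB = [
    Binding("ge-0/0/12.0", "vlan100", "10.10.10.7", "00:30:48:92:a5:9d"),
    Binding("ge-0/0/13.0", "vlan100", "10.10.10.9", "00:30:48:8d:01:3d"),
]
IPSG_VLANS = {"vlan100"}
TRUSTED_INTERFACES = {"ge-0/0/0.0"}     # assumed dhcp-trusted uplink, not on the page


def has_binding(db, vlan, ip, mac, interface=None):
    """True when (vlan, ip, mac) is a binding in the snooping database; the
    interface is also required to match when one is given."""
    return any(b.vlan == vlan and b.ip == ip and b.mac == mac.lower()
               and (interface is None or b.interface == interface) for b in db)


def ip_source_guard(pkt, db=SNOOPING_DB, enabled=IPSG_VLANS, trusted=TRUSTED_INTERFACES):
    """Decide an IP packet from an access port: 'forward' or 'discard'.
    pkt is a dict with interface, vlan, src_ip and src_mac."""
    if pkt["interface"] in trusted or pkt["vlan"] not in enabled:
        return "forward"          # trusted port, or a VLAN shown with * in the table
    if has_binding(db, pkt["vlan"], pkt["src_ip"], pkt["src_mac"], pkt["interface"]):
        return "forward"
    return "discard"


def dai(arp, db=SNOOPING_DB, trusted=TRUSTED_INTERFACES):
    """Dynamic ARP inspection: the sender IP/MAC pair in a request or reply must
    match a binding on the same VLAN. arp is a dict with interface, vlan,
    sender_ip and sender_mac."""
    if arp["interface"] in trusted:
        return "pass"
    return "pass" if has_binding(db, arp["vlan"], arp["sender_ip"], arp["sender_mac"]) else "fail"


def arp_inspection_statistics(arps, **kw):
    """Per-interface (received, passed, failed) counts in the shape of the
    show arp inspection statistics output."""
    received, passed = Counter(), Counter()
    for arp in arps:
        received[arp["interface"]] += 1
        if dai(arp, **kw) == "pass":
            passed[arp["interface"]] += 1
    return {i: (received[i], passed[i], received[i] - passed[i]) for i in received}


# Constructed ARP traffic: the host on ge-0/0/12.0 twice with its own binding,
# once claiming its neighbour's IP address, and the neighbour on ge-0/0/13.0.
SAMPLE_ARPS = [
    {"interface": "ge-0/0/12.0", "vlan": "vlan100", "sender_ip": "10.10.10.7", "sender_mac": "00:30:48:92:A5:9D"},
    {"interface": "ge-0/0/12.0", "vlan": "vlan100", "sender_ip": "10.10.10.9", "sender_mac": "00:30:48:92:A5:9D"},
    {"interface": "ge-0/0/12.0", "vlan": "vlan100", "sender_ip": "10.10.10.7", "sender_mac": "00:30:48:92:A5:9D"},
    {"interface": "ge-0/0/13.0", "vlan": "vlan100", "sender_ip": "10.10.10.9", "sender_mac": "00:30:48:8D:01:3D"},
]
```

The voice VLAN case shows why the star rows matter operationally: a packet on a VLAN that is not enabled for IP source guard is forwarded without any binding lookup, so enabling the feature on the data VLAN alone leaves the voice VLAN on the same interface unchecked.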

Typical Uses of Other JUNOS Software Features with IP Source Guard


You can configure IP source guard with various other features on the EX Series switch
to provide access port security, including:

VLAN tagging (used for voice VLANs)

GRES (Graceful Routing Engine switchover)

Virtual Chassis configurations (multiple EX4200 switches that are managed
through a single management interface)

Link-aggregation groups (LAGs)

802.1X user authentication, in single supplicant mode

NOTE: The 802.1X user authentication is applied in one of three modes: single
supplicant, single-secure supplicant, or multiple supplicant. Single supplicant mode
works with IP source guard, but single-secure and multiple supplicant modes do not.

Related Topics

Understanding DHCP Snooping for Port Security on EX Series Switches on page 1067

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface
with a Voice VLAN on page 1128

Example: Configuring IP Source Guard with Other EX Series Switch Features to
Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 1120

Understanding Proxy ARP for Port Security on EX Series Switches


Unrestricted proxy Address Resolution Protocol (ARP) provides security for access
ports (interfaces) on Juniper Networks EX Series Ethernet Switches. When you enable
unrestricted proxy ARP, hosts that are connected to the switch's interfaces cannot
communicate directly with other hosts. Instead all communications between hosts
go through the switch.

What Is ARP? on page 1084

Unrestricted Proxy ARP Overview on page 1084

Why Disable Gratuitous ARP Requests? on page 1084

What Is ARP?
Ethernet LANs use ARP to map Ethernet media access control (MAC) addresses to
IP addresses. The switch maintains this mapping in a cache that it consults when
forwarding packets to network devices. If the ARP cache does not contain an entry
for the destination device, the host (which is the DHCP client) broadcasts an ARP
request for that device's address and stores the response in the cache.

Unrestricted Proxy ARP Overview


If you enable proxy ARP on an EX Series switch, the default mode is unrestricted,
which is the only mode supported, and it applies globally to all interfaces on the
switch. This includes routed VLAN interfaces (RVIs). The switch responds to any ARP
request as long as the switch has an active route to the destination address. The
switch provides its own MAC address in the ARP response, thereby acting as a proxy
for the destination host. The switch forwards subsequent messages from the
requesting host to the appropriate destination host.
Because proxy ARP applies to all the interfaces on the switch, all hosts attached to
the switch receive the switch's MAC address in response to their ARP requests and
all hosts transmit subsequent messages to the switch's MAC address. The switch
routes subsequent messages from the hosts to the appropriate destination addresses.
If you do not enable proxy ARP, the switch responds to an ARP request only if the
IP address of the destination device is configured on the switch.

Why Disable Gratuitous ARP Requests?


If you enable proxy ARP, we recommend that you disable the switch's interfaces
from responding to gratuitous ARP requests.
If you enable proxy ARP and do not disable gratuitous ARP requests, the switch
responds to all ARP requests, including gratuitous ARP requests. When the switch
receives a gratuitous ARP request, the switch might interpret it as an indication of
an IP conflict.


You do not need to disable gratuitous ARP replies. (Updating of the ARP cache for
replies received in response to gratuitous ARP requests is disabled by default on all
Ethernet interfaces.)
Gratuitous ARP is a type of ARP message in which the host broadcasts an ARP request
or reply for its own MAC address:

Gratuitous ARP request: An ARP request packet in which the source and
destination IP addresses are both set to the IP address of the device issuing the
packet and the destination MAC address is the broadcast address.

Gratuitous ARP reply: An ARP reply sent in the absence of an ARP request.
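An added Python example, not JUNOS code, that applies the two definitions above to a trace of ARP messages seen on a segment: it labels each message as a normal or gratuitous request or reply, and it flags the two conditions the usages listed below mention, a request carrying one of the monitor's own IP addresses (an IP conflict) and repeated gratuitous replies from one host. The packet dictionary layout, the threshold of three replies, and the MAC and IP addresses in the trace are assumptions constructed for this example.

```python
from collections import Counter

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class ArpMonitor:
    """Classifies ARP messages using the definitions above and records events
    for an IP conflict and for repeated gratuitous replies from one host."""

    def __init__(self, own_ips=(), reply_threshold=3):
        self.own_ips = set(own_ips)
        self.reply_threshold = reply_threshold
        self.pending = Counter()               # target IP -> unanswered requests seen
        self.gratuitous_replies = Counter()    # sender MAC -> gratuitous replies seen
        self.events = []

    def observe(self, pkt):
        """pkt: dict(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac).
        Returns 'request', 'gratuitous-request', 'reply' or 'gratuitous-reply'."""
        op = pkt["op"]
        if op == ARP_REQUEST:
            if pkt["sender_ip"] in self.own_ips:
                # Another station is announcing or probing an address we hold.
                self.events.append(("ip-conflict", pkt["sender_ip"], pkt["sender_mac"]))
            if pkt["sender_ip"] == pkt["target_ip"] and pkt["dst_mac"].lower() == BROADCAST_MAC:
                return "gratuitous-request"
            self.pending[pkt["target_ip"]] += 1
            return "request"
        if op == ARP_REPLY:
            if self.pending[pkt["sender_ip"]] > 0:
                self.pending[pkt["sender_ip"]] -= 1
                return "reply"
            # A reply nobody asked for is gratuitous; count them per host.
            mac = pkt["sender_mac"].lower()
            self.gratuitous_replies[mac] += 1
            if self.gratuitous_replies[mac] > self.reply_threshold:
                self.events.append(("repeated-gratuitous-reply", mac, self.gratuitous_replies[mac]))
            return "gratuitous-reply"
        raise ValueError("unsupported ARP opcode %r" % (op,))


def arp(op, sender_mac, sender_ip, target_ip, dst_mac=BROADCAST_MAC,
        target_mac="00:00:00:00:00:00"):
    """Build a constructed ARP message dict."""
    return dict(op=op, sender_mac=sender_mac, sender_ip=sender_ip,
                target_mac=target_mac, target_ip=target_ip, dst_mac=dst_mac)


def run_trace():
    """Replay a constructed trace: a normal resolution, a gratuitous request on
    link-up, a request that conflicts with the monitor's address, and a host
    sending gratuitous replies. Returns (classifications, events)."""
    mon = ArpMonitor(own_ips={"192.0.2.1"})
    kinds = [
        mon.observe(arp(ARP_REQUEST, "00:00:5e:00:53:10", "192.0.2.10", "192.0.2.20")),
        mon.observe(arp(ARP_REPLY, "00:00:5e:00:53:20", "192.0.2.20", "192.0.2.10",
                        dst_mac="00:00:5e:00:53:10", target_mac="00:00:5e:00:53:10")),
        mon.observe(arp(ARP_REQUEST, "00:00:5e:00:53:30", "192.0.2.30", "192.0.2.30")),
        mon.observe(arp(ARP_REQUEST, "00:00:5e:00:53:99", "192.0.2.1", "192.0.2.1")),
    ]
    for _ in range(4):
        kinds.append(mon.observe(arp(ARP_REPLY, "00:00:5e:00:53:40", "192.0.2.40",
                                     "192.0.2.40", dst_mac=BROADCAST_MAC)))
    return kinds, mon.events
```

The pending counter is what separates a solicited reply from a gratuitous one here: the monitor can only call a reply gratuitous if it has seen the whole exchange, so on a switch it belongs on a port that sees the segment's broadcast traffic.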

Some common usages of gratuitous ARP messages are to:

Resolve IP conflict issues: When a device receives an ARP request with a source
IP address that matches its own IP address, it detects an IP conflict and sends
an alert by broadcasting a gratuitous ARP message.

Update hardware changes: When a device receives a gratuitous ARP reply, it
updates its ARP cache, replacing the old MAC address with the new MAC address.

Notify local hosts of a link up event: When an IP interface or link goes up, the
interface typically sends a gratuitous ARP reply to preload the ARP tables of other
local hosts. In this case, the gratuitous ARP message indicates that the host has
just had a link up event, such as a machine being rebooted. Multiple gratuitous
ARP replies from the same host might indicate a problem.

Related Topics

Port Security for EX Series Switches Overview on page 1063

Example: Configuring Unrestricted Proxy ARP on an EX Series Switch on page 1142


Chapter 56

Examples of Configuring Port Security

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 1094

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 1098

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 1101

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 1105

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 1109

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series
Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring IP Source Guard with Other EX Series Switch Features to
Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 1120

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface
with a Voice VLAN on page 1128

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent
Between Clients and a DHCP Server on page 1135

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay
Agent Between Clients and DHCP Server on page 1138

Example: Configuring Unrestricted Proxy ARP on an EX Series Switch on page 1142

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and
MAC Move Limiting, on an EX Series Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting,
and MAC move limiting on the access ports of EX Series switches to protect the
switch and the Ethernet LAN against address spoofing and Layer 2 denial-of-service
(DoS) attacks. You can also configure a trusted DHCP server and specific (allowed)
MAC addresses for the switch interfaces.


This example describes how to configure basic port security features (DHCP snooping,
DAI, MAC limiting, and MAC move limiting, as well as a trusted DHCP server and
allowed MAC addresses) on a switch. The DHCP server and its clients are all members
of a single VLAN on the switch.

Requirements on page 1088

Overview and Topology on page 1088

Configuration on page 1090

Verification on page 1091

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.0 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
To protect the devices from such attacks, you can configure DHCP snooping to
validate DHCP server messages, DAI to protect against MAC spoofing, and MAC cache
limiting to constrain the number of MAC addresses the switch adds to its MAC address
cache. You can also configure MAC move limiting to help prevent MAC spoofing.
This example shows how to configure these security features on an EX3200-24P
switch. The switch is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490. That procedure is
not repeated here. Figure 64 on page 1089 illustrates the topology for this example.


Figure 64: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 143 on page
1089.

Table 143: Components of the Port Security Topology

Properties                    Settings
Switch hardware               One EX3200-24P, 24 ports (8 PoE ports)
VLAN name and ID              employee-vlan, tag 20
VLAN subnets                  192.0.2.16/28
                              192.0.2.17 through 192.0.2.30
                              192.0.2.31 is subnet's broadcast address
Interfaces in employee-vlan   ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server     ge-0/0/8

In this example, the switch is initially configured with the default port security setup.
In the default configuration on the switch:

Secure port access is activated on the switch.

DHCP snooping and DAI are disabled on all VLANs.

All access ports are untrusted and all trunk ports are trusted for DHCP snooping,
which is the default setting.


In the configuration tasks for this example, you set the DHCP server first as untrusted
and then as trusted; you enable DHCP snooping, DAI, and MAC move limiting on a
VLAN; you modify the value for MAC limit; and you configure some specific (allowed)
MAC addresses on an interface.

Configuration
To configure basic port security on a switch whose DHCP server and client ports are
in a single VLAN:
CLI Quick Configuration

To quickly configure basic port security on the switch, copy the following commands
and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
set interface ge-0/0/2 mac-limit 4
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan arp-inspection
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-move-limit 5

Step-by-Step Procedure

Configure basic port security on the switch:


1. Enable DHCP snooping on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan examine-dhcp

2. Specify the interface (port) from which DHCP responses are allowed:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted

3. Enable dynamic ARP inspection (DAI) on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection

4. Configure the MAC limit of 4 and use the default action, drop. (Packets will be
dropped and the MAC address will not be added to the Ethernet switching table
if the MAC limit has been exceeded on the interfaces):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4
user@switch# set interface ge-0/0/2 mac-limit 4

5. Configure a MAC move limit of 5 and use the default action, drop. (Packets will
be dropped and the MAC address will not be added to the Ethernet switching
table if a MAC address has exceeded the MAC move limit):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5

6. Configure the allowed MAC addresses:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
    mac-limit 4 action drop;
}
interface ge-0/0/2.0 {
    allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83
        00:05:85:3a:82:85 00:05:85:3a:82:88 ];
    mac-limit 4 action drop;
}
interface ge-0/0/8.0 {
    dhcp-trusted;
}
vlan employee-vlan {
    arp-inspection;
    examine-dhcp;
    mac-move-limit 5 action drop;
}

Verification
To confirm that the configuration is working properly:

Verifying That DHCP Snooping Is Working Correctly on the Switch on page 1091

Verifying That DAI Is Working Correctly on the Switch on page 1092

Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on
the Switch on page 1093

Verifying That Allowed MAC Addresses Are Working Correctly on the
Switch on page 1094

Verifying That DHCP Snooping Is Working Correctly on the Switch


Purpose

Verify that DHCP snooping is working on the switch.


Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN           Interface
-----------------   ----------   -----  -------  -------------  ----------
00:05:85:3A:82:77   192.0.2.17   600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   3200   dynamic  employee-vlan  ge-0/0/2.0

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires.
If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN           Interface
-----------------   ----------   -----  -------  -------------  ----------
00:05:85:3A:82:77   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0

In the preceding output sample, IP addresses and lease times are not assigned because
the DHCP clients do not have a trusted server to which they can send requests. In
the database, the clients' MAC addresses are shown with no assigned IP addresses
(hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time
is shown as a dash in the Lease column).

Verifying That DAI Is Working Correctly on the Switch


Purpose

Verify that DAI is working on the switch.

Action

Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch> show arp inspection statistics
ARP inspection statistics:
Interface        Packets received  ARP inspection pass  ARP inspection failed
---------------  ----------------  -------------------  ---------------------
ge-0/0/1.0       7                 5                    2
ge-0/0/2.0       10                10                   0
ge-0/0/3.0       12                12                   0

Meaning

The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.

Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on the Switch

Purpose
Verify that MAC limiting and MAC move limiting are working on the switch.

Action
Suppose that two packets have been sent from hosts on ge-0/0/1 and five packets
from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the default
action drop.
Display the MAC addresses learned:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
  VLAN            MAC address         Type    Age  Interfaces
  employee-vlan   *                   Flood   -    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:85   Learn   0    ge-0/0/2.0

Now suppose packets have been sent from two of the hosts on ge-0/0/2 after they
have been moved to other interfaces more than 5 times in 1 second, with
employee-vlan set to a MAC move limit of 5 with the default action drop.
Display the MAC addresses in the table:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 4 learned
  VLAN            MAC address         Type    Age  Interfaces
  employee-vlan   *                   Flood   -    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
  employee-vlan   *                   Flood   -    ge-0/0/2.0
  employee-vlan   *                   Flood   -    ge-0/0/2.0


Meaning

The first sample output shows that with a MAC limit of 4 for each interface, the fifth
MAC address on ge-0/0/2 was not learned because it exceeded the MAC limit. The
second sample output shows that MAC addresses for three of the hosts on ge-0/0/2
were not learned, because the hosts had been moved back more than 5 times in one
second.

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch

Purpose
Verify that allowed MAC addresses are working on the switch.

Action
Display the MAC cache information after 5 allowed MAC addresses have been
configured on interface ge-0/0/2:
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
  VLAN            MAC address         Type    Age  Interfaces
  employee-vlan   00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:85   Learn   0    ge-0/0/2.0
  employee-vlan   *                   Flood   -    ge-0/0/2.0

Meaning
Because the MAC limit value for this interface has been set to 4, only 4 of the 5
configured allowed addresses are learned.

Related Topics

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series
Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 1098

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 1109

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 1105

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
on page 1094

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 1101

Configuring Port Security (CLI Procedure) on page 1150

Configuring Port Security (J-Web Procedure) on page 1151

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses,
to Protect the Switch from Ethernet Switching Table Overflow Attacks
In an Ethernet switching table overflow attack, an intruder sends so many requests
from new MAC addresses that the Ethernet switching table fills up and then overflows,
forcing the switch to broadcast all messages.

This example describes how to configure MAC limiting and allowed MAC addresses,
two port security features, to protect the switch from Ethernet switching table attacks:

Requirements on page 1095

Overview and Topology on page 1095

Configuration on page 1097

Verification on page 1097

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.0 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure specific port security features to mitigate common
access-interface attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch from an attack on the Ethernet
switching table that causes the table to overflow and thus forces the switch to
broadcast all messages.
This example shows how to configure port security features on an EX3200-24P
switch. The switch is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490. That procedure is
not repeated here. Figure 64 on page 1089 illustrates the topology for this example.

Figure 65: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 143 on page
1089.
Table 144: Components of the Port Security Topology
Properties                    Settings
Switch hardware               One EX3200-24P, 24 ports (8 PoE ports)
VLAN name and ID              employee-vlan, tag 20
VLAN subnets                  192.0.2.16/28
                              192.0.2.17 through 192.0.2.30
                              192.0.2.31 is the subnet's broadcast address
Interfaces in employee-vlan   ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server     ge-0/0/8

In this example, use the MAC limit feature to control the total number of MAC
addresses that can be added to the Ethernet switching table for the specified interface.
Use the allowed MAC addresses feature to ensure that the addresses of network
devices whose network access is critical are guaranteed to be included in the Ethernet
switching table.
In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

No MAC limit is set on any of the interfaces.

All access interfaces are untrusted, which is the default setting.

Configuration
To configure MAC limiting and some allowed MAC addresses to protect the switch
against Ethernet switching table overflow attacks:
CLI Quick Configuration

To quickly configure MAC limiting and some allowed MAC addresses, copy the
following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85

Step-by-Step Procedure

Configure MAC limiting and some allowed MAC addresses:


1.

Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with
different addresses be dropped once the limit is exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4 action drop

2.

Configure the allowed MAC addresses on ge-0/0/2:


[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
mac-limit 4 action drop;
}
interface ge-0/0/2.0 {
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85:3a:82:85 ];
}

Verification
To confirm that the configuration is working properly:

Verifying That MAC Limiting Is Working Correctly on the Switch on page 1098

Verifying That MAC Limiting Is Working Correctly on the Switch

Purpose
Verify that MAC limiting is working on the switch.

Action
Display the MAC cache information after DHCP requests have been sent from hosts
on ge-0/0/1, with the interface set to a MAC limit of 4 with the action drop, and after
four allowed MAC addresses have been configured on interface ge-0/0/2:
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
  VLAN            MAC address         Type    Age  Interfaces
  employee-vlan   00:05:85:3A:82:71   Learn   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:74   Learn   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
  employee-vlan   *                   Flood   0    ge-0/0/1.0
  employee-vlan   00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
  employee-vlan   00:05:85:3A:82:85   Learn   0    ge-0/0/2.0
  employee-vlan   *                   Flood   -    ge-0/0/2.0

Meaning
The sample output shows that with a MAC limit of 4 for the interface, the DHCP
request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the
MAC limit and that only the specified allowed MAC addresses have been learned on
the ge-0/0/2 interface.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks
In a rogue DHCP server attack, an attacker has introduced a rogue server into the
network, allowing it to give IP address leases to the network's DHCP clients and to
assign itself as the gateway device.
This example describes how to configure a DHCP server interface as untrusted to
protect the switch from a rogue DHCP server:

Requirements on page 1099

Overview and Topology on page 1099

Configuration on page 1100

Verification on page 1101

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.0 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure an untrusted DHCP server interface to mitigate rogue DHCP
server attacks, be sure you have:

Connected the DHCP server to the switch.

Enabled DHCP snooping on the VLAN.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch from rogue DHCP server attacks.
This example shows how to explicitly configure an untrusted interface on an
EX3200-24P switch. Figure 64 on page 1089 illustrates the topology for this example.
Figure 66: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 143 on page
1089.
Table 145: Components of the Port Security Topology
Properties                    Settings
Switch hardware               One EX3200-24P, 24 ports (8 PoE ports)
VLAN name and ID              employee-vlan, tag 20
VLAN subnets                  192.0.2.16/28
                              192.0.2.17 through 192.0.2.30
                              192.0.2.31 is the subnet's broadcast address
Interfaces in employee-vlan   ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server     ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

DHCP snooping is enabled on the VLAN employee-vlan.

The interface (port) where the rogue DHCP server has connected to the switch
is currently trusted.

Configuration
To configure the DHCP server interface as untrusted because the interface is being
used by a rogue DHCP server:
CLI Quick Configuration

To quickly set the rogue DHCP server interface as untrusted, copy the following
command and paste it into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/8 no-dhcp-trusted

Step-by-Step Procedure

To set the DHCP server interface as untrusted:

Specify the interface (port) from which DHCP responses are not allowed:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 no-dhcp-trusted

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/8.0 {
no-dhcp-trusted;
}

Verification
To confirm that the configuration is working properly:

Verifying That the DHCP Server Interface Is Untrusted on page 1101

Verifying That the DHCP Server Interface Is Untrusted

Purpose
Verify that DHCP snooping is working on the switch. See what happens when the
DHCP server is untrusted.

Action
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the port on which the DHCP server
connects to the switch is not trusted. The following output results when requests are
sent from the MAC addresses but no server has provided IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address          IP Address  Lease  Type     VLAN           Interface
-----------------    ----------  -----  -------  -------------  ----------
00:05:85:3A:82:77    0.0.0.0     -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79    0.0.0.0     -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80    0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81    0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83    0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88    0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0

Meaning
In the sample output from the database, the clients' MAC addresses are shown with
no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and
no leases (the lease time is shown as a dash in the Lease column).

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Enabling a Trusted DHCP Server (CLI Procedure) on page 1156

Enabling a Trusted DHCP Server (J-Web Procedure) on page 1156

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks
In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses. The switch's trusted DHCP server or
servers cannot keep up with the requests and can no longer assign IP addresses and
lease times to legitimate DHCP clients on the switch. Requests from those clients
are either dropped or directed to a rogue DHCP server set up by the attacker.

This example describes how to configure MAC limiting, a port security feature, to
protect the switch against DHCP starvation attacks:

Requirements on page 1102

Overview and Topology on page 1102

Configuration on page 1104

Verification on page 1104

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.0 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure MAC limiting, a port security feature, to mitigate DHCP starvation
attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch against one common type of attack,
a DHCP starvation attack.
This example shows how to configure port security features on an EX3200-24P switch
that is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490. That procedure is
not repeated here. Figure 64 on page 1089 illustrates the topology for this example.

Figure 67: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 143 on page
1089.
Table 146: Components of the Port Security Topology
Properties                    Settings
Switch hardware               One EX3200-24P, 24 ports (8 PoE ports)
VLAN name and ID              default
Interfaces in employee-vlan   ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server     ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

No MAC limit is set on any of the interfaces.

DHCP snooping is disabled on the VLAN employee-vlan.

All access interfaces are untrusted, which is the default setting.

Configuration
To configure the MAC limiting port security feature to protect the switch against
DHCP starvation attacks:
CLI Quick Configuration

To quickly configure MAC limiting, copy the following commands and paste them
into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 3 action drop
set interface ge-0/0/2 mac-limit 3 action drop

Step-by-Step Procedure

Configure MAC limiting:


1.

Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 3 action drop

2.

Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit 3 action drop

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
mac-limit 3 action drop;
}
interface ge-0/0/2.0 {
mac-limit 3 action drop;
}

Verification
To confirm that the configuration is working properly:

Verifying That MAC Limiting Is Working Correctly on the Switch on page 1104

Verifying That MAC Limiting Is Working Correctly on the Switch

Purpose
Verify that MAC limiting is working on the switch.

Action
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the MAC addresses learned when DHCP requests are sent from hosts on
ge-0/0/1 and from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 3
with the action drop:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
  VLAN       MAC address         Type    Age  Interfaces
  default    *                   Flood   -    ge-0/0/2.0
  default    00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
  default    00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
  default    00:05:85:3A:82:80   Learn   0    ge-0/0/1.0
  default    00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
  default    00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
  default    00:05:85:3A:82:85   Learn   0    ge-0/0/2.0

Meaning

The sample output shows that with a MAC limit of 3 for each interface, the DHCP
request for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit.
Because only 3 MAC addresses can be learned on each of the two interfaces,
attempted DHCP starvation attacks will fail.
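The MAC limiting, MAC move limiting and allowed MAC behaviour verified in the sections above, modelled as an added Python example; this is not code from the JUNOS guide or from Juniper, and the single-VLAN table, the timestamps and the per-interface settings are constructed to mirror the verification scenarios (MAC limit 4 with action drop, MAC move limit 5 per second, five allowed MACs on an interface limited to 4).

```python
"""Constructed model of the Ethernet switching table under secure-access-port
MAC limiting, MAC move limiting and allowed MAC addresses. Added example, not
JUNOS code; all limits use the default action drop."""


class EthernetSwitchingTable:
    """Switching table of one VLAN with the three port security checks."""

    def __init__(self, vlan, mac_limit=None, move_limit=None, allowed_mac=None):
        self.vlan = vlan
        self.mac_limit = dict(mac_limit or {})  # interface -> max MACs learned on it
        self.move_limit = move_limit            # max interface moves per MAC per second
        self.entries = {}                       # mac -> interface (type Learn)
        self.flooded = {}                       # mac -> interface, entries turned to Flood
        self.move_times = {}                    # mac -> timestamps of recent moves
        # Allowed MACs are installed before any traffic arrives; they still
        # count against the interface's MAC limit, so surplus ones are dropped.
        for iface, macs in (allowed_mac or {}).items():
            for mac in macs:
                self.learn(iface, mac, now=0.0)

    def learned_on(self, iface):
        return sum(1 for i in self.entries.values() if i == iface)

    def learn(self, iface, mac, now):
        """Frame from `mac` seen on `iface` at time `now`; True if the MAC is
        learned or kept, False if the frame is dropped."""
        if mac in self.flooded:
            return False                        # already dropped by the move limit
        prev = self.entries.get(mac)
        if prev is not None and prev != iface:
            # The MAC moved: keep only the moves seen within the last second.
            times = [t for t in self.move_times.get(mac, []) if now - t <= 1.0]
            times.append(now)
            self.move_times[mac] = times
            if self.move_limit is not None and len(times) > self.move_limit:
                del self.entries[mac]           # entry is replaced by a Flood entry
                self.flooded[mac] = iface
                return False
        if prev is None:
            limit = self.mac_limit.get(iface)
            if limit is not None and self.learned_on(iface) >= limit:
                return False                    # mac-limit exceeded: action drop
        self.entries[mac] = iface
        return True

    def rows(self):
        """Rows in the column order of 'show ethernet-switching table'."""
        learned = [(self.vlan, m, "Learn", 0, i) for m, i in self.entries.items()]
        flood = [(self.vlan, "*", "Flood", "-", i) for i in self.flooded.values()]
        return learned + flood


def mac_limit_scenario():
    """Two hosts on ge-0/0/1 and five on ge-0/0/2, both interfaces mac-limit 4."""
    t = EthernetSwitchingTable("employee-vlan",
                               mac_limit={"ge-0/0/1.0": 4, "ge-0/0/2.0": 4})
    outcomes = [t.learn("ge-0/0/1.0", "00:05:85:3A:82:77", 0.0),
                t.learn("ge-0/0/1.0", "00:05:85:3A:82:79", 0.0)]
    for mac in ("00:05:85:3A:82:80", "00:05:85:3A:82:81",
                "00:05:85:3A:82:83", "00:05:85:3A:82:85", "00:05:85:3A:82:88"):
        outcomes.append(t.learn("ge-0/0/2.0", mac, 0.0))
    return outcomes, t.learned_on("ge-0/0/2.0")


def mac_move_scenario():
    """One host flaps between ge-0/0/2 and ge-0/0/3 seven times in 0.7 s, move limit 5."""
    t = EthernetSwitchingTable("employee-vlan", move_limit=5)
    mac = "00:05:85:3A:82:83"
    t.learn("ge-0/0/2.0", mac, 0.0)
    outcomes = []
    for k in range(1, 8):
        iface = "ge-0/0/3.0" if k % 2 else "ge-0/0/2.0"
        outcomes.append(t.learn(iface, mac, 0.1 * k))
    return outcomes, t.rows()


def allowed_mac_scenario():
    """Five allowed MACs configured on ge-0/0/2 while its mac-limit is 4."""
    allowed = {"ge-0/0/2.0": ["00:05:85:3A:82:80", "00:05:85:3A:82:81",
                              "00:05:85:3A:82:83", "00:05:85:3A:82:85",
                              "00:05:85:3A:82:88"]}
    t = EthernetSwitchingTable("employee-vlan", mac_limit={"ge-0/0/2.0": 4},
                               allowed_mac=allowed)
    return t.learned_on("ge-0/0/2.0"), len(t.rows())
```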

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks
In an ARP spoofing attack, the attacker associates its own MAC address with the IP
address of a network device connected to the switch. Traffic intended for that IP
address is now sent to the attacker instead of being sent to the intended destination.
The attacker can send faked, or spoofed, ARP messages on the LAN.
This example describes how to configure DHCP snooping and dynamic ARP inspection
(DAI), two port security features, to protect the switch against ARP spoofing attacks:

Requirements on page 1105

Overview and Topology on page 1106

Configuration on page 1107

Verification on page 1108

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.0 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure DHCP snooping and DAI, two port security features, to mitigate
ARP spoofing attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch against one common type of attack,
an ARP spoofing attack.
In an ARP spoofing attack, the attacker sends faked ARP messages, thus creating
various types of mischief on the LAN; for example, the attacker might launch a
man-in-the-middle attack.
This example shows how to configure port security features on an EX3200-24P switch
that is connected to a DHCP server. The setup for this example includes the VLAN
employee-vlan on the switch. The procedure for creating that VLAN is described in
the topic Example: Setting Up Bridging with Multiple VLANs for EX Series Switches
on page 490. That procedure is not repeated here. Figure 64 on page 1089 illustrates
the topology for this example.
Figure 68: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 143 on page
1089.

Table 147: Components of the Port Security Topology
Properties                    Settings
Switch hardware               One EX3200-24P, 24 ports (8 PoE ports)
VLAN name and ID              employee-vlan, tag 20
VLAN subnets                  192.0.2.16/28
                              192.0.2.17 through 192.0.2.30
                              192.0.2.31 is the subnet's broadcast address
Interfaces in employee-vlan   ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server     ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

DHCP snooping is disabled on the VLAN employee-vlan.

All access ports are untrusted, which is the default setting.

Configuration
To configure DHCP snooping and dynamic ARP inspection (DAI) to protect the switch
against ARP attacks:
CLI Quick Configuration

To quickly configure DHCP snooping and dynamic ARP inspection (DAI), copy the
following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan examine-dhcp
set vlan employee-vlan arp-inspection

Step-by-Step Procedure

Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN:
1.

Set the ge-0/0/8 interface as trusted:


[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted

2.

Enable DHCP snooping on the VLAN:


[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan examine-dhcp

3.

Enable DAI on the VLAN:


[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/8.0 {
dhcp-trusted;
}
vlan employee-vlan {
arp-inspection;
examine-dhcp;
}

Verification
To confirm that the configuration is working properly:

Verifying That DHCP Snooping Is Working Correctly on the Switch on page 1108

Verifying That DAI Is Working Correctly on the Switch on page 1108

Verifying That DHCP Snooping Is Working Correctly on the Switch

Purpose
Verify that DHCP snooping is working on the switch.

Action
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the port on which the DHCP server
connects to the switch is trusted. The following output results when requests are sent
from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address          IP Address    Lease   Type     VLAN           Interface
-----------------    ----------    -----   -------  -------------  ----------
00:05:85:3A:82:77    192.0.2.17    600     dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79    192.0.2.18    653     dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80    192.0.2.19    720     dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81    192.0.2.20    932     dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83    192.0.2.21    1230    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88    192.0.2.22    3200    dynamic  employee-vlan  ge-0/0/3.0

Meaning
When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires.

Verifying That DAI Is Working Correctly on the Switch

Purpose
Verify that DAI is working on the switch.

Action
Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch> show arp inspection statistics
ARP inspection statistics:
Interface        Packets received  ARP inspection pass  ARP inspection failed
---------------  ----------------  -------------------  ---------------------
ge-0/0/1.0       7                 5                    2
ge-0/0/2.0       10                10                   0
ge-0/0/3.0       12                12                   0

Meaning
The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Enabling DHCP Snooping (CLI Procedure) on page 1154

Enabling DHCP Snooping (J-Web Procedure) on page 1155

Enabling Dynamic ARP Inspection (CLI Procedure) on page 1163

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 1164
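The DHCP snooping and DAI behaviour verified in this example and in the combined port security example earlier (a binding table filled only from a trusted server's replies, and ARP packets checked against it with per-interface pass/fail counts), as an added Python model; it is not JUNOS or Juniper code, and the packets, interface names and addresses are constructed.

```python
"""Constructed model of DHCP snooping and dynamic ARP inspection (DAI).
Added example, not JUNOS code: server replies are accepted only from a
dhcp-trusted interface, a client gets a binding (IP 0.0.0.0, lease '-') on
its first request, and DAI passes an ARP packet only when its sender MAC/IP
pair matches a valid binding, counted per interface like
'show arp inspection statistics'."""


class Binding:
    """One row of the DHCP snooping database."""

    def __init__(self, mac, vlan, interface):
        self.mac, self.vlan, self.interface = mac, vlan, interface
        self.ip = "0.0.0.0"       # no address until a trusted server answers
        self.lease = None         # printed as '-' while unassigned


class PortSecuritySwitch:
    def __init__(self, trusted_interfaces=()):
        self.trusted = set(trusted_interfaces)  # interfaces set dhcp-trusted
        self.bindings = {}                      # client MAC -> Binding
        self.arp_stats = {}                     # interface -> [received, pass, fail]

    def dhcp_packet(self, iface, vlan, kind, client_mac, ip=None, lease=None):
        """Snoop one DHCP packet; True if forwarded, False if dropped."""
        if kind in ("DISCOVER", "REQUEST"):
            # Client traffic on an access port: create the binding entry.
            self.bindings.setdefault(client_mac, Binding(client_mac, vlan, iface))
            return True
        if kind in ("OFFER", "ACK"):
            if iface not in self.trusted:
                return False  # server reply on an untrusted port (rogue server)
            if kind == "ACK" and client_mac in self.bindings:
                b = self.bindings[client_mac]
                b.ip, b.lease = ip, lease       # binding is now valid for DAI
            return True
        return True

    def arp_packet(self, iface, sender_mac, sender_ip):
        """DAI: pass only if the sender MAC/IP pair is a valid snooping binding."""
        stat = self.arp_stats.setdefault(iface, [0, 0, 0])
        stat[0] += 1
        b = self.bindings.get(sender_mac)
        ok = b is not None and b.ip != "0.0.0.0" and b.ip == sender_ip
        stat[1 if ok else 2] += 1
        return ok

    def binding_rows(self):
        """Rows in the column order of 'show dhcp snooping binding'."""
        return [(b.mac, b.ip, "-" if b.lease is None else str(b.lease),
                 "dynamic", b.vlan, b.interface) for b in self.bindings.values()]


def scenario(server_trusted):
    """Three clients lease addresses via ge-0/0/8, then send ARP; one ARP
    packet on ge-0/0/1 claims an IP bound to a host on ge-0/0/2."""
    sw = PortSecuritySwitch({"ge-0/0/8.0"} if server_trusted else ())
    clients = [("00:05:85:3A:82:77", "ge-0/0/1.0", "192.0.2.17", 600),
               ("00:05:85:3A:82:79", "ge-0/0/1.0", "192.0.2.18", 653),
               ("00:05:85:3A:82:80", "ge-0/0/2.0", "192.0.2.19", 720)]
    for mac, iface, ip, lease in clients:
        sw.dhcp_packet(iface, "employee-vlan", "DISCOVER", mac)
        sw.dhcp_packet("ge-0/0/8.0", "employee-vlan", "ACK", mac, ip, lease)
    sw.arp_packet("ge-0/0/1.0", "00:05:85:3A:82:77", "192.0.2.17")   # matches binding
    sw.arp_packet("ge-0/0/1.0", "00:05:85:3A:82:77", "192.0.2.19")   # spoofed: dropped
    sw.arp_packet("ge-0/0/2.0", "00:05:85:3A:82:80", "192.0.2.19")   # matches binding
    return sw.binding_rows(), sw.arp_stats
```

With the server interface untrusted, every ACK is dropped, all bindings keep IP 0.0.0.0 and lease '-', and every ARP packet fails inspection, which is the situation the untrusted-server verification above shows.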

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks
In one type of attack on the DHCP snooping database, an intruder introduces a DHCP
client on an untrusted access interface with a MAC address identical to that of a client
on another untrusted interface. The intruder then acquires the DHCP lease of that
other client, thus changing the entries in the DHCP snooping table. Subsequently,
what would have been valid ARP requests from the legitimate client are blocked.
This example describes how to configure allowed MAC addresses, a port security
feature, to protect the switch from DHCP snooping database alteration attacks:

Requirements on page 1109

Overview and Topology on page 1110

Configuration on page 1111

Verification on page 1112

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.0 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure specific port security features to mitigate common
access-interface attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch from an attack on the DHCP
snooping database that alters the MAC addresses assigned to some clients.
This example shows how to configure port security features on an EX3200-24P switch
that is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490. That procedure is
not repeated here. Figure 64 on page 1089 illustrates the topology for this example.
Figure 69: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 143 on page
1089.
Table 148: Components of the Port Security Topology
Properties                    Settings
Switch hardware               One EX3200-24P, 24 ports (8 PoE ports)
VLAN name and ID              employee-vlan, tag 20
VLAN subnets                  192.0.2.16/28
                              192.0.2.17 through 192.0.2.30
                              192.0.2.31 is the subnet's broadcast address
Interfaces in employee-vlan   ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server     ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

DHCP snooping is enabled on the VLAN employee-vlan.

All access ports are untrusted, which is the default setting. The interface ge-0/0/8,
to which the DHCP server is connected, must be configured as dhcp-trusted;
otherwise DHCP snooping discards the server's replies.

Configuration
To configure allowed MAC addresses to protect the switch against DHCP snooping
database alteration attacks:
CLI Quick Configuration

To quickly configure some allowed MAC addresses on an interface, copy the following
commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Step-by-Step Procedure

To configure some allowed MAC addresses on an interface:

1. Configure the five allowed MAC addresses on the interface:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Results

Check the results of the configuration:

[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/2.0 {
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85:3a:82:85 00:05:85:3a:82:88 ];
}

Verification
To confirm that the configuration is working properly:

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch on page 1112

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch

Purpose

Verify that allowed MAC addresses are working on the switch.

Action

Display the MAC cache information:
user@switch> show ethernet-switching table
Ethernet-switching table: 6 entries, 5 learned
  VLAN               MAC address          Type    Age  Interfaces
  employee-vlan      00:05:85:3A:82:80    Learn     0  ge-0/0/2.0
  employee-vlan      00:05:85:3A:82:81    Learn     0  ge-0/0/2.0
  employee-vlan      00:05:85:3A:82:83    Learn     0  ge-0/0/2.0
  employee-vlan      00:05:85:3A:82:85    Learn     0  ge-0/0/2.0
  employee-vlan      00:05:85:3A:82:88    Learn     0  ge-0/0/2.0
  employee-vlan      *                    Flood     -  ge-0/0/2.0

Meaning

The output shows that the five MAC addresses configured as allowed MAC addresses
have been learned on ge-0/0/2.0 and appear in the MAC cache. No address outside the
allowed list has been learned on that interface; the final line, with an asterisk (*) in
the MAC address column and type Flood, is the VLAN's flood entry, not a learned host
address.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting
on the access interfaces of EX Series switches to protect the switch and the Ethernet
LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. To obtain
those basic settings, you can use the switch's default configuration for port security,
configure the MAC limit, and enable DHCP snooping and DAI on a VLAN. You can
configure those features when the DHCP server is connected to a different switch
from the one to which the DHCP clients (network devices) are connected.

This example describes how to configure port security features on an EX Series switch
whose hosts obtain IP addresses and lease times from a DHCP server connected to
a second switch:

Requirements on page 1113

Overview and Topology on page 1113

Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 on page 1115

Configuring a VLAN and Interfaces on Switch 2 on page 1117

Verification on page 1118

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch (Switch 1 in this example).

An additional EX Series switch (Switch 2 in this example). You will not configure
port security on this switch.

JUNOS Release 9.0 or later for EX Series switches.

A DHCP server connected to Switch 2. You will use the server to provide IP
addresses to network devices connected to Switch 1.

At least two network devices (hosts) that you will connect to access interfaces
on Switch 1. These devices will be DHCP clients.

Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:

Connected the DHCP server to Switch 2.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
To protect the devices from such attacks, you can configure:

DHCP snooping to validate DHCP server messages

DAI to protect against ARP spoofing

MAC limiting to constrain the number of MAC addresses the switch adds to its
MAC address cache

This example shows how to configure these port security features on an EX3200
switch, which is Switch 1 in this example. (You could also use an EX4200 switch for
this example.) Switch 1 is connected to a switch that is not configured with port
security features. That second switch (Switch 2) is connected to a DHCP server. (See
Figure 70 on page 1114. ) Network devices (hosts) that are connected to Switch 1 will
send requests for IP addresses (that is, the devices will be DHCP clients). Those
requests will be transmitted from Switch 1 to Switch 2 and then to the DHCP server
connected to Switch 2. Responses to the requests will be transmitted along the reverse
path of the one followed by the requests.
The setup for this example includes the VLAN employee-vlan on both switches.
Figure 70 on page 1114 shows the network topology for the example.
Figure 70: Network Topology for Port Security Setup with Two Switches on the Same
VLAN

The components of the topology for this example are shown in Table 149 on page
1114.
Table 149: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2

Property                           Setting
Switch hardware                    One EX3200-24P (Switch 1), and an additional EX Series switch (Switch 2)
VLAN name and ID                   employee-vlan, tag 20
VLAN subnets                       192.0.2.16/28 (192.0.2.17 through 192.0.2.30; 192.0.2.31 is the subnet's broadcast address)
Trunk interface on both switches   ge-0/0/11
Access interfaces on Switch 1      ge-0/0/1, ge-0/0/2, and ge-0/0/3
Access interface on Switch 2       ge-0/0/1
Interface for DHCP server          ge-0/0/1 on Switch 2

Switch 1 is initially configured with the default port security setup. In the default
configuration on the switch:

Secure port access is activated on the switch.

The switch does not drop any packets, which is the default setting.

DHCP snooping and dynamic ARP inspection (DAI) are disabled on all VLANs.

All access interfaces are untrusted and trunk interfaces are trusted; these are the
default settings.

In the configuration tasks for this example, you configure a VLAN on both switches.
In addition to configuring the VLAN, you enable DHCP snooping on Switch 1. In this
example, you will also enable DAI and a MAC limit of 5 on Switch 1.
Because the interface that connects Switch 2 to Switch 1 is a trunk interface, you do
not have to configure this interface to be trusted. As noted above, trunk interfaces
are automatically trusted, so DHCP messages coming from the DHCP server to Switch
2 and then on to Switch 1 are trusted. This trust covers every DHCP server reply that
arrives over the trunk, not only replies from the intended server: Switch 2 has no
port security configured, so a rogue DHCP server attached to Switch 2 would also be
accepted by Switch 1. Connect such a trunk only to infrastructure you control.

Configuring a VLAN, Interfaces, and Port Security Features on Switch 1


To configure a VLAN, interfaces, and port security features on Switch 1:
CLI Quick Configuration

To quickly configure a VLAN, interfaces, and port security features, copy the following
commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 5
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection
set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20
set vlans employee-vlan vlan-id 20

Step-by-Step Procedure

To configure MAC limiting, a VLAN, and interfaces on Switch 1 and enable DAI and
DHCP snooping on the VLAN:

1. Configure the VLAN employee-vlan with VLAN ID 20:

[edit vlans]
user@switch1# set employee-vlan vlan-id 20

2. Configure an interface on Switch 1 as a trunk interface:

[edit interfaces]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

3. Associate the VLAN with interfaces ge-0/0/1, ge-0/0/2, ge-0/0/3, and ge-0/0/11:

[edit interfaces]
user@switch1# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/2 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/3 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20

4. Enable DHCP snooping on the VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch1# set vlan employee-vlan examine-dhcp

5. Enable DAI on the VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch1# set vlan employee-vlan arp-inspection

6. Configure a MAC limit of 5 on ge-0/0/1 and use the default action, drop (packets
with new addresses are dropped once the limit has been reached):

[edit ethernet-switching-options secure-access-port]
user@switch1# set interface ge-0/0/1 mac-limit 5

Results

Display the results of the configuration:


[edit]
user@switch1# show
ethernet-switching-options {
secure-access-port {
interface ge-0/0/1.0 {
mac-limit 5 action drop;
}
vlan employee-vlan {
arp-inspection;
examine-dhcp;
}
}
}
interfaces {
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 20;
}
}
}
}
}
vlans {
employee-vlan {
vlan-id 20;
}
}

Configuring a VLAN and Interfaces on Switch 2


To configure the VLAN and interfaces on Switch 2:
CLI Quick Configuration

To quickly configure the VLAN and interfaces on Switch 2, copy the following
commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20
set vlans employee-vlan vlan-id 20

Step-by-Step Procedure

To configure the VLAN and interfaces on Switch 2:

1. Configure the VLAN employee-vlan with VLAN ID 20:

[edit vlans]
user@switch2# set employee-vlan vlan-id 20

2. Configure an interface on Switch 2 as a trunk interface:

[edit interfaces]
user@switch2# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

3. Associate the VLAN with interfaces ge-0/0/1 and ge-0/0/11:

[edit interfaces]
user@switch2# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20
user@switch2# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20
Results

Display the results of the configuration:


[edit]
user@switch2# show
interfaces {
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 20;
}
}
}
}
}
vlans {
employee-vlan {
vlan-id 20;
}
}

Verification
To confirm that the configuration is working properly:

Verifying That DHCP Snooping Is Working Correctly on Switch 1 on page 1119

Verifying That DAI Is Working Correctly on Switch 1 on page 1119

Verifying That MAC Limiting Is Working Correctly on Switch 1 on page 1119
Verifying That DHCP Snooping Is Working Correctly on Switch 1

Purpose

Verify that DHCP snooping is working on Switch 1.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface through which Switch 2
sends the DHCP server replies to clients connected to Switch 1 is trusted. The server
has provided the IP addresses and leases:
user@switch1> show dhcp snooping binding
DHCP Snooping Information:
MAC Address          IP Address     Lease   Type      VLAN            Interface
-----------------    -----------    -----   -------   -------------   ----------
00:05:85:3A:82:77    192.0.2.17     600     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:79    192.0.2.18     653     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:80    192.0.2.19     720     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:81    192.0.2.20     932     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:83    192.0.2.21     1230    dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:90    192.0.2.20     932     dynamic   employee-vlan   ge-0/0/2.0
00:05:85:3A:82:91    192.0.2.21     1230    dynamic   employee-vlan   ge-0/0/3.0

Meaning

The output shows, for each MAC address, the assigned IP address and lease time, that
is, the time, in seconds, remaining before the lease expires.

Verifying That DAI Is Working Correctly on Switch 1

Purpose

Verify that DAI is working on Switch 1.

Action

Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch1> show arp inspection statistics
ARP inspection statistics:
Interface        Packets received    ARP inspection pass    ARP inspection failed
---------------  ----------------    -------------------    ---------------------
ge-0/0/1.0                      7                      5                        2
ge-0/0/2.0                     10                     10                        0
ge-0/0/3.0                     18                     15                        3

Meaning

The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.

Verifying That MAC Limiting Is Working Correctly on Switch 1

Purpose

Verify that MAC limiting is working on Switch 1.

Action

Display the MAC addresses that are learned when DHCP requests are sent from hosts
on ge-0/0/1:
user@switch1> show ethernet-switching table
Ethernet-switching table: 6 entries, 5 learned
  VLAN               MAC address          Type    Age  Interfaces
  employee-vlan      00:05:85:3A:82:77    Learn     0  ge-0/0/1.0
  employee-vlan      00:05:85:3A:82:79    Learn     0  ge-0/0/1.0
  employee-vlan      00:05:85:3A:82:80    Learn     0  ge-0/0/1.0
  employee-vlan      00:05:85:3A:82:81    Learn     0  ge-0/0/1.0
  employee-vlan      00:05:85:3A:82:83    Learn     0  ge-0/0/1.0
  employee-vlan      *                    Flood     -  ge-0/0/1.0

Meaning

The sample output shows that five MAC addresses have been learned on interface
ge-0/0/1.0, which corresponds to the MAC limit of 5 set in the configuration. A sixth
address seen on that interface is not learned, because the limit has been reached and
the default action is drop. The final line, with an asterisk (*) in the MAC address
column and type Flood, is the VLAN's flood entry, not a learned host address.
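The learning behaviour that this verification and the earlier example (Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks) describe can be replayed in a small model. The following Python is an added example, not JUNOS code and not from this guide: it models an access interface with allowed-mac (ge-0/0/2.0, the five addresses configured above) and one with mac-limit 5 and the default action drop (ge-0/0/1.0). The class and function names are this example's own, and the extra MAC addresses fed to ge-0/0/1.0 are constructed, not taken from the page.

```python
"""Model of MAC learning on secure access interfaces with allowed-mac and mac-limit.

Added example; not JUNOS code. It models the behaviour described in the text:
with allowed-mac configured, only listed addresses are learned on the interface;
with mac-limit N and action drop, the (N+1)th distinct source address is dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class InterfacePolicy:
    """Per-interface settings from [edit ethernet-switching-options secure-access-port]."""
    allowed_mac: Set[str] = field(default_factory=set)  # empty set: no allowed-mac restriction
    mac_limit: Optional[int] = None                      # None: no mac-limit configured
    action: str = "drop"                                 # mac-limit action; drop is the default

    @staticmethod
    def allowed(*macs: str) -> "InterfacePolicy":
        return InterfacePolicy(allowed_mac={m.lower() for m in macs})


@dataclass
class SecureAccessVlan:
    """MAC cache for one VLAN, filled by frames arriving on access interfaces."""
    vlan: str
    policies: Dict[str, InterfacePolicy]
    learned: Dict[str, List[str]] = field(default_factory=dict)        # interface -> MACs
    dropped: List[Tuple[str, str, str]] = field(default_factory=list)  # (interface, mac, reason)

    def frame(self, interface: str, src_mac: str) -> str:
        """Process one frame; return 'learned', 'known' or 'dropped'."""
        mac = src_mac.lower()
        pol = self.policies.get(interface, InterfacePolicy())
        cache = self.learned.setdefault(interface, [])
        if mac in cache:
            return "known"
        if pol.allowed_mac and mac not in pol.allowed_mac:
            # allowed-mac: an address not in the list is never learned on this interface
            self.dropped.append((interface, mac, "not in allowed-mac"))
            return "dropped"
        if pol.mac_limit is not None and len(cache) >= pol.mac_limit:
            # mac-limit reached: with action drop, frames from new addresses are discarded
            self.dropped.append((interface, mac, f"mac-limit {pol.mac_limit} exceeded ({pol.action})"))
            return "dropped"
        cache.append(mac)
        return "learned"

    def show(self) -> str:
        """Render the cache roughly in the layout of 'show ethernet-switching table'."""
        rows = [(self.vlan, m, "Learn", "0", i) for i, macs in sorted(self.learned.items()) for m in macs]
        rows += [(self.vlan, "*", "Flood", "-", i) for i in sorted(self.learned)]  # flood entry per interface
        n_learned = len(rows) - len(self.learned)
        out = [f"Ethernet-switching table: {len(rows)} entries, {n_learned} learned",
               f"  {'VLAN':<16}{'MAC address':<20}{'Type':<8}{'Age':>4} Interfaces"]
        out += [f"  {v:<16}{m:<20}{t:<8}{a:>4} {i}" for v, m, t, a, i in rows]
        return "\n".join(out)


def demo() -> SecureAccessVlan:
    """Replay both scenarios: allowed-mac on ge-0/0/2.0 and mac-limit 5 on ge-0/0/1.0."""
    policies = {
        "ge-0/0/2.0": InterfacePolicy.allowed("00:05:85:3A:82:80", "00:05:85:3A:82:81",
                                              "00:05:85:3A:82:83", "00:05:85:3A:82:85",
                                              "00:05:85:3A:82:88"),
        "ge-0/0/1.0": InterfacePolicy(mac_limit=5),
    }
    vlan = SecureAccessVlan("employee-vlan", policies)
    # Constructed traffic: the five allowed addresses plus one that is not allowed on ge-0/0/2.0 ...
    for mac in ("00:05:85:3A:82:80", "00:05:85:3A:82:81", "00:05:85:3A:82:83",
                "00:05:85:3A:82:85", "00:05:85:3A:82:88", "00:05:85:3A:82:99"):
        vlan.frame("ge-0/0/2.0", mac)
    # ... and six distinct (constructed) addresses on ge-0/0/1.0, one more than the limit.
    for mac in ("00:05:85:3A:82:77", "00:05:85:3A:82:79", "00:05:85:3A:82:90",
                "00:05:85:3A:82:91", "00:05:85:3A:82:92", "00:05:85:3A:82:93"):
        vlan.frame("ge-0/0/1.0", mac)
    return vlan


if __name__ == "__main__":
    v = demo()
    print(v.show())
    for entry in v.dropped:
        print("dropped:", entry)
```

The model keeps one cache per interface so that the two policies can be compared side by side; a real switch keeps one table per VLAN, and an address that appears on two interfaces of the same VLAN is a MAC move, which this model does not cover.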

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Configuring Port Security (CLI Procedure) on page 1150

Configuring Port Security (J-Web Procedure) on page 1151

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of
source IP addresses or source MAC addresses. These spoofed packets are sent from
hosts connected to untrusted access interfaces on the switch. You can enable the IP
source guard port security feature on EX Series switches to mitigate the effects of
such attacks. If IP source guard determines that the source IP address and source
MAC address of an incoming packet do not match a valid binding, the switch does not
forward the packet.
You can use IP source guard in combination with other EX Series switch features to
mitigate address-spoofing attacks on untrusted access interfaces. This example shows
two configuration scenarios:

Requirements on page 1121

Overview and Topology on page 1121

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection on page 1122

Configuring IP Source Guard on a Guest VLAN on page 1124

Verification on page 1127

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.2 or later for EX Series switches

An EX4200-24P switch

A DHCP server to provide IP addresses to network devices on the switch

A RADIUS server to provide 802.1X authentication

Before you configure IP source guard for these scenarios, be sure you have:

Connected the DHCP server to the switch.

Connected the RADIUS server and configured user authentication on the RADIUS
server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series
Switch on page 883.

Configured the VLANs on the switch. See Example: Setting Up Bridging with
Multiple VLANs for EX Series Switches on page 490 for detailed information
about configuring VLANs.

Overview and Topology


IP source guard checks the IP source address and MAC source address in a packet
sent from a host attached to an untrusted access interface on the switch. If IP source
guard determines that the packet header contains an invalid source IP address or
source MAC address, it ensures that the switch does not forward the packet; that is,
the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP source
guard applies its checking rules to untrusted access interfaces on those VLANs. By
default, on EX Series switches, access interfaces are untrusted and trunk interfaces
are trusted. IP source guard does not check packets that have been sent to the switch
by devices connected to either trunk interfaces or trusted access interfaces, that is,
interfaces configured with dhcp-trusted so that a DHCP server can be connected to
that interface to provide dynamic IP addresses.
IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP
packets against the entries in that database.
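The lookups that DAI (see Verifying That DAI Is Working Correctly on Switch 1, above) and IP source guard perform against the DHCP snooping database can be modelled outside the switch. The following Python is an added example, not JUNOS code and not from this guide. The binding text is constructed in the layout of show dhcp snooping binding, using values from this chapter plus one static-ip entry; the function names, and the requirement that a binding was learned on the same interface the packet arrives on, are this example's assumptions rather than a statement about the switch's internals.

```python
"""DAI and IP source guard lookups against a DHCP snooping binding table.

Added example; not JUNOS code. It models the checks the text describes: an ARP
packet (DAI) or an IP packet (IP source guard) from an untrusted access interface
passes only if its source MAC and source IP match a binding for that VLAN; trusted
interfaces are not inspected; dynamic bindings expire with their lease, static-ip
bindings never do. The binding text below is constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample in the layout of 'show dhcp snooping binding'.
BINDING_OUTPUT = """\
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN            Interface
-----------------   -----------  -----  -------  -------------   ----------
00:05:85:3A:82:77   192.0.2.17   600    dynamic  employee-vlan   ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653    dynamic  employee-vlan   ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720    dynamic  employee-vlan   ge-0/0/1.0
00:11:11:11:11:11   11.1.1.1     -      static   employee        ge-0/0/0.0
"""

Key = Tuple[str, str]  # (vlan, mac)


@dataclass
class Binding:
    mac: str
    ip: str
    lease: Optional[int]  # seconds remaining; None for static entries
    vlan: str
    interface: str


def parse_bindings(text: str) -> Dict[Key, Binding]:
    """Parse the binding table; header and rule lines are skipped."""
    bindings: Dict[Key, Binding] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] not in ("dynamic", "static"):
            continue
        mac, ip, lease, kind, vlan, ifc = parts
        mac = mac.lower()
        bindings[(vlan, mac)] = Binding(mac, ip, None if kind == "static" else int(lease), vlan, ifc)
    return bindings


def age(bindings: Dict[Key, Binding], seconds: int) -> Dict[Key, Binding]:
    """Advance time: dynamic bindings whose lease has run out disappear; static ones stay."""
    kept: Dict[Key, Binding] = {}
    for key, b in bindings.items():
        if b.lease is None:
            kept[key] = b
        elif b.lease > seconds:
            kept[key] = Binding(b.mac, b.ip, b.lease - seconds, b.vlan, b.interface)
    return kept


def _lookup(bindings, vlan, interface, mac, ip, trusted):
    if trusted:
        return True, "trusted interface: not inspected"
    b = bindings.get((vlan, mac.lower()))
    if b is None:
        return False, f"no binding for {mac} in {vlan}"
    if b.ip != ip:
        return False, f"{ip} does not match binding {b.ip} for {mac}"
    if b.interface != interface:  # model assumption: binding must belong to the arrival interface
        return False, f"binding for {mac} was learned on {b.interface}, not {interface}"
    return True, "matches binding"


def dai_check(bindings, vlan, interface, sender_mac, sender_ip, trusted=False):
    """Dynamic ARP inspection: validate the ARP sender MAC/IP pair."""
    return _lookup(bindings, vlan, interface, sender_mac, sender_ip, trusted)


def ip_source_guard_check(bindings, vlan, interface, src_mac, src_ip, trusted=False):
    """IP source guard: validate the Ethernet source MAC and the IP source address."""
    return _lookup(bindings, vlan, interface, src_mac, src_ip, trusted)


if __name__ == "__main__":
    db = parse_bindings(BINDING_OUTPUT)
    # a legitimate host, a spoofed gateway claim, an unknown MAC, and a reply over the trusted trunk
    for args in [("employee-vlan", "ge-0/0/1.0", "00:05:85:3A:82:77", "192.0.2.17"),
                 ("employee-vlan", "ge-0/0/1.0", "00:05:85:3A:82:77", "192.0.2.1"),
                 ("employee-vlan", "ge-0/0/1.0", "00:05:85:3A:82:aa", "192.0.2.17"),
                 ("employee-vlan", "ge-0/0/11.0", "00:05:85:3A:82:aa", "192.0.2.1", True)]:
        print(dai_check(db, *args))
    print(ip_source_guard_check(db, "employee", "ge-0/0/0.0", "00:11:11:11:11:11", "11.1.1.1"))
```

The age() function is what makes the static-ip caveat concrete: after the leases shown run out, only the static binding (and any dynamic binding with time left) remains, so a host whose lease has expired fails both checks until it renews.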
The topology for this example includes an EX4200-24P switch, a connection to a
DHCP server, and a connection to a RADIUS server for user authentication.

NOTE: The 802.1X user authentication applied in this example is for single
supplicants. Single-secure supplicant mode and multiple supplicant mode do not
work with IP source guard. For more information about 802.1X authentication, see
Understanding 802.1X Authentication on EX Series Switches on page 867.

In the first example configuration, two clients (network devices) are connected to
an access switch. You configure IP source guard and 802.1X user authentication, in
combination with two access port security features: DHCP snooping and dynamic
ARP inspection (DAI). This setup is designed to protect the switch from IP attacks
such as ping of death attacks, DHCP starvation, and ARP spoofing.
In the second example configuration, the switch is configured for 802.1X user
authentication. If the client fails authentication, the switch redirects the client to a
guest VLAN that allows this client to access a set of restricted network features. You
configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.

NOTE: Control-plane rate limiting is achieved by restricting CPU control-plane
protection. It can be used in conjunction with storm control (see Understanding
Storm Control on EX Series Switches on page 475) to limit data-plane activity.

TIP: You can set the ip-source-guard flag in the traceoptions statement for debugging
purposes.

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic
ARP Inspection
CLI Quick Configuration

To quickly configure IP source guard with 802.1X authentication and with other
access port security features, copy the following commands and paste them into the
switch terminal window:
[edit]
set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted
set ethernet-switching-options secure-access-port vlan data examine-dhcp
set ethernet-switching-options secure-access-port vlan data arp-inspection
set ethernet-switching-options secure-access-port vlan data ip-source-guard
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members data
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members data
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data
set protocols lldp-med interface ge-0/0/0.0
set protocols dot1x authenticator authentication-profile-name profile52
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single
set protocols lldp-med interface ge-0/0/1.0
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single

Step-by-Step Procedure

To configure IP source guard with 802.1X authentication and various port security
features:

1. Configure the interface on which the DHCP server is connected to the switch as a
trusted interface and add that interface to the data VLAN:

[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data

2. Associate two interfaces with the data VLAN:

[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members data
user@switch# set ge-0/0/1 unit 0 family ethernet-switching vlan members data

3. Configure 802.1X user authentication and LLDP-MED on the two interfaces that you
associated with the data VLAN:

[edit protocols]
user@switch# set lldp-med interface ge-0/0/0.0
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/0.0 supplicant single
user@switch# set lldp-med interface ge-0/0/1.0
user@switch# set dot1x authenticator interface ge-0/0/1.0 supplicant single

4. Configure three access port security features (DHCP snooping, dynamic ARP
inspection (DAI), and IP source guard) on the data VLAN:

[edit ethernet-switching-options]
user@switch# set secure-access-port vlan data examine-dhcp
user@switch# set secure-access-port vlan data arp-inspection
user@switch# set secure-access-port vlan data ip-source-guard

Results

Check the results of the configuration:


[edit ethernet-switching-options]
secure-access-port {
interface ge-0/0/24.0 {
dhcp-trusted;
}
vlan data {
arp-inspection;
examine-dhcp;
ip-source-guard;
}
}
[edit interfaces]
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
[edit protocols]
lldp-med {
interface ge-0/0/0.0;
interface ge-0/0/1.0;
}
dot1x {
authenticator {
authentication-profile-name profile52;
interface {
ge-0/0/0.0 {
supplicant single;
}
ge-0/0/1.0 {
supplicant single;
}
}
}
}

Configuring IP Source Guard on a Guest VLAN


CLI Quick Configuration

To quickly configure IP source guard on a guest VLAN, copy the following commands
and paste them into the switch terminal window:
[edit]
set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members employee
set ethernet-switching-options secure-access-port vlan employee examine-dhcp
set ethernet-switching-options secure-access-port vlan employee ip-source-guard
set ethernet-switching-options secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee
set ethernet-switching-options secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set protocols dot1x authenticator authentication-profile-name profile52
set protocols dot1x authenticator interface ge-0/0/0 supplicant single
set protocols dot1x authenticator interface ge-0/0/0 guest-vlan employee
set protocols dot1x authenticator interface ge-0/0/0 supplicant-timeout 2
set protocols dot1x authenticator interface ge-0/0/1 supplicant single
set protocols dot1x authenticator interface ge-0/0/1 guest-vlan employee
set protocols dot1x authenticator interface ge-0/0/1 supplicant-timeout 2
set vlans employee vlan-id 100

Step-by-Step Procedure

To configure IP source guard on a guest VLAN:

1. Configure the interface on which the DHCP server is connected to the switch as a
trusted interface and add that interface to the employee VLAN:

[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members employee

2. Configure two interfaces for the access port mode:

[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/1 unit 0 family ethernet-switching port-mode access

3. Configure DHCP snooping and IP source guard on the employee VLAN:

[edit ethernet-switching-options]
user@switch# set secure-access-port vlan employee examine-dhcp
user@switch# set secure-access-port vlan employee ip-source-guard

4. Configure a static IP address on each of two interfaces on the employee VLAN
(optional):

[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee
user@switch# set secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee

5. Configure 802.1X user authentication, using the employee VLAN as the guest VLAN
for supplicants that fail authentication:

[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/0 supplicant single
user@switch# set dot1x authenticator interface ge-0/0/0 guest-vlan employee
user@switch# set dot1x authenticator interface ge-0/0/0 supplicant-timeout 2
user@switch# set dot1x authenticator interface ge-0/0/1 supplicant single
user@switch# set dot1x authenticator interface ge-0/0/1 guest-vlan employee
user@switch# set dot1x authenticator interface ge-0/0/1 supplicant-timeout 2

6. Set the VLAN ID for the employee VLAN:

[edit vlans]
user@switch# set employee vlan-id 100

Results

Check the results of the configuration:


[edit protocols]
dot1x {
authenticator {
authentication-profile-name profile52;
interface {
ge-0/0/0.0 {
guest-vlan employee;
supplicant single;
supplicant-timeout 2;
}
ge-0/0/1.0 {
guest-vlan employee;
supplicant single;
supplicant-timeout 2;
}
}
}
}
[edit vlans]
employee {
vlan-id 100;
}
[edit interfaces]
ge-0/0/0 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members employee;
}
}
}
}
[edit ethernet-switching-options]
secure-access-port {
interface ge-0/0/0.0 {
static-ip 11.1.1.1 vlan employee mac 00:11:11:11:11:11;
}
interface ge-0/0/1.0 {
static-ip 11.1.1.2 vlan employee mac 00:22:22:22:22:22;
}
interface ge-0/0/24.0 {
dhcp-trusted;
}
vlan employee {
examine-dhcp;
ip-source-guard;
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That 802.1X User Authentication Is Working on the Interface on page 1127

Verifying the VLAN Association with the Interface on page 1127

Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN on page 1128

Verifying That 802.1X User Authentication Is Working on the Interface

Purpose

Verify that the 802.1X configuration is working on the interface.

Action

Use the show dot1x interface command to view the 802.1X details.

Meaning

The Supplicant mode output field displays the configured administrative mode for
each interface.

Verifying the VLAN Association with the Interface


Purpose

Verify interface states and VLAN memberships.

Action

Use the show ethernet-switching interfaces command to view the Ethernet switching
table entries.

Meaning

The field VLAN members shows the associations between VLANs and interfaces. The
State field shows whether the interfaces are up or down.
For the guest VLAN configuration, the interface is associated with the guest VLAN if
and when the supplicant fails 802.1X user authentication.

Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN

Purpose

Verify that DHCP snooping and IP source guard are enabled and working on the
VLAN.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Use the show dhcp snooping binding command to display the DHCP snooping
information when the interface on which the DHCP server connects to the switch is
trusted. View the MAC addresses from which requests were sent and the IP addresses
and leases provided by the server.
Use the show ip-source-guard command to view IP source guard information for the
VLAN.

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output shows, for each MAC address, the assigned IP address and
lease time, that is, the time, in seconds, remaining before the lease expires. Static
IP addresses have no assigned lease time. Statically configured entries never expire.
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch
on page 919

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface
with a Voice VLAN on page 1128

Configuring IP Source Guard (CLI Procedure) on page 1173

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface
with a Voice VLAN
Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of
source IP addresses or source MAC addresses. These spoofed packets are sent from
hosts connected to untrusted access interfaces on the switch. You can enable the IP
source guard port security feature on EX Series switches to mitigate the effects of
such attacks. If IP source guard determines that the source IP address and source
MAC address in an incoming packet do not match a valid binding, the switch does
not forward the packet.


Chapter 56: Examples of Configuring Port Security

If two VLANs share an interface, you can configure IP source guard on just one of
the VLANs; in this example, you configure IP source guard on an untagged data VLAN
but not on the tagged voice VLAN. You can use 802.1X user authentication to validate
the device connections on the data VLAN.
This example describes how to configure IP source guard with 802.1X user
authentication on a data VLAN, with a voice VLAN on the same interface:

Requirements on page 1129

Overview and Topology on page 1129

Configuration on page 1130

Verification on page 1132

Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.2 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

A RADIUS server to provide 802.1X authentication

Before you configure IP source guard for the data VLANs, be sure you have:

Connected the DHCP server to the switch.

Connected the RADIUS server to the switch and configured user authentication
on the server. See Example: Connecting a RADIUS Server for 802.1X to an EX
Series Switch on page 883.

Configured the VLANs. See Example: Setting Up Bridging with Multiple VLANs
for EX Series Switches on page 490 for detailed information about configuring
VLANs.

Overview and Topology


IP source guard checks the IP source address and MAC source address in a packet
sent from a host attached to an untrusted access interface on the switch. If IP source
guard determines that the packet header contains an invalid source IP address or
source MAC address, it ensures that the switch does not forward the packet; that
is, the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP
source guard applies its checking rules to untrusted access interfaces on those VLANs.
By default, on EX Series switches, access interfaces are untrusted and trunk interfaces
are trusted. IP source guard does not check packets that have been sent to the switch
by devices connected to either trunk interfaces or trusted access interfaces, that is,
interfaces configured with dhcp-trusted so that a DHCP server can be connected to
that interface to provide dynamic IP addresses.


IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP
packets against the entries in that database.
The topology for this example includes one EX3200-24P switch, a PC and an IP
phone connected on the same interface, a connection to a DHCP server, and a
connection to a RADIUS server for user authentication.

NOTE: The 802.1X user authentication applied in this example is for single
supplicants. Single-secure supplicant mode and multiple supplicant mode do not
work with IP source guard. For more information about 802.1X authentication, see
Understanding 802.1X Authentication on EX Series Switches on page 867.

TIP: You can set the ip-source-guard flag in the traceoptions statement for debugging
purposes.
This example shows how to configure a static IP address to be added to the DHCP
snooping database.

Configuration
CLI Quick Configuration

To quickly configure IP source guard on a data VLAN, copy the following commands
and paste them into the switch terminal window:
set ethernet-switching-options voip interface ge-0/0/14.0 vlan voice
set ethernet-switching-options secure-access-port interface ge-0/0/24.0 dhcp-trusted
set ethernet-switching-options secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data
set ethernet-switching-options secure-access-port vlan data examine-dhcp
set ethernet-switching-options secure-access-port vlan data ip-source-guard
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data
set vlans voice vlan-id 100
set protocols lldp-med interface ge-0/0/14.0
set protocols dot1x authenticator authentication-profile-name profile52
set protocols dot1x authenticator interface ge-0/0/14.0 supplicant single

Step-by-Step Procedure

To configure IP source guard on the data VLAN:

1. Configure the VoIP interface:

[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/14.0 vlan voice

2. Configure the interface on which the DHCP server is connected to the switch
as a trusted interface and add that interface to the data VLAN:

[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24.0 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data

3. Configure a static IP address on an interface on the data VLAN (optional):

[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data

4. Configure DHCP snooping and IP source guard on the data VLAN:

[edit ethernet-switching-options]
user@switch# set secure-access-port vlan data examine-dhcp
user@switch# set secure-access-port vlan data ip-source-guard

5. Configure 802.1X user authentication and LLDP-MED on the interface that is
shared by the data VLAN and the voice VLAN:

[edit protocols]
user@switch# set lldp-med interface ge-0/0/14.0
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/14.0 supplicant single

6. Set the VLAN ID for the voice VLAN:

[edit vlans]
user@switch# set voice vlan-id 100

Results

Check the results of the configuration:


[edit ethernet-switching-options]
user@switch# show
voip {
interface ge-0/0/14.0 {
vlan voice;
}
}
secure-access-port {
interface ge-0/0/14.0 {
static-ip 11.1.1.1 vlan data mac 00:11:11:11:11:11;
}
interface ge-0/0/24.0 {
dhcp-trusted;
}
vlan data {
examine-dhcp;
ip-source-guard;
}
}
[edit interfaces]


ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
[edit vlans]
voice {
vlan-id 100;
}
[edit protocols]
lldp-med {
interface ge-0/0/14.0;
}
dot1x {
authenticator {
authentication-profile-name profile52;
interface {
ge-0/0/14.0 {
supplicant single;
}
}
}
}

TIP: If you wanted to configure IP source guard on the voice VLAN as well as on the
data VLAN, you would configure DHCP snooping and IP source guard exactly as you
did for the data VLAN. The configuration result for the voice VLAN under
secure-access-port would look like this:
secure-access-port {
vlan voice {
examine-dhcp;
ip-source-guard;
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That 802.1X User Authentication Is Working on the Interface on page 1133

Verifying the VLAN Association with the Interface on page 1133

Verifying That DHCP Snooping and IP Source Guard Are Working on the Data
VLAN on page 1134

Verifying That 802.1X User Authentication Is Working on the Interface

Purpose
Verify the 802.1X configuration on interface ge-0/0/14.

Action
Verify the 802.1X configuration with the operational mode command show dot1x
interface:

user@switch> show dot1x interface ge-0/0/14.0 detail
ge-0/0/14.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user100, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 506 seconds

Meaning
The Supplicant mode output field displays the configured administrative mode for
each interface. Interface ge-0/0/14.0 displays Single supplicant mode.

Verifying the VLAN Association with the Interface

Purpose
Display the interface state and VLAN membership.

Action
user@switch> show ethernet-switching interfaces
Ethernet-switching table: 0 entries, 0 learned
user@switch> show ethernet-switching interfaces
Interface     State   VLAN members   Blocking
ge-0/0/0.0    down    default        unblocked
ge-0/0/1.0    down    employee       unblocked
ge-0/0/2.0    down    employee       unblocked
ge-0/0/12.0   down    default        unblocked
ge-0/0/13.0   down    default        unblocked
ge-0/0/13.0   down    vlan100        unblocked
ge-0/0/14.0   up      voice          unblocked
                      data           unblocked
ge-0/0/17.0   down    employee       unblocked
ge-0/0/23.0   down    default        unblocked
ge-0/0/24.0   down    data           unblocked
                      employee       unblocked
                      vlan100        unblocked
                      voice          unblocked

Meaning
The field VLAN members shows that the ge-0/0/14.0 interface supports both the data
VLAN and the voice VLAN. The State field shows that the interface is up.

Verifying That 802.1X User Authentication Is Working on the Interface


Verifying That DHCP Snooping and IP Source Guard Are Working on the
Data VLAN

Purpose
Verify that DHCP snooping and IP source guard are enabled and working on the data
VLAN.

Action
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)   Type      VLAN       Interface
00:05:85:3A:82:77   192.0.2.17   600               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720               dynamic   employee   ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932               dynamic   employee   ge-0/0/2.0
00:30:48:92:A5:9D   10.10.10.7   720               dynamic   vlan100    ge-0/0/13.0
00:30:48:8D:01:3D   10.10.10.9   720               dynamic   data       ge-0/0/14.0
00:30:48:8D:01:5D   10.10.10.8   1230              dynamic   voice      ge-0/0/14.0
00:11:11:11:11:11   11.1.1.1                       static    data       ge-0/0/14.0
00:05:85:27:32:88   192.0.2.22                     static    employee   ge-0/0/17.0
00:05:85:27:32:89   192.0.2.23                     static    employee   ge-0/0/17.0
00:05:85:27:32:90   192.0.2.27                     static    employee   ge-0/0/17.0

View the IP source guard information for the data VLAN:

user@switch> show ip-source-guard
IP source guard information:
Interface     Tag   IP Address   MAC Address         VLAN
ge-0/0/13.0         10.10.10.7   00:30:48:92:A5:9D   vlan100
ge-0/0/14.0   0     10.10.10.9   00:30:48:8D:01:3D   data
ge-0/0/14.0   0     11.1.1.1     00:11:11:11:11:11   data
ge-0/0/13.0   100   *            *                   voice

Meaning
When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see the preceding sample output for show dhcp snooping binding)
shows, for each MAC address, the assigned IP address and lease time, that is, the
time, in seconds, remaining before the lease expires. Static IP addresses have no
assigned lease time. Statically configured entries never expire.
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.
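The checking rules and database layout described in this Meaning section and in the Overview and Topology section earlier, as an added Python model that is not Juniper code. The binding table is constructed from the sample show dhcp snooping binding output above; the class and method names are mine.

```python
"""Model of the IP source guard check described on this page.  Added example, not
Juniper code.  Bindings come from the DHCP snooping database (examine-dhcp) or from
static-ip entries; only packets arriving on untrusted access interfaces of VLANs with
ip-source-guard are checked, and they must match a binding exactly."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: str
    interface: str
    lease: Optional[int]  # seconds remaining; None for static entries (never expire)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    vlan: str
    interface: str


class IpSourceGuard:
    def __init__(self, isg_vlans: Iterable[str], dhcp_trusted: Iterable[str],
                 trunks: Iterable[str]) -> None:
        self.isg_vlans = set(isg_vlans)        # VLANs configured with ip-source-guard
        self.dhcp_trusted = set(dhcp_trusted)  # access interfaces set dhcp-trusted
        self.trunks = set(trunks)              # trunk interfaces are trusted by default
        self.bindings: Dict[Tuple[str, str, str], Binding] = {}

    @staticmethod
    def _key(mac: str, ip: str, vlan: str) -> Tuple[str, str, str]:
        return (mac.lower(), ip, vlan)

    def learn(self, b: Binding) -> None:
        """Record a dynamic (snooped) or static binding in the database."""
        self.bindings[self._key(b.mac, b.ip, b.vlan)] = b

    def age(self, seconds: int) -> None:
        """Advance time: dynamic leases count down and expire; static entries stay."""
        for key in list(self.bindings):
            b = self.bindings[key]
            if b.lease is not None:
                b.lease -= seconds
                if b.lease <= 0:
                    del self.bindings[key]

    def is_checked(self, interface: str, vlan: str) -> bool:
        """Checking applies only to untrusted access interfaces on enabled VLANs."""
        if interface in self.trunks or interface in self.dhcp_trusted:
            return False
        return vlan in self.isg_vlans

    def forward(self, pkt: Packet) -> bool:
        """True if the switch forwards the packet, False if IP source guard discards it."""
        if not self.is_checked(pkt.interface, pkt.vlan):
            return True
        b = self.bindings.get(self._key(pkt.src_mac, pkt.src_ip, pkt.vlan))
        return b is not None and b.interface == pkt.interface

    def database(self, interface_vlans: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
        """Rows in the shape of `show ip-source-guard`: (interface, ip, mac, vlan).  On an
        untrusted interface that has an enabled VLAN, a VLAN without ip-source-guard is
        listed with '*' in the IP Address and MAC Address fields."""
        rows: List[Tuple[str, str, str, str]] = []
        for iface, vlans in interface_vlans.items():
            if iface in self.trunks or iface in self.dhcp_trusted:
                continue
            if not any(v in self.isg_vlans for v in vlans):
                continue
            for vlan in vlans:
                if vlan in self.isg_vlans:
                    rows += [(iface, b.ip, b.mac, vlan) for b in self.bindings.values()
                             if b.interface == iface and b.vlan == vlan]
                else:
                    rows.append((iface, "*", "*", vlan))
        return rows


def build_example() -> IpSourceGuard:
    """Constructed from the sample output on this page: ge-0/0/24.0 is dhcp-trusted, the
    data VLAN has examine-dhcp and ip-source-guard, the voice VLAN has neither."""
    isg = IpSourceGuard(isg_vlans=["data"], dhcp_trusted=["ge-0/0/24.0"], trunks=[])
    isg.learn(Binding("00:30:48:8D:01:3D", "10.10.10.9", "data", "ge-0/0/14.0", 720))
    isg.learn(Binding("00:11:11:11:11:11", "11.1.1.1", "data", "ge-0/0/14.0", None))
    isg.learn(Binding("00:30:48:8D:01:5D", "10.10.10.8", "voice", "ge-0/0/14.0", 1230))
    return isg
```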
Related Topics

Example: Configuring IP Source Guard with Other EX Series Switch Features to
Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 1120

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch
on page 919

Configuring IP Source Guard (CLI Procedure) on page 1173

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent
Between Clients and a DHCP Server
You can use DHCP option 82, also known as the DHCP relay agent information
option, to help protect the EX Series switch against attacks such as spoofing (forging)
of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82
provides information about the network location of a DHCP client, and the DHCP
server uses this information to assign IP addresses or other parameters to the
client.
This example describes how to configure DHCP option 82 on a switch that is on the
same VLAN with the DHCP clients but on a different VLAN from the DHCP server;
the switch acts as a relay agent:

Requirements on page 1135

Overview and Topology on page 1136

Configuration on page 1137

Requirements
This example uses the following hardware and software components:

One EX4200-24P switch

JUNOS Release 9.3 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch


Before you configure DHCP option 82 on the switch, be sure you have:

Connected and configured the DHCP server.

NOTE: Your DHCP server must be configured to accept DHCP option 82. If it is not
configured for DHCP option 82, it does not use the DHCP option 82 information in
the requests sent to it when it formulates its reply messages.

Configured the employee VLAN on the switch and associated the interfaces on
which the clients connect to the switch with that VLAN. See Configuring VLANs
for EX Series Switches (CLI Procedure) on page 546.

Configured the corporate VLAN for the DHCP server.

Configured the switch as a BOOTP relay agent. See DHCP/BOOTP Relay for EX
Series Switches Overview on page 764.

Configured the routed VLAN interface (RVI) to allow the switch to relay packets
to the server and receive packets from the server. See Configuring Routed VLAN
Interfaces (CLI Procedure) on page 547.

Overview and Topology


If DHCP option 82 is enabled on the switch, then when a network device (a DHCP
client) that is connected to the switch on an untrusted interface sends a DHCP
request, the switch inserts information about the client's network location into the
packet header of that request. The switch then sends the request (in this setting, it
relays the request) to the DHCP server. The DHCP server reads the option 82
information in the packet header and uses it to assign the IP address or other
parameter to the client.
When option 82 is enabled on the switch, then this sequence of events occurs when
a DHCP client sends a DHCP request:

1. The switch receives the request and inserts the option 82 information in the
packet header.

2. The switch relays the request to the DHCP server.

3. The server uses the DHCP option 82 information to formulate its reply and sends
a response back to the switch. It does not alter the option 82 information.

4. The switch strips the option 82 information from the response packet.

5. The switch forwards the response packet to the client.

In this example, you configure option 82 on the EX Series switch. The switch is
configured as a BOOTP relay agent. The switch connects to the DHCP server through
the routed VLAN interface (RVI) that you configured. The switch and clients are
members of the employee VLAN. The DHCP server is a member of the corporate
VLAN.


Configuration
To configure DHCP option 82:
CLI Quick Configuration

To quickly configure DHCP option 82, copy the following commands and paste them
into the switch terminal window:
set forwarding-options helpers bootp dhcp-option82
set forwarding-options helpers bootp dhcp-option82 circuit-id prefix hostname
set forwarding-options helpers bootp dhcp-option82 circuit-id use-vlan-id
set forwarding-options helpers bootp dhcp-option82 remote-id
set forwarding-options helpers bootp dhcp-option82 remote-id prefix mac
set forwarding-options helpers bootp dhcp-option82 remote-id use-string employee-switch1
set forwarding-options helpers bootp dhcp-option82 vendor-id

Step-by-Step Procedure

To configure DHCP option 82:


1. Specify DHCP option 82 for the employee VLAN:

[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82

2. Configure a prefix for the circuit ID suboption (the prefix is always the hostname
of the switch):

[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 circuit-id prefix hostname

3. Specify that the circuit ID suboption value contains the VLAN ID rather than the
VLAN name (the default):

[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 circuit-id use-vlan-id

4. Specify that the remote ID suboption be included in the DHCP option 82
information:

[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id

5. Configure a prefix for the remote ID suboption (here, the prefix is the MAC
address of the switch):

[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id prefix mac

6. Specify that the remote ID suboption value contains a character string (here,
the string is employee-switch1):

[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id use-string employee-switch1

7. Configure a vendor ID suboption value, and use the default value. To use the
default value, do not type a character string after the vendor-id option keyword:

[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 vendor-id

Results

Check the results of the configuration:


[edit forwarding-options helpers bootp]
user@switch# show

dhcp-option82 {
circuit-id {
prefix hostname;
use-vlan-id;
}
remote-id {
prefix mac;
use-string employee-switch1;
}
vendor-id;
}
Related Topics

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay
Agent Between Clients and DHCP Server on page 1138

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients
and DHCP Server (CLI Procedure) on page 1160

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent
Between Clients and DHCP Server
You can use DHCP option 82, also known as the DHCP relay agent information
option, to help protect the EX Series switch against attacks such as spoofing (forging)
of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82
provides information about the network location of a DHCP client, and the DHCP
server uses this information to assign IP addresses or other parameters to the
client.
This example describes how to configure DHCP option 82 on a switch with DHCP
clients, DHCP server, and switch all on the same VLAN:


Requirements on page 1139

Overview and Topology on page 1139

Configuration on page 1140


Requirements
This example uses the following hardware and software components:

One EX3200-24P switch

JUNOS Release 9.3 or later for EX Series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure DHCP option 82 on the switch, be sure you have:

Connected and configured the DHCP server.

NOTE: Your DHCP server must be configured to accept DHCP option 82. If it is not
configured for DHCP option 82, it does not use the DHCP option 82 information in
the requests sent to it when it formulates its reply messages.

Configured the employee VLAN on the switch and associated the interfaces on
which the clients and the server connect to the switch with that VLAN. See
Configuring VLANs for EX Series Switches (CLI Procedure) on page 546.

Overview and Topology


If DHCP option 82 is enabled on the switch, then when a network device (a DHCP
client) that is connected to the switch on an untrusted interface sends a DHCP
request, the switch inserts information about the client's network location into the
packet header of that request. The switch then sends the request to the DHCP server.
The DHCP server reads the option 82 information in the packet header and uses it
to assign the IP address or other parameter to the client.
DHCP option 82 is enabled on an individual VLAN or on all VLANs on the switch.
When option 82 is enabled on the switch, then this sequence of events occurs when
a DHCP client sends a DHCP request:

1. The switch receives the request and inserts the option 82 information in the
packet header.

2. The switch forwards the request to the DHCP server.

3. The server uses the DHCP option 82 information to formulate its reply and sends
a response back to the switch. It does not alter the option 82 information.

4. The switch strips the option 82 information from the response packet.

5. The switch forwards the response packet to the client.

Figure 71 on page 1140 illustrates the topology for this example.


Figure 71: Network Topology for Configuring DHCP Option 82 on a Switch That Is on
the Same VLAN as the DHCP Clients and the DHCP Server

In this example, you configure DHCP option 82 on the EX Series switch. The switch
connects to the DHCP server on interface ge-0/0/8. The DHCP clients connect to the
switch on interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3. The switch, server, and clients
are all members of the employee VLAN.
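The five-step sequence above, which is the same in the relay-agent example, as an added Python example that is not Juniper code: the switch's insert and strip steps are implemented over a raw DHCP options field, with a constructed stand-in for the server. The option and suboption framing follows RFC 3046; the "prefix:value" text inside the circuit-ID and remote-ID suboptions mirrors this example's configuration but is an assumed layout, not the switch's exact wire format, and the hostname, VLAN ID and switch MAC are placeholders.

```python
"""DHCP option 82 (RFC 3046 relay agent information) handling for the five-step
sequence described on this page.  Added example, not Juniper code: the option and
suboption framing follows RFC 3046; the 'prefix:value' text inside the circuit-ID
and remote-ID suboptions is an assumed layout, not the switch's exact wire format."""
from typing import Dict, List, Tuple

Options = List[Tuple[int, bytes]]

OPTION_PAD, OPTION_END = 0, 255
OPTION_MSG_TYPE = 53           # 1 = DHCPDISCOVER, 2 = DHCPOFFER
OPTION_82 = 82                 # relay agent information
SUBOPT_CIRCUIT_ID = 1          # RFC 3046 section 3.1
SUBOPT_REMOTE_ID = 2           # RFC 3046 section 3.2


def parse_tlv(buf: bytes, stop_at_end: bool) -> Options:
    """Decode code/length/value triples.  The top-level options field uses PAD and
    END (stop_at_end=True); option 82 suboptions do not, so the whole value is read."""
    out: Options = []
    i = 0
    while i < len(buf):
        code = buf[i]
        if stop_at_end and code == OPTION_END:
            break
        if stop_at_end and code == OPTION_PAD:
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out.append((code, value))
        i += 2 + length
    return out


def encode_tlv(items: Options) -> bytes:
    for _, v in items:
        if len(v) > 255:
            raise ValueError("option value longer than 255 bytes")
    return b"".join(bytes([c, len(v)]) + v for c, v in items)


def build_options(items: Options) -> bytes:
    return encode_tlv(items) + bytes([OPTION_END])


def relay_agent_info(hostname: str, vlan_id: int, switch_mac: str, string: str) -> bytes:
    """Option 82 value for the configuration on this page: circuit-id = hostname
    prefix + VLAN ID (use-vlan-id); remote-id = switch MAC prefix + use-string."""
    return encode_tlv([(SUBOPT_CIRCUIT_ID, f"{hostname}:{vlan_id}".encode()),
                       (SUBOPT_REMOTE_ID, f"{switch_mac}:{string}".encode())])


def decode_relay_info(info: bytes) -> Dict[str, str]:
    names = {SUBOPT_CIRCUIT_ID: "circuit-id", SUBOPT_REMOTE_ID: "remote-id"}
    return {names.get(c, f"suboption-{c}"): v.decode("ascii", "replace")
            for c, v in parse_tlv(info, stop_at_end=False)}


def switch_insert(client_request: bytes, info: bytes) -> bytes:
    """Step 1: the switch appends option 82 to the request before it goes to the
    server (step 2)."""
    return build_options(parse_tlv(client_request, True) + [(OPTION_82, info)])


def server_reply(relayed_request: bytes) -> bytes:
    """Step 3 (constructed stand-in for the DHCP server): answer with a DHCPOFFER and
    echo option 82 exactly as received."""
    echoed = [(c, v) for c, v in parse_tlv(relayed_request, True) if c == OPTION_82]
    return build_options([(OPTION_MSG_TYPE, bytes([2]))] + echoed)


def switch_strip(reply: bytes) -> bytes:
    """Step 4: remove option 82 before the reply goes back to the client (step 5)."""
    return build_options([(c, v) for c, v in parse_tlv(reply, True) if c != OPTION_82])


def run_sequence() -> Dict[str, bytes]:
    """Walk the whole exchange with constructed values (hostname, VLAN ID and switch
    MAC are placeholders; the page does not give them)."""
    info = relay_agent_info("switch", 10, "02:00:00:00:00:01", "employee-switch1")
    request = build_options([(OPTION_MSG_TYPE, bytes([1]))])   # client DHCPDISCOVER
    relayed = switch_insert(request, info)
    reply = server_reply(relayed)
    forwarded = switch_strip(reply)
    return {"request": request, "relayed": relayed, "reply": reply, "forwarded": forwarded}
```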

Configuration
To configure DHCP option 82:
CLI Quick Configuration

To quickly configure DHCP option 82, copy the following commands and paste them
into the switch terminal window:
set ethernet-switching-options secure-access-port vlan employee dhcp-option82
set ethernet-switching-options secure-access-port vlan employee dhcp-option82 circuit-id prefix hostname
set ethernet-switching-options secure-access-port vlan employee dhcp-option82 circuit-id use-vlan-id
set ethernet-switching-options secure-access-port vlan employee dhcp-option82 remote-id
set ethernet-switching-options secure-access-port vlan employee dhcp-option82 remote-id prefix mac
set ethernet-switching-options secure-access-port vlan employee dhcp-option82 remote-id use-string employee-switch1
set ethernet-switching-options secure-access-port vlan employee dhcp-option82 vendor-id

Step-by-Step Procedure

To configure DHCP option 82:


1. Specify DHCP option 82 for the employee VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82

2. Configure a prefix for the circuit ID suboption (the prefix is always the hostname
of the switch):

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname

3. Specify that the circuit ID suboption value contains the VLAN ID rather than the
VLAN name (the default):

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id

4. Specify that the remote ID suboption be included in the DHCP option 82
information:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id

5. Configure a prefix for the remote ID suboption (here, the prefix is the MAC
address of the switch):

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id prefix mac

6. Specify that the remote ID suboption value contains a character string (here,
the string is employee-switch1):

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id use-string employee-switch1

7. Configure a vendor ID suboption value, and use the default value. To use the
default value, do not type a character string after the vendor-id option keyword:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 vendor-id

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show

vlan employee {
dhcp-option82 {


circuit-id {
prefix hostname;
use-vlan-id;
}
remote-id {
prefix mac;
use-string employee-switch1;
}
vendor-id;
}
}
Related Topics

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent
Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients
and DHCP Server (CLI Procedure) on page 1157

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

Example: Configuring Unrestricted Proxy ARP on an EX Series Switch


You can configure unrestricted proxy ARP on your switch to increase security by
forcing hosts to send and receive communications through the switch rather than
exchange communications directly.
This example shows how to configure unrestricted proxy ARP on an access switch:

Requirements on page 1142

Overview and Topology on page 1143

Configuration on page 1144

Verification on page 1146

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.6 or later for EX Series switches

One EX Series switch

Before you set up unrestricted proxy ARP, ensure that you have:

Configured the EX Series switch with two VLANs. See Example: Setting Up
Bridging with Multiple VLANs for EX Series Switches on page 490.

NOTE: You do not need to configure multiple VLANs to use unrestricted proxy ARP.
You can choose to configure unrestricted proxy ARP when only a single VLAN (the
default configuration) is being used on the switch. This example, however, uses two
VLANs to emphasize the fact that unrestricted proxy ARP applies globally on the
switch. Even when two VLANs are configured, setting a single interface within one
VLAN to use unrestricted proxy ARP automatically applies that setting to all interfaces
within both VLANs on the switch.

Overview and Topology


When you enable proxy ARP on an EX Series switch, it operates in unrestricted mode.
This is the only mode available and this setting applies globally to all interfaces on
the switch. Therefore, when proxy ARP is enabled, even hosts within the same VLAN
must send and receive communications through the switch.

NOTE: If you enable proxy ARP for one of the interfaces on the switch, this setting
applies to all the interfaces on the switch.
The topology for this example consists of one EX Series switch, which has been
configured with two VLANs. One VLAN, called sales, is for the sales and marketing
group, and a second, called engineering, is for the engineering development team.
The VLANs belong to different subnets.
When a host wants to communicate with another host, it broadcasts an ARP request
for the MAC address of the destination host:

When proxy ARP is not enabled, the host that owns the requested IP address replies
directly to the ARP request, providing its MAC address, and future transmissions
are sent directly to the destination host MAC address.

When unrestricted proxy ARP is enabled, the switch responds to all ARP requests,
providing the switch's MAC address, even when the destination IP address is
the same as the source IP address. Thus, all communications must be sent through
the switch and then routed through the switch to the appropriate destination.

This example includes disabling interfaces from responding to gratuitous ARP
requests. If you do not disable gratuitous ARP requests, the switch responds to all
ARP messages including gratuitous ARP requests. When a switch receives a gratuitous
ARP request, it might interpret that as an indication of an IP conflict.
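The two behaviours just described (no proxy ARP, and unrestricted proxy ARP with no-gratuitous-arp-request on selected interfaces), as an added Python model that is not Juniper code. The hosts, their addresses and the switch MAC are constructed; the interface and VLAN names follow Table 150.

```python
"""Switch-side handling of ARP requests for the two behaviours described above.  Added
example, not Juniper code.  Without proxy ARP the host that owns the requested address
answers; with unrestricted proxy ARP the switch answers every request with its own MAC
on every interface, except gratuitous requests on interfaces configured with
no-gratuitous-arp-request.  Hosts, addresses and the switch MAC are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpRequest:
    ingress: str       # interface the request arrived on, e.g. "ge-0/0/3"
    sender_ip: str
    sender_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous request asks for the sender's own address.
        return self.sender_ip == self.target_ip


@dataclass(frozen=True)
class ArpReply:
    answered_by: str   # "switch", or the interface of the host that replied
    mac: str           # MAC the requester will now use for target_ip


class Switch:
    def __init__(self, switch_mac: str) -> None:
        self.switch_mac = switch_mac
        self.proxy_arp = False                            # one global flag for the whole switch
        self.no_gratuitous_request: Set[str] = set()      # per-interface setting
        self.hosts: Dict[str, Tuple[str, str, str]] = {}  # ip -> (interface, mac, vlan)

    def attach(self, interface: str, vlan: str, ip: str, mac: str) -> None:
        self.hosts[ip] = (interface, mac, vlan)

    def set_proxy_arp(self, interface: str) -> None:
        """`set interfaces <name> unit 0 proxy-arp`: enabling it on any one interface
        turns unrestricted proxy ARP on for all interfaces of the switch."""
        self.proxy_arp = True

    def set_no_gratuitous_arp_request(self, interface: str) -> None:
        """`set interfaces <name> no-gratuitous-arp-request` (not a global setting)."""
        self.no_gratuitous_request.add(interface)

    def handle(self, req: ArpRequest) -> Optional[ArpReply]:
        """Return the reply the requester receives, or None if nobody answers."""
        if self.proxy_arp:
            if req.gratuitous and req.ingress in self.no_gratuitous_request:
                return None     # left unanswered, so it is not taken for an IP conflict
            return ArpReply("switch", self.switch_mac)
        # Proxy ARP off: the owner of target_ip replies directly if it is in the sender's
        # VLAN; a gratuitous request gets no reply when no other host owns the address.
        owner = self.hosts.get(req.target_ip)
        sender = self.hosts.get(req.sender_ip)
        if owner is None or sender is None or owner[2] != sender[2] or req.gratuitous:
            return None
        return ArpReply(owner[0], owner[1])


def build_example() -> Switch:
    """Table 150 topology with constructed host addresses inside the two subnets
    (MACs from the documentation range 00:00:5E:00:53:xx)."""
    sw = Switch("00:00:5e:00:53:01")
    sw.attach("ge-0/0/3", "sales", "192.0.2.10", "00:00:5e:00:53:10")
    sw.attach("ge-0/0/4", "sales", "192.0.2.11", "00:00:5e:00:53:11")
    sw.attach("ge-0/0/25", "engineering", "192.0.2.130", "00:00:5e:00:53:30")
    return sw
```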
Table 150 on page 1144 shows the components of this topology.


Table 150: Components of the Unrestricted Proxy ARP Switch

Property                         Settings
Switch hardware                  EX Series switch
VLAN names and tag IDs           sales, tag 100
                                 engineering, tag 200
VLAN subnets                     sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
                                 engineering: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)
Interfaces in VLAN sales         ge-0/0/3 through ge-0/0/21
Interfaces in VLAN engineering   ge-0/0/25 through ge-0/0/47

NOTE: By default, if you enable proxy ARP, it works in unrestricted mode and applies
globally to all the interfaces on the switch. You should disable gratuitous ARP requests
on all the interfaces. (Disabling gratuitous ARP is not a global setting.) To keep the
example simple, the configuration steps show how to disable gratuitous ARP requests
on only a few interfaces in each of the VLANs. Use the same configuration procedure
to configure more interfaces.

Configuration
Configure unrestricted proxy ARP:
CLI Quick Configuration

To quickly configure unrestricted proxy ARP, copy the following commands and
paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/3 unit 0 proxy-arp
set interfaces ge-0/0/3 no-gratuitous-arp-request
set interfaces ge-0/0/4 no-gratuitous-arp-request
set interfaces ge-0/0/5 no-gratuitous-arp-request
set interfaces ge-0/0/25 no-gratuitous-arp-request
set interfaces ge-0/0/26 no-gratuitous-arp-request
set interfaces ge-0/0/27 no-gratuitous-arp-request

Step-by-Step Procedure

Configure one interface for proxy ARP:


1.

Configure one interface for proxy ARP:


[edit interfaces]
user@switch# set ge-0/0/3 unit 0 proxy-arp

2.

Disable gratuitous ARP on all the interfaces in the sales VLAN:


[edit interfaces]
user@switch# set ge-0/0/3 no-gratuitous-arp-request
user@switch# set ge-0/0/4 no-gratuitous-arp-request

1144

Configuration

Chapter 56: Examples of Configuring Port Security

user@switch# set ge-0/0/5 no-gratuitous-arp-request

3.

Disable gratuitous ARP on all the interfaces in the engineering VLAN:


[edit interfaces]
user@switch# set ge-0/0/25 no-gratuitous-arp-request
user@switch# set ge-0/0/26 no-gratuitous-arp-request
user@switch# set ge-0/0/27 no-gratuitous-arp-request

Results

Display the results of the configuration:


user@switch> show configuration
interfaces {
ge-0/0/3 {
no-gratuitous-arp-request;
unit 0 {
description sales;
proxy-arp;
family ethernet-switching {
vlan {
members sales;
}
}
}
}
ge-0/0/4 {
no-gratuitous-arp-request;
unit 0 {
description sales;
family ethernet-switching {
vlan {
members sales;
}
}
}
}
ge-0/0/5 {
no-gratuitous-arp-request;
unit 0 {
description sales;
family ethernet-switching {
vlan {
members sales;
}
}
}
}
ge-0/0/25 {
no-gratuitous-arp-request;
unit 0 {
description engineering;
family ethernet-switching {
vlan {

members engineering;
}
}
}
}
ge-0/0/26 {
no-gratuitous-arp-request;
unit 0 {
description engineering;
family ethernet-switching {
vlan {
members engineering;
}
}
}
}
ge-0/0/27 {
no-gratuitous-arp-request;
unit 0 {
description engineering;
family ethernet-switching {
vlan {
members engineering;
}
}
}
}

Verification
Verify that the switch is sending proxy ARP messages:

Verifying That the Switch Is Sending Proxy ARP Messages: on page 1146

Verifying That the Switch Is Sending Proxy ARP Messages

Purpose: Verify that the switch is sending proxy ARP messages.

Action: List the system statistics for ARP messages:
user@switch> show system statistics arp
arp:
198319 datagrams received
45 ARP requests received
12 ARP replys received
2 resolution requests received
2 unrestricted proxy requests
0 restricted proxy requests
0 received proxy requests
0 proxy requests not proxied
0 restricted-proxy requests not proxied
0 with bogus interface
0 with incorrect length
0 for non-IP protocol
0 with unsupported op code
0 with bad protocol address length
0 with bad hardware address length
0 with multicast source address
0 with multicast target address
0 with my own hardware address
168705 for an address not on the interface
0 with a broadcast source address
0 with source address duplicate to mine
29555 which were not for me
0 packets discarded waiting for resolution
4 packets sent after waiting for resolution
27 ARP requests sent
47 ARP replys sent
0 requests for memory denied
0 requests dropped on entry
0 requests dropped during retry
0 requests dropped due to interface deletion
0 requests on unnumbered interfaces
0 new requests on unnumbered interfaces
0 replies for from unnumbered interfaces
0 requests on unnumbered interface with non-subnetted donor
0 replies from unnumbered interface with non-subnetted donor

Meaning: The statistics show that two unrestricted proxy requests were received, and
the 0 count for proxy requests not proxied indicates that every ARP request the switch
received for proxying was proxied by the switch.

Related Topics
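
The following Python snippet is an added example for this guide page, not code from
Juniper or from JUNOS, showing how the counters above can be read by a script instead
of by eye. SAMPLE_ARP_STATS is a constructed copy of the relevant lines of the
show system statistics arp output shown above; parse_arp_stats, counter_delta and
check_proxy_arp are names chosen for this example.

```python
import re

# Constructed sample: the counters from the verification step above, trimmed to the
# lines the check needs. The "replys" spelling is what the switch prints.
SAMPLE_ARP_STATS = """\
arp:
        198319 datagrams received
        45 ARP requests received
        12 ARP replys received
        2 resolution requests received
        2 unrestricted proxy requests
        0 restricted proxy requests
        0 received proxy requests
        0 proxy requests not proxied
        0 restricted-proxy requests not proxied
        27 ARP requests sent
        47 ARP replys sent
"""

COUNTER_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_arp_stats(text):
    """Map each '<count> <counter name>' line of the output to an integer."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def counter_delta(before, after):
    """Counters that changed between two snapshots. Take one snapshot before and one
    after a host in one VLAN sends an ARP request for a host in the other VLAN; the
    proxy counters should move, which is a stronger check than a single reading."""
    return {k: after.get(k, 0) - before.get(k, 0)
            for k in set(before) | set(after)
            if after.get(k, 0) != before.get(k, 0)}


def check_proxy_arp(stats):
    """Apply the reading the Meaning section makes by eye: proxy requests were seen,
    and none of them went unanswered. Returns (ok, list of findings)."""
    findings = []
    proxied = (stats.get("unrestricted proxy requests", 0)
               + stats.get("restricted proxy requests", 0))
    if proxied == 0:
        findings.append("no proxy requests counted: proxy ARP is not enabled on the "
                        "interface or no host has sent a request that needed proxying")
    unanswered = (stats.get("proxy requests not proxied", 0)
                  + stats.get("restricted-proxy requests not proxied", 0))
    if unanswered:
        findings.append(f"{unanswered} proxy request(s) were not proxied")
    return (not findings, findings)


if __name__ == "__main__":
    current = parse_arp_stats(SAMPLE_ARP_STATS)
    ok, findings = check_proxy_arp(current)
    print("proxy ARP check:", "OK" if ok else findings)
```

On a live switch, feed the function the text returned by show system statistics arp
and keep the previous snapshot so counter_delta can confirm the counters are still
moving.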

Configuring Unrestricted Proxy ARP (CLI Procedure) on page 1176

Understanding Proxy ARP for Port Security on EX Series Switches on page 1084


Chapter 57

Configuring Port Security

Configuring Port Security (CLI Procedure) on page 1150

Configuring Port Security (J-Web Procedure) on page 1151

Enabling DHCP Snooping (CLI Procedure) on page 1154

Enabling DHCP Snooping (J-Web Procedure) on page 1155

Enabling a Trusted DHCP Server (CLI Procedure) on page 1156

Enabling a Trusted DHCP Server (J-Web Procedure) on page 1156

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients
and DHCP Server (CLI Procedure) on page 1157

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients
and DHCP Server (CLI Procedure) on page 1160

Enabling Dynamic ARP Inspection (CLI Procedure) on page 1163

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 1164

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Configuring MAC Move Limiting (CLI Procedure) on page 1169

Configuring MAC Move Limiting (J-Web Procedure) on page 1171

Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure) on page 1172

Configuring IP Source Guard (CLI Procedure) on page 1173

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI
Procedure) on page 1175

Configuring Unrestricted Proxy ARP (CLI Procedure) on page 1176

Configuring Autorecovery From the Disabled State on Secure or Storm Control
Interfaces (CLI Procedure) on page 1177

Configuring Port Security (CLI Procedure)


Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial
of service (DoS) on network devices. Port security features such as DHCP snooping,
DAI (dynamic ARP inspection), MAC limiting, and MAC move limiting, as well as
trusted DHCP server, help protect the access ports on your EX Series switch against
the losses of information and productivity that can result from such attacks.
To configure port security features using the CLI:
1. Enable DHCP snooping:

On a specific VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default examine-dhcp

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all examine-dhcp

2. Enable DAI:

On a single VLAN (here, the VLAN is employee-vlan):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all arp-inspection

3. Limit the number of dynamic MAC addresses and specify the action to take if
the limit is exceeded; for example, set a MAC limit of 5 with an action of drop:

On a single interface (here, the interface is ge-0/0/1):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 5 action drop

On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5 action drop

4. Specify allowed MAC addresses:

On a single interface (here, the interface is ge-0/0/2):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83

On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all allowed-mac 00:05:85:3A:82:80
user@switch# set interface all allowed-mac 00:05:85:3A:82:81
user@switch# set interface all allowed-mac 00:05:85:3A:82:83

5. Limit the number of times a MAC address can move from its original interface
in one second; for example, set a MAC move limit of 5 with an action of drop
if the limit is exceeded:

On a single VLAN (here, the VLAN is employee-vlan):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5 action drop

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all mac-move-limit 5 action drop

6. Configure a trusted DHCP server on an interface (here, the interface is ge-0/0/8):

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted
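
The following Python model is an added illustration for this page, not code from
Juniper or from JUNOS. It shows how the per-interface mac-limit and allowed-mac
entries of steps 3 and 4 and the per-VLAN mac-move-limit of step 5 decide what
happens to each frame under the log, drop, shutdown and none actions. Interface
names, VLAN names, MAC addresses and timestamps in the usage are constructed; the
one-second move window follows the wording of step 5, and the choice that statically
allowed MACs do not consume the dynamic learning budget is an assumption of the model.

```python
from collections import defaultdict, deque


class PortSecurityModel:
    """Toy model of MAC limiting and MAC move limiting (illustration only, not JUNOS)."""

    def __init__(self, mac_limit=None, mac_limit_action="drop", allowed_macs=(),
                 mac_move_limit=None, mac_move_action="drop"):
        self.mac_limit = mac_limit                        # mac-limit <n> per interface
        self.mac_limit_action = mac_limit_action          # log | drop | shutdown | none
        self.allowed = {m.lower() for m in allowed_macs}  # allowed-mac entries (assumed
                                                          # not to count against the limit)
        self.mac_move_limit = mac_move_limit              # mac-move-limit <n> per VLAN,
                                                          # counted over one second
        self.mac_move_action = mac_move_action
        self.learned = defaultdict(set)   # interface -> dynamically learned MACs
        self.location = {}                # (vlan, mac) -> interface it was last seen on
        self.moves = defaultdict(deque)   # (vlan, mac) -> times of recent moves
        self.disabled = set()             # interfaces or VLANs shut down by an action
        self.log = []                     # what a system log entry would record

    def frame(self, interface, vlan, src_mac, t):
        """Process one ingress frame at time t (seconds); return 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if interface in self.disabled or vlan in self.disabled:
            return "drop"
        # MAC move limiting: count moves of this MAC between interfaces of the VLAN
        # inside a sliding one-second window.
        key = (vlan, src_mac)
        prev = self.location.get(key)
        if prev is not None and prev != interface and self.mac_move_limit is not None:
            window = self.moves[key]
            window.append(t)
            while window and t - window[0] >= 1.0:
                window.popleft()
            if len(window) > self.mac_move_limit:
                return self._apply(self.mac_move_action, vlan,
                                   f"MAC move limit exceeded by {src_mac}")
        self.location[key] = interface
        # MAC limiting: a statically allowed MAC is always forwarded; a new dynamic
        # MAC is learned only while the interface is under its limit.
        if src_mac in self.allowed:
            return "forward"
        known = self.learned[interface]
        if src_mac not in known:
            if self.mac_limit is not None and len(known) >= self.mac_limit:
                return self._apply(self.mac_limit_action, interface,
                                   f"MAC limit exceeded by {src_mac}")
            known.add(src_mac)
        return "forward"

    def _apply(self, action, scope, message):
        """Apply the configured action; scope is the interface or VLAN it affects."""
        if action == "none":
            return "forward"
        self.log.append(f"{scope}: {message} (action {action})")
        if action == "log":
            return "forward"
        if action == "shutdown":
            self.disabled.add(scope)
        return "drop"


if __name__ == "__main__":
    # Constructed walk-through: limit of 2 dynamic MACs, one allowed MAC, 2 moves/second.
    m = PortSecurityModel(mac_limit=2, allowed_macs=["00:05:85:3A:82:80"], mac_move_limit=2)
    for mac in ("00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:03"):
        print(mac, m.frame("ge-0/0/1", "employee-vlan", mac, 0.0))
    for entry in m.log:
        print(entry)
```

The model drops the third dynamic MAC on ge-0/0/1 while still forwarding the two
already learned and the allowed address, which is the behaviour the drop action in
step 3 is meant to give.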

Related Topics

Configuring Port Security (J-Web Procedure) on page 1151

Configuring Autorecovery From the Disabled State on Secure or Storm Control
Interfaces (CLI Procedure) on page 558

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series
Switch with Access to a DHCP Server Through a Second Switch on page 1112

Monitoring Port Security on page 1179

Port Security for EX Series Switches Overview on page 1063

Configuring Port Security (J-Web Procedure)


To configure port security on the EX Series switch using the J-Web interface:
1. From the Configure menu, select Security > Port Security.

The VLAN List table lists all the VLAN names, VLAN identifiers, port members,
and port security VLAN features.
The Interface List table lists all the ports and indicates whether security features
have been enabled on the ports.

2. Click one:

Edit: Click this option to modify the security features for the selected port
or VLAN.
Enter information as specified in Table 151 on page 1152 to modify Port
Security settings on VLANs.
Enter information as specified in Table 152 on page 1153 to modify Port
Security settings on interfaces.

Activate/Deactivate: Click this option to enable or disable security on the
switch.

Table 151: Port Security Settings on VLANs

Field: DHCP Snooping
Function: Allows the switch to monitor and control DHCP messages received from
untrusted devices connected to the switch. Builds and maintains a database of valid
IP address/MAC address bindings. (By default, access ports are untrusted and trunk
ports are trusted.)
Your Action: Select to enable DHCP snooping on a specified VLAN or all VLANs.

Field: ARP Inspection
Function: Uses information in the DHCP snooping database to validate ARP packets
on the LAN and protect against ARP cache poisoning.
Your Action: Select to enable ARP inspection on a specified VLAN or all VLANs.
(Configure any port on which you do not want ARP inspection to occur as a trusted
DHCP server port.)

Field: MAC Movement
Function: Specifies the number of times per second that a MAC address can move to
a new interface.
Your Action: Enter a number. The default is unlimited.

Field: MAC Movement Action
Function: Specifies the action to be taken if the MAC move limit is exceeded.
Your Action: Select one:
Log: Generate a system log entry, an SNMP trap, or an alarm.
Drop: Drop the packets and generate a system log entry, an SNMP trap, or an
alarm. (Default)
Shutdown: Shut down the VLAN and generate an alarm. You can mitigate the effect
of this option by configuring autorecovery from the disabled state and specifying
a disable timeout value. See Configuring Autorecovery From the Disabled State on
Secure or Storm Control Interfaces (CLI Procedure) on page 558.
None: No action to be taken.

Table 152: Port Security on Interfaces

Field: Trust DHCP
Function: Specifies trusting DHCP packets on the selected interface. By default,
trunk ports are dhcp-trusted.
Your Action: Select to enable DHCP trust.

Field: MAC Limit
Function: Specifies the number of MAC addresses that can be learned on a single
Layer 2 access port. This option is not valid for trunk ports.
Your Action: Enter a number.

Field: MAC Limit Action
Function: Specifies the action to be taken if the MAC limit is exceeded. This option
is not valid for trunk ports.
Your Action: Select one:
Log: Generate a system log entry, an SNMP trap, or an alarm.
Drop: Drop the packets and generate a system log entry, an SNMP trap, or an
alarm. (Default)
Shutdown: Shut down the interface and generate an alarm. You can mitigate the
effect of this option by configuring autorecovery from the disabled state and
specifying a disable timeout value. See Configuring Autorecovery From the Disabled
State on Secure or Storm Control Interfaces (CLI Procedure) on page 558.
None: No action to be taken.

Field: Allowed MAC List
Function: Specifies the MAC addresses that are allowed for the interface.
Your Action: To add a MAC address:
1. Click Add.
2. Enter the MAC address.
3. Click OK.

Related Topics

Configuring Port Security (CLI Procedure) on page 1150

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Monitoring Port Security on page 1179

Port Security for EX Series Switches Overview on page 1063

Enabling DHCP Snooping (CLI Procedure)


DHCP snooping allows the switch to monitor and control DHCP messages received
from untrusted devices connected to the EX Series switch. It builds and maintains a
database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping
database.
You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
To enable DHCP snooping on a VLAN or all VLANs by using the CLI:

On a specific VLAN (here, the VLAN is default):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default examine-dhcp

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all examine-dhcp

Related Topics

Enabling DHCP Snooping (J-Web Procedure) on page 1155

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series
Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 1105

Verifying That DHCP Snooping Is Working Correctly on page 1180

Monitoring Port Security on page 1179

Understanding DHCP Snooping for Port Security on EX Series Switches on page
1067

Enabling DHCP Snooping (J-Web Procedure)


DHCP snooping allows the EX Series switch to monitor and control DHCP messages
received from untrusted devices connected to the switch. It builds and maintains a
database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping
database.
You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
To enable DHCP snooping on one or more VLANs by using the J-Web interface:

1. Select Configure>Security>Port Security.

2. Select one or more VLANs from the VLAN list.

3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.

4. Select the Enable DHCP Snooping on VLAN check box and then click OK.

5. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics

Enabling DHCP Snooping (CLI Procedure) on page 1154

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series
Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 1105

Verifying That DHCP Snooping Is Working Correctly on page 1180

Monitoring Port Security on page 1179

Understanding DHCP Snooping for Port Security on EX Series Switches on page
1067


Enabling a Trusted DHCP Server (CLI Procedure)


You can configure any interface on the EX Series switch that connects to a DHCP
server as a trusted interface (port). Configuring a DHCP server on a trusted interface
protects against rogue DHCP servers sending leases.
You configure a trusted DHCP server on an interface, not on a VLAN. By default, all
access interfaces are untrusted and all trunk interfaces are trusted.
To configure a trusted interface for a DHCP server by using the CLI (here, the interface
is ge-0/0/8):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted

Related Topics

Enabling a Trusted DHCP Server (J-Web Procedure) on page 1156

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 1098

Verifying That a Trusted DHCP Server Is Working Correctly on page 1181

Monitoring Port Security on page 1179

Understanding Trusted DHCP Servers for Port Security on EX Series Switches
on page 1078

Enabling a Trusted DHCP Server (J-Web Procedure)


You can configure any interface on the EX Series switch that connects to a DHCP
server as a trusted interface (port). Configuring a DHCP server on a trusted interface
protects against rogue DHCP servers sending leases.
You configure a trusted DHCP server on an interface, not on a VLAN. By default, all
access interfaces are untrusted and all trunk interfaces are trusted.
To enable a trusted DHCP server on one or more interfaces by using the J-Web
interface:

1. Select Configure>Security>Port Security.

2. Select one or more interfaces from the Port list.

3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.

4. Select the Trust DHCP check box and then click OK.

5. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics

Enabling a Trusted DHCP Server (CLI Procedure) on page 1156

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 1098

Verifying That a Trusted DHCP Server Is Working Correctly on page 1181

Monitoring Port Security on page 1179

Understanding Trusted DHCP Servers for Port Security on EX Series Switches
on page 1078

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients
and DHCP Server (CLI Procedure)
You can use DHCP option 82, also known as the DHCP relay agent information
option, to help protect the EX Series switch against attacks such as spoofing (forging)
of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82
provides information about the network location of a DHCP client, and the DHCP
server uses this information to implement IP addresses or other parameters for the
client.
You can configure the DHCP option 82 feature in two topologies:

The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch
forwards the clients' requests to the server and forwards the server's replies to
the clients. This topic describes this configuration.

The switch functions as a relay agent when the DHCP clients or the DHCP server
is connected to the switch through a Layer 3 interface. On the switch, these
interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays
the clients' requests to the server and then forwards the server's replies to the
clients. This configuration is described in Setting Up DHCP Option 82 with the
Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on
page 1160.

Before you configure DHCP option 82 on the switch, perform these tasks:

Connect and configure the DHCP server.

NOTE: Your DHCP server must be configured to accept DHCP option 82. If the server
is not configured for DHCP option 82, the server does not use the DHCP option 82
information in the requests sent to it when it formulates its reply messages.

Configure a VLAN on the switch and associate the interfaces on which the clients
and the server connect to the switch with that VLAN.

To configure DHCP option 82:

NOTE: Replace values displayed in italics with values for your configuration.

1. Specify DHCP option 82 for all VLANs associated with the switch or for a specified
VLAN. (You can also configure the feature for a VLAN range.)

On a specific VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all dhcp-option82

The remaining steps are optional.

2. To configure a prefix for the circuit ID suboption (the prefix is always the
hostname of the switch):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname

3. To specify that the circuit ID suboption value contains the interface description
rather than the interface name (the default):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id use-interface-description

4. To specify that the circuit ID suboption value contains the VLAN ID rather than
the VLAN name (the default):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id

5. To specify that the remote ID suboption is included in the DHCP option 82
information:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id

6. To configure a prefix for the remote ID suboption (here, the prefix is the MAC
address of the switch):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id prefix mac

7. To specify that the prefix for the remote ID suboption is the hostname of the
switch rather than the MAC address of the switch (the default):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id prefix hostname

8. To specify that the remote ID suboption value contains the interface description:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id use-interface-description

9. To specify that the remote ID suboption value contains a character string:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id use-string mystring

10. To configure a vendor ID suboption and use the default value (the default value
is Juniper), do not type a character string after the vendor-id option keyword:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 vendor-id

11. To specify that the vendor ID suboption value contains a character string value
that you specify rather than Juniper (the default):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 vendor-id mystring

To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
Related Topics

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay
Agent Between Clients and DHCP Server on page 1138

Understanding DHCP Option 82 for Port Security on EX Series Switches on page
1078

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and
DHCP Server (CLI Procedure)
You can use DHCP option 82, also known as the DHCP relay agent information
option, to help protect the EX Series switch against attacks such as spoofing (forging)
of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82
provides information about the network location of a DHCP client, and the DHCP
server uses this information to implement IP addresses or other parameters for the
client.
You can configure the DHCP option 82 feature in two topologies:

The switch functions as a relay agent when the DHCP clients or the DHCP server
is connected to the switch through a Layer 3 interface. On the switch, these
interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays
the clients' requests to the server and then forwards the server's replies to the
clients. This topic describes this configuration.

The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch
forwards the clients' requests to the server and forwards the server's replies to
the clients. This configuration is described in Setting Up DHCP Option 82 on
the Switch with No Relay Agent Between Clients and DHCP Server (CLI
Procedure) on page 1157.

Before you configure DHCP option 82 on the switch, perform these tasks:

Connect and configure the DHCP server.

NOTE: Your DHCP server must be configured to accept DHCP option 82. If the server
is not configured for DHCP option 82, the server does not use the DHCP option 82
information in the requests sent to it when it formulates its reply messages.

Configure the VLAN on the switch and associate the interfaces on which the
clients connect to the switch with that VLAN.

Configure the routed VLAN interface (RVI) to allow the switch to relay packets
to the server and receive packets from the server. See Configuring Routed VLAN
Interfaces (CLI Procedure) on page 547.

Configure the switch as a BOOTP relay agent. See DHCP/BOOTP Relay for EX
Series Switches Overview on page 764.

To configure DHCP option 82:

NOTE: Replace values displayed in italics with values for your configuration.

1. Specify DHCP option 82 for the BOOTP server:

On all interfaces that connect to the server:
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82

On a specific interface that connects to the server:
[edit forwarding-options helpers bootp]
user@switch# set interface ge-0/0/10 dhcp-option82

The remaining steps are optional. They show configurations for all interfaces;
include the specific interface designation to configure any of the following
options on a specific interface:

2. To configure a prefix for the circuit ID suboption (the prefix is always the
hostname of the switch):
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 circuit-id prefix hostname

3. To specify that the circuit ID suboption value contains the interface description
rather than the interface name (the default):
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 circuit-id use-interface-description

4. To specify that the circuit ID suboption value contains the VLAN ID rather than
the VLAN name (the default):
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 circuit-id use-vlan-id

5. To specify that the remote ID suboption is included in the DHCP option 82
information:
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id

6. To configure a prefix for the remote ID suboption (here, the prefix is the MAC
address of the switch):
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id prefix mac

7. To specify that the prefix for the remote ID suboption is the hostname of the
switch rather than the MAC address of the switch (the default):
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id prefix hostname

8. To specify that the remote ID suboption value contains the interface description:
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id use-interface-description

9. To specify that the remote ID suboption value contains a character string:
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 remote-id use-string mystring

10. To configure a vendor ID suboption and use the default value (the default value
is Juniper), do not type a character string after the vendor-id option keyword:
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 vendor-id

11. To specify that the vendor ID suboption value contains a character string value
that you specify rather than Juniper (the default):
[edit forwarding-options helpers bootp]
user@switch# set dhcp-option82 vendor-id mystring

To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
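
The following Python code is an added example for this page, not code from Juniper
or from JUNOS. It serves both option 82 procedures, the one with no relay agent and
the one with the switch as relay agent, by showing what the circuit ID and remote ID
suboptions the steps above configure look like once they are carried in a DHCP
packet, and how a receiving side should parse them defensively. The sub-option codes
1 (Agent Circuit ID) and 2 (Agent Remote ID) come from RFC 3046, which the Related
Topics cite; joining the fields of a value with ':' is an assumption made for this
example, the vendor ID suboption is left out because its code is not given on the
page, and all hostnames, interface names, descriptions and MAC addresses are
constructed.

```python
import struct

OPTION_82 = 82
SUB_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID
SUB_REMOTE_ID = 2    # RFC 3046 Agent Remote ID


def circuit_id(hostname, interface, interface_description, vlan_name, vlan_id,
               prefix_hostname=False, use_interface_description=False,
               use_vlan_id=False):
    """Compose the circuit ID value for the circuit-id knobs in steps 2 to 4.
    The ':' separator between fields is an assumption of this example."""
    fields = [hostname] if prefix_hostname else []
    fields.append(interface_description if use_interface_description else interface)
    fields.append(str(vlan_id) if use_vlan_id else vlan_name)
    return ":".join(fields)


def remote_id(switch_mac, hostname, interface_description=None, string=None,
              prefix_hostname=False):
    """Compose the remote ID value for steps 5 to 9: the switch MAC (default) or the
    hostname as prefix, followed by a fixed string or the interface description."""
    fields = [hostname if prefix_hostname else switch_mac]
    if string is not None:
        fields.append(string)
    elif interface_description is not None:
        fields.append(interface_description)
    return ":".join(fields)


def encode_option82(circuit=None, remote=None):
    """Serialize option 82 and its sub-options as carried in a DHCP packet."""
    body = b""
    for code, value in ((SUB_CIRCUIT_ID, circuit), (SUB_REMOTE_ID, remote)):
        if value is None:
            continue
        data = value.encode()
        if len(data) > 255:
            raise ValueError("sub-option value longer than 255 bytes")
        body += struct.pack("BB", code, len(data)) + data
    if len(body) > 255:
        raise ValueError("option 82 longer than 255 bytes")
    return struct.pack("BB", OPTION_82, len(body)) + body


def decode_option82(blob):
    """Parse option 82 bytes into {sub-option code: bytes}. Every length field is
    checked against the enclosing length so a malformed option from an untrusted
    client cannot make the parser read past the buffer."""
    if len(blob) < 2:
        raise ValueError("option too short")
    code, length = blob[0], blob[1]
    if code != OPTION_82 or len(blob) != 2 + length:
        raise ValueError("not a well-formed option 82")
    subs, i, end = {}, 2, 2 + length
    while i < end:
        if i + 2 > end:
            raise ValueError("truncated sub-option header")
        sub_code, sub_len = blob[i], blob[i + 1]
        if i + 2 + sub_len > end:
            raise ValueError("sub-option overruns option")
        subs[sub_code] = blob[i + 2:i + 2 + sub_len]
        i += 2 + sub_len
    return subs


if __name__ == "__main__":
    # Constructed values: hostname prefix on, interface name and VLAN name (defaults).
    cid = circuit_id("switch1", "ge-0/0/3.0", "sales-desk", "employee", 100,
                     prefix_hostname=True)
    rid = remote_id("00:05:85:3a:82:80", "switch1")
    blob = encode_option82(cid, rid)
    print(blob.hex())
    print({k: v.decode() for k, v in decode_option82(blob).items()})
```

A DHCP server that acts on option 82 should treat the decoded values as attacker
influenced text from the client side of the relay and match them against its own
list of known switches and ports rather than trusting them as-is.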
Related Topics

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent
Between Clients and a DHCP Server on page 1135

[edit forwarding-options] Configuration Statement Hierarchy on page 44

Understanding DHCP Option 82 for Port Security on EX Series Switches on page
1078

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

Enabling Dynamic ARP Inspection (CLI Procedure)


Dynamic ARP inspection (DAI) protects EX Series switches against ARP spoofing.
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping
database on the switch to validate ARP packets and to protect against ARP cache
poisoning.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is
disabled for all VLANs.
To enable dynamic ARP inspection (DAI) on a VLAN or all VLANs using the CLI:

On a single VLAN (here, the VLAN is employee-vlan):


[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all arp-inspection
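
The following Python model is an added example for this page, not code from Juniper
or from JUNOS. It ties together the three CLI procedures above, Enabling DHCP
Snooping, Enabling a Trusted DHCP Server, and Enabling Dynamic ARP Inspection, in
one VLAN: server messages are accepted only on a dhcp-trusted interface, an ACK on
such an interface creates an IP-MAC binding for the client port that asked for it, and
an ARP packet from an untrusted port is forwarded only if its sender IP and MAC match
that binding. Interface names, MAC addresses and IP addresses in the usage are
constructed, and the class and method names are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopedVlan:
    """Toy model of one VLAN with examine-dhcp and arp-inspection enabled
    (illustration only, not JUNOS)."""
    trusted: set = field(default_factory=set)     # interfaces configured dhcp-trusted
    pending: dict = field(default_factory=dict)   # client MAC -> interface it requested on
    bindings: dict = field(default_factory=dict)  # IP -> (client MAC, client interface)
    events: list = field(default_factory=list)    # what a system log would record

    def client_message(self, interface, client_mac):
        """DHCP DISCOVER or REQUEST from a client: remember which port it came in on."""
        self.pending[client_mac.lower()] = interface

    def server_message(self, interface, msg_type, client_mac, yiaddr):
        """DHCP OFFER or ACK claiming to come from a server. Only trusted ports may
        carry server messages; an ACK on a trusted port creates an IP-MAC binding.
        Returns True if the message is forwarded to the client, False if dropped."""
        if interface not in self.trusted:
            # A DHCP server answering on an untrusted access port is treated as rogue.
            self.events.append(f"dropped DHCP {msg_type} from untrusted {interface}")
            return False
        mac = client_mac.lower()
        if msg_type == "ACK":
            self.bindings[yiaddr] = (mac, self.pending.get(mac))
        return True

    def arp_packet(self, interface, sender_mac, sender_ip):
        """DAI: forward an ARP packet from an untrusted port only if its sender IP and
        MAC match a binding learned on that same port. Trusted ports are not inspected."""
        if interface in self.trusted:
            return True
        bound = self.bindings.get(sender_ip)
        if bound != (sender_mac.lower(), interface):
            self.events.append(f"DAI dropped ARP on {interface}: "
                               f"{sender_ip} is not bound to {sender_mac}")
            return False
        return True


if __name__ == "__main__":
    # Constructed walk-through: server on ge-0/0/8 (trusted), client on ge-0/0/1.
    vlan = SnoopedVlan(trusted={"ge-0/0/8"})
    vlan.client_message("ge-0/0/1", "00:11:22:33:44:55")
    vlan.server_message("ge-0/0/8", "ACK", "00:11:22:33:44:55", "192.0.2.10")
    print("binding:", vlan.bindings)
    print("legitimate ARP:", vlan.arp_packet("ge-0/0/1", "00:11:22:33:44:55", "192.0.2.10"))
    print("ARP claiming that IP from another port:",
          vlan.arp_packet("ge-0/0/2", "00:aa:bb:cc:dd:ee", "192.0.2.10"))
    for entry in vlan.events:
        print(entry)
```

The events list is the part worth wiring to monitoring: a DAI drop or a dropped
server message on an access port is the signal the Verifying topics in the Related
Topics below look for.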

Related Topics

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 1164

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 1105

Verifying That DAI Is Working Correctly on page 1182

Monitoring Port Security on page 1179

Understanding DAI for Port Security on EX Series Switches on page 1074


Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Enabling Dynamic ARP Inspection (J-Web Procedure)


Dynamic ARP inspection (DAI) protects EX Series switches against ARP spoofing.
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping
database on the switch to validate ARP packets and to protect against ARP cache
poisoning.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is
disabled for all VLANs.
To enable DAI on one or more VLANs by using the J-Web interface:

1. Select Configure>Security>Port Security.

2. Select one or more VLANs from the VLAN list.

3. Click the Edit button. If a message appears asking if you want to enable port security, click Yes.

4. Select the Enable ARP Inspection on VLAN check box and then click OK.

5. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics


Enabling Dynamic ARP Inspection (CLI Procedure) on page 1163

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 1105

Verifying That DAI Is Working Correctly on page 1182

Monitoring Port Security on page 1179

Understanding DAI for Port Security on EX Series Switches on page 1074


Configuring MAC Limiting (CLI Procedure)


MAC limiting protects against flooding of the Ethernet switching table on the EX
Series switch. MAC limiting sets a limit on the number of MAC addresses that can
be learned on a single Layer 2 access interface (port).
JUNOS Software provides two MAC limiting methods:

Maximum number of dynamic MAC addresses allowed per interface: When the limit is exceeded, incoming packets with new MAC addresses are dropped.

Specific allowed MAC addresses for the access interface: Any MAC address that is not in the list of configured addresses is not learned and the switch logs the message.

NOTE: If you do not want the switch to log messages received for invalid MAC
addresses on an interface that has been configured for specific allowed MAC
addresses, you can disable the logging by configuring the no-allowed-mac-log statement.

You configure MAC limiting per interface, not per VLAN. You can specify the
maximum number of dynamic MAC addresses that can be learned on a single Layer
2 access interface or on all Layer 2 access interfaces.
You can choose to have one of the following actions performed when the limit of MAC addresses is exceeded:

drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry. This is the default.

log: Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

none: Take no action.

shutdown: Disable the interface and generate an alarm. If you have configured the switch with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.
To configure MAC limiting on a specific interface or on all interfaces, using the CLI:

1. For limiting the number of dynamic MAC addresses, set a MAC limit of 5. The action is not specified, so the switch performs the default action drop if the limit is exceeded:

On a single interface (here, the interface is ge-0/0/1):

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 5


On all interfaces:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5

2. For specifying specific allowed MAC addresses:

On a single interface (here, the interface is ge-0/0/2):

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83

On all interfaces:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface all allowed-mac 00:05:85:3A:82:80
user@switch# set interface all allowed-mac 00:05:85:3A:82:81
user@switch# set interface all allowed-mac 00:05:85:3A:82:83

Related Topics


Configuring MAC Limiting (J-Web Procedure) on page 1167

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 1094

Verifying That MAC Limiting Is Working Correctly on page 1183

Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 1172

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 1076

no-allowed-mac-log


Configuring MAC Limiting (J-Web Procedure)


MAC limiting protects against flooding of the Ethernet switching table on an EX Series
switch. MAC limiting sets a limit on the number of MAC addresses that can be learned
on a single Layer 2 access interface (port).
JUNOS Software provides two MAC limiting methods:

Maximum number of dynamic MAC addresses allowed per interface: If the limit is exceeded, incoming packets with new MAC addresses are dropped.

Specific allowed MAC addresses for the access interface: Any MAC address that is not in the list of configured addresses is not learned.

You configure MAC limiting for each interface, not for each VLAN. You can specify the maximum number of dynamic MAC addresses that can be learned on a single Layer 2 access interface or on all Layer 2 access interfaces. The default action that the switch will take if that maximum number is exceeded is drop: drop the packet and generate an alarm, an SNMP trap, or a system log entry.
To enable MAC limiting on one or more interfaces using the J-Web interface:

1. Select Configure>Security>Port Security.

2. Select one or more interfaces from the Interface List.

3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.

4. To set a dynamic MAC limit:

   1. Type a limit value in the MAC Limit box.

   2. Select an action from the MAC Limit Action box (optional). The switch takes this action when the MAC limit is exceeded. If you do not select an action, the switch applies the default action, drop.

      Log: Generate a system log entry, an SNMP trap, or an alarm.

      Drop: Drop the packets and generate a system log entry, an SNMP trap, or an alarm. (Default)

      Shutdown: Shut down the VLAN and generate an alarm. You can mitigate the effect of this option by configuring the switch for autorecovery from the disabled state and specifying a disable timeout value. See Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558. If you have not configured autorecovery from the disabled state, you can bring up the interfaces by running the clear ethernet-switching port-error command.

      None: No action to be taken.

5. To add allowed MAC addresses:

   1. Click Add.

   2. Type the allowed MAC address and click OK.


   Repeat this step to add more allowed MAC addresses.

6. Click OK when you have finished setting MAC limits.

7. Click OK after the configuration has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), a message asking whether you want to enable port security appears.
Related Topics


Configuring MAC Limiting (CLI Procedure) on page 1165

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 1109

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 1094

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 1101

Verifying That MAC Limiting Is Working Correctly on page 1183

Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 1172

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 1076


Configuring MAC Move Limiting (CLI Procedure)


MAC move limiting detects MAC address movement and MAC address spoofing on
access ports. MAC address movements are tracked, and if a MAC address moves
more than the configured number of times within one second, the configured (or
default) action is performed. You enable this feature on VLANs.

NOTE: Although you enable this feature on VLANs, the MAC move limitation pertains to the number of movements for each individual MAC address rather than the total number of MAC address moves in the VLAN. For example, if the MAC move limit is set to 1, the switch allows an unlimited number of MAC address movements within the VLAN as long as the same MAC address does not move more than once.
You configure MAC move limiting per VLAN, not per interface (port). In the default
configuration, the number of MAC moves permitted is unlimited.
You can choose to have one of the following actions performed when the MAC move
limit is exceeded:

drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry. This is the default.

log: Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

none: Take no action.

shutdown: Disable the interfaces in the VLAN and generate an alarm. If you have configured the switch with the port-error-disable statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.


To configure a MAC move limit for MAC addresses within a specific VLAN or for MAC addresses within all VLANs, using the CLI:

On a single VLAN: To limit the number of MAC address movements that can be made by an individual MAC address within the VLAN employee-vlan, set a MAC move limit of 5:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5

The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within the employee-vlan has moved more than 5 times within one second.

On all VLANs: To limit the number of MAC movements that can be made by individual MAC addresses within all VLANs, set a MAC move limit of 5:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all mac-move-limit 5

The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within any of the VLANs has moved more than 5 times within one second.
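The per-MAC, one-second counting rule described above, as an added example in Python (not JUNOS code): a small model of MAC move tracking for a VLAN with mac-move-limit and the drop/log/none/shutdown actions. The sliding one-second window, the event timings and the MAC addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque


class MacMoveLimiter:
    """Tracks, per VLAN and per MAC address, the interface on which the MAC
    was last seen and the times of its recent moves."""

    def __init__(self, vlan_limits):
        # vlan_limits (assumed format): {vlan name: (limit, action)}. The key
        # "all" stands for `set vlan all mac-move-limit`; a VLAN-specific entry
        # wins over it, and a VLAN with neither is unlimited (the default).
        self.vlan_limits = vlan_limits
        self.last_port = {}               # (vlan, mac) -> interface last seen on
        self.moves = defaultdict(deque)   # (vlan, mac) -> timestamps of its moves
        self.disabled_vlans = set()       # VLANs whose interfaces were shut down
        self.alarms = []                  # (vlan, mac, action) for drop/log/shutdown

    def limit_for(self, vlan):
        return self.vlan_limits.get(vlan) or self.vlan_limits.get("all")

    def observe(self, t, vlan, mac, interface):
        """Record a frame from `mac` on `interface` in `vlan` at time `t`
        (seconds). Returns "forward", or the action taken when this MAC
        exceeded the move limit of its VLAN."""
        key = (vlan, mac.lower())
        prev = self.last_port.get(key)
        self.last_port[key] = interface
        if prev is None or prev == interface:
            return "forward"              # first sighting, or no movement
        window = self.moves[key]
        window.append(t)
        # Assumption: "within one second" is a sliding window, so only this
        # MAC's moves in the last second count; other MACs' moves never do.
        while t - window[0] > 1.0:
            window.popleft()
        limit = self.limit_for(vlan)
        if limit is None or len(window) <= limit[0]:
            return "forward"
        action = limit[1]
        if action == "none":
            return "forward"              # none: take no action
        self.alarms.append((vlan, key[1], action))
        if action == "shutdown":
            self.disabled_vlans.add(vlan)  # shutdown disables the VLAN's interfaces
        return action


def flapping_demo(limit=5, action="drop"):
    """One constructed MAC flapping between two access ports eight times in one
    second in employee-vlan, configured with mac-move-limit `limit`."""
    lim = MacMoveLimiter({"employee-vlan": (limit, action)})
    ports = ("ge-0/0/1.0", "ge-0/0/2.0")
    return [lim.observe(0.1 * i, "employee-vlan", "00:05:85:3a:82:80", ports[i % 2])
            for i in range(8)]


if __name__ == "__main__":
    print(flapping_demo())   # the sixth move within the second is the first drop
```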
Related Topics


Configuring MAC Move Limiting (J-Web Procedure) on page 1171

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That MAC Move Limiting Is Working Correctly on page 1188

Monitoring Port Security on page 1179

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 1076


Configuring MAC Move Limiting (J-Web Procedure)


MAC move limiting detects MAC address movement and MAC address spoofing on
access ports. MAC address movements are tracked, and if a MAC address moves
more than the configured number of times within one second, the configured (or
default) action is performed. You enable this feature on VLANs.

NOTE: Although you enable this feature on VLANs, the MAC move limitation pertains to the number of movements for each individual MAC address rather than the total number of MAC address moves in the VLAN. For example, if the MAC move limit is set to 1, the switch allows an unlimited number of MAC address movements within the VLAN as long as the same MAC address does not move more than once.
In the default configuration, the MAC move limit within each VLAN is unlimited; the
default action that the switch will take if the specified MAC move limit is exceeded
is drop.
To enable MAC move limiting for MAC addresses within one or more VLANs by using the J-Web interface:

1. Select Configure>Security>Port Security.

2. Select one or more VLANs from the VLAN List.

3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.

4. To set a MAC move limit:

   1. Type a limit value in the MAC Movement box.

   2. Select an action from the MAC Movement Action box (optional). The switch takes this action when an individual MAC address exceeds the MAC move limit. If you do not select an action, the switch applies the default action, drop. Select one:

      Log: Generate a system log entry, an SNMP trap, or an alarm.

      Drop: Drop the packets and generate a system log entry, an SNMP trap, or an alarm. (Default)

      Shutdown: Shut down the VLAN and generate an alarm. You can mitigate the effect of this option by configuring the switch for autorecovery from the disabled state and specifying a disable timeout value. See Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558. If you have not configured autorecovery from the disabled state, you can bring up the interfaces by running the clear ethernet-switching port-error command.

      None: No action to be taken.


   3. Click OK.

5. Click OK after the configuration has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs, a message
asking whether you want to enable port security appears.
Related Topics

Configuring MAC Move Limiting (CLI Procedure) on page 1169

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That MAC Move Limiting Is Working Correctly on page 1188

Monitoring Port Security on page 1179

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX
Series Switches on page 1076

Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure)
If you set a MAC limit in your port security settings to apply to all interfaces on the
EX Series switch, you can override that setting for a particular interface by specifying
action none.
To use the none action to override a MAC limit setting:

1. Set the MAC limit, for example, a limit of 5 with action drop:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5 action drop

2. Then change the action for one interface (here, ge-0/0/2) with this command. You don't need to specify a limit value.

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit action none
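The MAC limiting behaviour of Configuring MAC Limiting (CLI Procedure) and the none override above, as an added example in Python (not JUNOS code): a model of per-interface mac-limit enforcement with its actions, an allowed-mac list with the no-allowed-mac-log option, and an interface-specific setting that overrides the one applied to all interfaces. The config dictionary format, the MAC addresses, and the treatment of none as forwarding without counting are assumptions.

```python
DEFAULT_ACTION = "drop"   # applied when a limit is set without an action


class MacLimiter:
    """Per-interface MAC limiting: a dynamic-learning limit with an action, an
    optional allowed-MAC list, and interface-specific settings that override
    the ones configured for interface all."""

    def __init__(self, config, no_allowed_mac_log=False):
        # config (assumed format): {"all" or interface name: {"mac-limit": int,
        # "action": str, "allowed-mac": set of MAC strings}}; every key optional.
        self.config = config
        self.no_allowed_mac_log = no_allowed_mac_log  # the no-allowed-mac-log statement
        self.learned = {}       # interface -> MACs learned dynamically
        self.disabled = set()   # interfaces taken down by the shutdown action
        self.log = []           # (interface, mac, message): log entry / trap / alarm

    def setting(self, interface, key):
        """A value set on the interface itself wins over one set on interface all;
        None means the feature is not configured for that interface."""
        for scope in (interface, "all"):
            value = self.config.get(scope, {}).get(key)
            if value is not None:
                return value
        return None

    def receive(self, interface, mac):
        """Outcome for a frame with source `mac` arriving on `interface`:
        "forward", "not-learned" (allowed-mac miss), "disabled", or the action
        applied because the dynamic limit was exceeded."""
        mac = mac.lower()
        if interface in self.disabled:
            return "disabled"
        allowed = self.setting(interface, "allowed-mac")
        if allowed is not None:
            # Assumption: with an allowed-mac list, only listed MACs are accepted.
            if mac in {a.lower() for a in allowed}:
                return "forward"
            if not self.no_allowed_mac_log:
                self.log.append((interface, mac, "not in allowed-mac list"))
            return "not-learned"
        table = self.learned.setdefault(interface, set())
        if mac in table:
            return "forward"           # already learned; the limit is irrelevant
        limit = self.setting(interface, "mac-limit")
        if limit is None or len(table) < limit:
            table.add(mac)
            return "forward"
        action = self.setting(interface, "action") or DEFAULT_ACTION
        if action == "none":
            return "forward"           # assumption: forwarded, not learned, no alarm
        self.log.append((interface, mac, f"mac-limit {limit} exceeded, action {action}"))
        if action == "shutdown":
            self.disabled.add(interface)
        return action


def demo():
    """The configuration of the two procedures above: mac-limit 5 action drop on
    all interfaces, overridden with action none on ge-0/0/2. Returns the outcome
    of six constructed source MACs on each interface."""
    sw = MacLimiter({"all": {"mac-limit": 5, "action": "drop"},
                     "ge-0/0/2": {"action": "none"}})
    macs = [f"00:05:85:3a:82:{i:02x}" for i in range(0x70, 0x76)]
    return {port: [sw.receive(port, m) for m in macs]
            for port in ("ge-0/0/1", "ge-0/0/2")}


if __name__ == "__main__":
    for port, outcome in demo().items():
        print(port, outcome)
```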

Related Topics


Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That MAC Limiting Is Working Correctly on page 1183


Configuring IP Source Guard (CLI Procedure)


You can use the IP source guard access port security feature on EX Series switches to mitigate the effects of source IP address spoofing and source MAC address spoofing. If IP source guard determines that a host connected to an access interface has sent a packet with an invalid source IP address or source MAC address in the packet header, it ensures that the switch does not forward the packet; that is, the packet is discarded.
You enable the IP source guard feature on VLANs. You can enable it on a specific
VLAN, on all VLANs, or on a VLAN range.

NOTE: IP source guard applies only to access interfaces and only to untrusted
interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or
an interface set to dhcp-trusted, the CLI shows an error when you try to commit the
configuration.
Before you configure IP source guard, be sure that you have:
Enabled DHCP snooping on the VLAN or VLANs on which you will configure IP source
guard. See Enabling DHCP Snooping (CLI Procedure) on page 1154.


To enable IP source guard on a VLAN, all VLANs, or a VLAN range (a series of tagged VLANs) by using the CLI:

NOTE: Replace values displayed in italics with values for your configuration.

On a specific VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default ip-source-guard

On all VLANs:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all ip-source-guard

On a VLAN range:

1. Set the VLAN range (the VLAN name is employee):

[edit vlans]
user@switch# set employee vlan-range 100-101

2. Associate an interface with a VLAN-range number (100 in the following example) and set the port mode to access:

[edit interfaces]
user@switch# set ge-0/0/6 unit 0 family ethernet-switching port-mode access vlan members 100

3. Enable IP source guard on the VLAN employee:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee ip-source-guard

NOTE: You can use the no-ip-source-guard statement to disable IP source guard for a
specific VLAN after you have enabled the feature for all VLANs.
To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
Related Topics


Verifying That IP Source Guard Is Working Correctly on page 1188

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN on page 1128


Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 1120

Understanding IP Source Guard for Port Security on EX Series Switches on page 1082

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure)
You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the
DHCP snooping database. These bindings are labeled as static in the database,
while those bindings that have been added through the process of DHCP snooping
are labeled dynamic.
To configure a static IP address/MAC address binding in the DHCP snooping database,
by using the CLI:

NOTE: Replace values displayed in italics with values for your configuration.

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 static-ip 10.0.10.12 vlan data-vlan mac 00:05:85:3A:82:80

To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
Related Topics

Verifying That DHCP Snooping Is Working Correctly on page 1180

Understanding DHCP Snooping for Port Security on EX Series Switches on page 1067


Configuring Unrestricted Proxy ARP (CLI Procedure)


You can configure unrestricted proxy ARP on your EX Series switch to increase
security by forcing hosts to send and receive communications through the switch
rather than exchange communications directly. When you enable proxy ARP on an
EX Series switch, it operates in unrestricted mode. This is the only mode available,
and this setting applies globally to all interfaces on the switch. Therefore, when proxy
ARP is enabled, even hosts within the same VLAN must send and receive
communications through the switch.

BEST PRACTICE: We recommend that you disable gratuitous ARP requests on each
of the interfaces on the switch. If gratuitous ARP requests are not disabled, the switch
responds to all ARP requests, including gratuitous ARP requests.
The following procedure shows the configuration of only a few interfaces. Typically
you would disable gratuitous ARP on all switch interfaces. It is sufficient to configure
unrestricted proxy ARP on a single interface, because it applies globally to all the
interfaces. However, you must disable gratuitous ARP on all the interfaces that you
want to use for unrestricted proxy ARP messages.
To configure unrestricted proxy ARP:

1. Configure proxy ARP on a single interface:

[edit]
user@switch# set interfaces ge-0/0/3 unit 0 proxy-arp

2. Disable gratuitous ARP on each of the interfaces:

[edit interfaces]
user@switch# set ge-0/0/3 no-gratuitous-arp-request
user@switch# set ge-0/0/4 no-gratuitous-arp-request
user@switch# set ge-0/0/5 no-gratuitous-arp-request
user@switch# set ge-0/0/25 no-gratuitous-arp-request
user@switch# set ge-0/0/26 no-gratuitous-arp-request
user@switch# set ge-0/0/27 no-gratuitous-arp-request

Related Topics


Example: Configuring Unrestricted Proxy ARP on an EX Series Switch on page 1142

Verifying That Unrestricted Proxy ARP Is Working Correctly on page 1190


Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)
An Ethernet switching access interface on an EX Series switch might shut down or
be disabled as a result of one of the following port-security or storm-control
configurations:

MAC limiting: mac-limit statement is configured with action shutdown.

MAC move limiting: mac-move-limit statement is configured with action shutdown.

Storm control: storm-control statement is configured with the action shutdown.

You can configure the switch to automatically restore the disabled interfaces to service
after a specified period of time. Autorecovery applies to all the interfaces that have
been disabled due to MAC limiting, MAC move limiting, or storm control errors.

NOTE: You must specify the disable timeout value for the interfaces to recover
automatically. There is no default disable timeout. If you do not specify a timeout
value, you need to use the clear ethernet-switching port-error command to clear the
errors and restore the interfaces or the specified interface to service.
To configure autorecovery from the disabled state due to MAC limiting, MAC move
limiting, or storm control shutdown actions:
[edit ethernet-switching-options]
user@switch# set port-error-disable disable-timeout 60

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Configuring MAC Limiting (CLI Procedure) on page 1165

Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX
Series Switches on page 1076

Understanding Storm Control on EX Series Switches on page 475


Chapter 58

Verifying Port Security

Monitoring Port Security on page 1179

Verifying That DHCP Snooping Is Working Correctly on page 1180

Verifying That a Trusted DHCP Server Is Working Correctly on page 1181

Verifying That DAI Is Working Correctly on page 1182

Verifying That MAC Limiting Is Working Correctly on page 1183

Verifying That MAC Move Limiting Is Working Correctly on page 1188

Verifying That IP Source Guard Is Working Correctly on page 1188

Verifying That the Port Error Disable Setting Is Working Correctly on page 1189

Verifying That Unrestricted Proxy ARP Is Working Correctly on page 1190

Monitoring Port Security


Purpose

Use the monitoring functionality to view these port security details:

DHCP snooping database for a VLAN or all VLANs

ARP inspection details for all interfaces

Action

To monitor port security in the J-Web interface, select Monitor > Security > Port Security.

To monitor and manipulate the DHCP snooping database and ARP inspection statistics in the CLI, enter the following commands:

show dhcp snooping binding

clear dhcp snooping binding: In addition to clearing the whole database, you can clear database entries for specified VLANs or MAC addresses.

show arp inspection statistics

clear arp inspection statistics

Meaning

The J-Web Port Security Monitoring page comprises two sections:

DHCP Snooping: Displays the DHCP snooping database for all the VLANs for which DHCP snooping is enabled. To view the DHCP snooping database for a specific VLAN, select the specific VLAN from the list.


ARP Inspection: Displays the ARP inspection details for all interfaces. The information includes details of the number of packets that passed ARP inspection and the number of packets that failed the inspection. The pie chart graphically represents these statistics when you select an interface. To view ARP inspection statistics for a specific interface, select the interface from the list.

You have the following options on the page:

Clear ALL: Clears the DHCP snooping database, either for all VLANs if the option ALL has been selected in the Select VLANs list or for the specific VLAN that has been selected in that list.

Clear: Deletes a specific IP address from the DHCP snooping database.

To clear ARP statistics on the page, click Clear All in the ARP Statistics section.
Use the CLI commands to show and clear DHCP snooping database and ARP
inspection statistics details.
Related Topics

Configuring Port Security (CLI Procedure) on page 1150

Configuring Port Security (J-Web Procedure) on page 1151

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That DHCP Snooping Is Working Correctly


Purpose

Verify that DHCP snooping is working on the switch and that the DHCP snooping database is correctly populated with both dynamic and static bindings.

Action

Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.

Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address    Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17    600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18    653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19    720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20    932              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21    1230             dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22    -                static   data      ge-0/0/4.0

Meaning

When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time, that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. The statically configured entry never expires.
If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address    Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   0.0.0.0       -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0       -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0       -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0       -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0       -                dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22    -                static   data      ge-0/0/4.0

In the preceding output sample, IP addresses and lease times are not assigned to the
dynamically learned bindings because the DHCP clients do not have a trusted server
to which they can send requests. In the database, the clients' MAC addresses are
shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address
column) and no leases (the lease time is shown as a dash in the Lease column).
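Parsing the binding table above and applying it the way DAI (Enabling Dynamic ARP Inspection) and IP source guard (Configuring IP Source Guard) do, as an added example in Python that is not JUNOS code: the two tables are constructed reproductions of the samples in this section, and the validation rules are this chapter's descriptions of the features, not the switch's implementation.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed reproduction of the trusted-server output shown above; the static
# entry carries no lease, which the output shows as a dash.
TRUSTED_OUTPUT = """\
DHCP Snooping Information:
MAC address         IP address    Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17    600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18    653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19    720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20    932              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21    1230             dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22    -                static   data      ge-0/0/4.0
"""

# Constructed: the same clients when the server-facing interface is untrusted.
UNTRUSTED_OUTPUT = """\
DHCP Snooping Information:
MAC address         IP address    Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   0.0.0.0       -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0       -                dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22    -                static   data      ge-0/0/4.0
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: Optional[int]   # None where the output shows a dash
    kind: str              # "dynamic" or "static"
    vlan: str
    interface: str


def parse_bindings(text):
    """Parse `show dhcp snooping binding` output; the title and header lines
    are skipped because they do not split into six fields led by a MAC."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0].count(":") != 5:
            continue
        lease = None if parts[2] == "-" else int(parts[2])
        bindings.append(Binding(parts[0].lower(), parts[1], lease,
                                parts[3], parts[4], parts[5]))
    return bindings


def unassigned_clients(bindings):
    """Dynamic bindings left at 0.0.0.0: clients that never reached a trusted
    server, the condition the untrusted-server sample above illustrates."""
    return [b for b in bindings if b.kind == "dynamic" and b.ip == "0.0.0.0"]


def arp_inspection(bindings, vlan, sender_mac, sender_ip):
    """DAI: an ARP packet in a VLAN is valid only if its sender MAC/IP pair is
    a binding in the snooping database for that VLAN."""
    return any(b.vlan == vlan and b.mac == sender_mac.lower() and b.ip == sender_ip
               for b in bindings)


def ip_source_guard(bindings, interface, src_mac, src_ip):
    """IP source guard: a packet from an access interface is forwarded only if
    its source MAC and source IP match a binding learned on that interface."""
    return any(b.interface == interface and b.mac == src_mac.lower() and b.ip == src_ip
               for b in bindings)


if __name__ == "__main__":
    table = parse_bindings(TRUSTED_OUTPUT)
    print(arp_inspection(table, "employee", "00:05:85:3A:82:80", "192.0.2.19"))
    print([b.mac for b in unassigned_clients(parse_bindings(UNTRUSTED_OUTPUT))])
```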
Related Topics

Enabling DHCP Snooping (CLI Procedure) on page 1154

Enabling DHCP Snooping (J-Web Procedure) on page 1155

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 1175

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 1105

Monitoring Port Security on page 1179

Troubleshooting Port Security on page 1193

Verifying That a Trusted DHCP Server Is Working Correctly

Purpose
Verify that a DHCP trusted server is working on the switch. See what happens when
the DHCP server is trusted and then untrusted.

Action
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:


user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address        IP Address   Lease  Type     VLAN          Interface
-----------------  -----------  -----  -------  ------------  ----------
00:05:85:3A:82:77  192.0.2.17   600    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18   653    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19   720    dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:81  192.0.2.20   932    dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:83  192.0.2.21   1230   dynamic  employeevlan  ge-0/0/2.0
00:05:85:27:32:88  192.0.2.22   3200   dynamic  employeevlan  ge-0/0/2.0

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires.
If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address        IP Address   Lease  Type     VLAN          Interface
-----------------  -----------  -----  -------  ------------  ----------
00:05:85:3A:82:77  0.0.0.0      -      dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79  0.0.0.0      -      dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:80  0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:81  0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:83  0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:27:32:88  0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0

In the preceding output sample, IP addresses and lease times are not assigned because
the DHCP clients do not have a trusted server to which they can send requests. In
the database, the clients' MAC addresses are shown with no assigned IP addresses
(hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time
is shown as a dash in the Lease column).
Related Topics

Enabling a Trusted DHCP Server (CLI Procedure) on page 1156

Enabling a Trusted DHCP Server (J-Web Procedure) on page 1156

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 1098

Monitoring Port Security on page 1179

Troubleshooting Port Security on page 1193

Verifying That DAI Is Working Correctly

Purpose
Verify that dynamic ARP inspection (DAI) is working on the switch.

Action
Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch> show arp inspection statistics
ARP inspection statistics:
Interface        Packets received  ARP inspection pass  ARP inspection failed
---------------  ----------------  -------------------  ---------------------
ge-0/0/1.0       7                 5                    2
ge-0/0/2.0       10                10                   0
ge-0/0/3.0       12                12                   0

Meaning
The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.

Related Topics

Enabling Dynamic ARP Inspection (CLI Procedure) on page 1163

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 1164

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 1105

Monitoring Port Security on page 1179
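The DAI counters above are cumulative, so a monitoring job that polls show arp inspection statistics should alert on growth of the failed column rather than on its absolute value. The following Python script is an added example, not Juniper's code: it parses the four-column display, lists interfaces that have dropped ARP packets, and computes the per-interface increase in failures between two polls. Both sample outputs are constructed (the first from the counters shown above, the second as a hypothetical later poll); the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not captured from a real switch), using the counters shown above.
FIRST_POLL = """\
ARP inspection statistics:
Interface        Packets received  ARP inspection pass  ARP inspection failed
---------------  ----------------  -------------------  ---------------------
ge-0/0/1.0       7                 5                    2
ge-0/0/2.0       10                10                   0
ge-0/0/3.0       12                12                   0
"""

# Constructed second poll a minute later: ge-0/0/1.0 has failed six more packets.
SECOND_POLL = """\
ARP inspection statistics:
Interface        Packets received  ARP inspection pass  ARP inspection failed
---------------  ----------------  -------------------  ---------------------
ge-0/0/1.0       15                7                    8
ge-0/0/2.0       14                14                   0
ge-0/0/3.0       12                12                   0
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

Stats = Dict[str, Tuple[int, int, int]]  # interface -> (received, passed, failed)


def parse_dai_stats(output: str) -> Stats:
    """Turn the statistics display into a dict; title, header and separator lines are skipped."""
    stats: Stats = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        received, passed, failed = (int(m.group(i)) for i in (2, 3, 4))
        if received != passed + failed:
            raise ValueError(f"counters do not add up on {m.group(1)}: {line!r}")
        stats[m.group(1)] = (received, passed, failed)
    return stats


def failing_interfaces(stats: Stats) -> List[str]:
    """Interfaces with at least one ARP packet dropped by DAI, worst first."""
    return sorted((iface for iface, (_, _, failed) in stats.items() if failed > 0),
                  key=lambda iface: stats[iface][2], reverse=True)


def new_failures(previous: Stats, current: Stats) -> Dict[str, int]:
    """Per-interface growth of the failed counter between two polls.

    An interface whose counter went backwards (cleared or the switch rebooted) is
    reported with its current value so that a reset does not hide new drops.
    """
    delta: Dict[str, int] = {}
    for iface, (_, _, failed_now) in current.items():
        failed_before = previous.get(iface, (0, 0, 0))[2]
        growth = failed_now - failed_before if failed_now >= failed_before else failed_now
        if growth > 0:
            delta[iface] = growth
    return delta


if __name__ == "__main__":
    first, second = parse_dai_stats(FIRST_POLL), parse_dai_stats(SECOND_POLL)
    print("interfaces with DAI drops:", failing_interfaces(first))
    print("new drops since last poll:", new_failures(first, second))
```

A steady trickle of drops on one access port usually means a host with a static address that is not in the DHCP snooping database (add it with static-ip) rather than an attack; a sudden jump on one port is the pattern worth paging on.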

Verifying That MAC Limiting Is Working Correctly

MAC limiting protects against flooding of the Ethernet switching table. MAC limiting
sets a limit on the number of MAC addresses that can be learned on a single Layer
2 access interface (port).
JUNOS Software provides two MAC limiting methods:

Maximum number of dynamic MAC addresses allowed per interface: When the limit is exceeded, incoming packets with new MAC addresses are dropped.

Specific allowed MAC addresses for the access interface: Any MAC address that is not in the list of configured addresses is not learned.

To verify MAC limiting configurations:

1. Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly on page 1184
2. Verifying That Allowed MAC Addresses Are Working Correctly on page 1184
3. Verifying Results of Various Action Settings When the MAC Limit Is Exceeded on page 1185
4. Customizing the Ethernet Switching Table Display to View Information for a Specific Interface on page 1187

Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly

Purpose
Verify that MAC limiting for dynamic MAC addresses is working on the switch.

Action
Display the MAC addresses that have been learned. The following sample output
shows the results when two packets were sent from hosts on ge-0/0/1 and five
packets were sent from hosts on ge-0/0/2, with both interfaces set to a
MAC limit of 4 with the action drop:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  *                  Flood  -    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:77  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0

Meaning
The sample output shows that with a MAC limit of 4 for each interface, the packet
for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit.
The address was not learned, and thus an asterisk (*) rather than an address appears
in the MAC address column in the first line of the sample output.

Verifying That Allowed MAC Addresses Are Working Correctly

Purpose
Verify that allowed MAC addresses are working on the switch.

Action
Display the MAC cache information after allowed MAC addresses have been configured
on an interface. The following sample shows the MAC cache after 5 allowed MAC
addresses had been configured on interface ge-0/0/2. In this instance, the interface
was also set to a dynamic MAC limit of 4 with action drop.
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
employee-vlan  *                  Flood  -    ge-0/0/2.0

Meaning
Because the MAC limit value for this interface had been set to 4, only four of the five
configured allowed addresses were learned and thus added to the MAC cache. Because
the fifth address was not learned, an asterisk (*) rather than an address appears in
the MAC address column in the last line of the sample output.

Verifying Results of Various Action Settings When the MAC Limit Is Exceeded

Purpose
Verify the results provided by the various action settings for MAC limits (drop, log,
none, and shutdown) when the limits are exceeded.

Action
Display the results of the various action settings.

NOTE: You can view log messages by using the show log messages command. You
can also have log messages displayed as they are logged by using the monitor start
messages command.

drop action: For MAC limiting configured with a drop action and with the MAC
limit set to 5:
user@switch> show ethernet-switching table
Ethernet-switching table: 6 entries, 5 learned
VLAN          MAC address        Type   Age  Interfaces
employeevlan  *                  Flood  -    ge-0/0/2.0
employeevlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:88  Learn  0    ge-0/0/2.0

log action: For MAC limiting configured with a log action and with the MAC limit
set to 5:
user@switch> show ethernet-switching table
Ethernet-switching table: 74 entries, 73 learned
VLAN          MAC address        Type   Age  Interfaces
employeevlan  *                  Flood  -    ge-0/0/2.0
employeevlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:82  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:84  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:87  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:88  Learn  0    ge-0/0/2.0
. . .

shutdown action: For MAC limiting configured with a shutdown action and with
the MAC limit set to 3:
user@switch> show ethernet-switching table
Ethernet-switching table: 4 entries, 3 learned
VLAN          MAC address        Type   Age  Interfaces
employeevlan  *                  Flood  -    ge-0/0/2.0
employeevlan  00:05:85:3A:82:82  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:84  Learn  0    ge-0/0/2.0
employeevlan  00:05:85:3A:82:87  Learn  0    ge-0/0/2.0

none action: If you set a MAC limit to apply to all interfaces on the switch, you
can override that setting for a particular interface by specifying this action for
that interface. See Setting the none Action on an Interface to Override a MAC
Limit Applied to All Interfaces (CLI Procedure) on page 1172.
Meaning
For the drop action results: The sixth MAC address exceeded the MAC limit. The
request packet for that address was dropped. Only five MAC addresses have been
learned on ge-0/0/2.
For the log action results: The sixth MAC address exceeded the MAC limit. No MAC
addresses were blocked.
For the shutdown action results: The fourth MAC address exceeded the MAC limit.
Only three MAC addresses have been learned on ge-0/0/2. The interface ge-0/0/1
is shut down.
For more information about interfaces that have been shut down, use the show
ethernet-switching interfaces command.
user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
bme0.32770   down   mgmt               untagged  unblocked
ge-1/0/0.0   down   v1                 untagged  MAC limit exceeded
ge-1/0/1.0   up     v1                 untagged  unblocked
ge-1/0/2.0   up     v1                 untagged  unblocked
me0.0        up     mgmt               untagged  unblocked

NOTE: You can configure the switch to recover automatically from this type of error
condition by specifying the port-error-disable statement with a disable timeout value.
The switch automatically restores the disabled interface to service when the disable
timeout expires. The port-error-disable configuration does not apply to pre-existing
error conditions. It impacts only error conditions that are detected after
port-error-disable has been enabled and committed. To clear a pre-existing error
condition and restore the interface to service, use the clear ethernet-switching port-error
command.

Customizing the Ethernet Switching Table Display to View Information for a Specific
Interface

Purpose
You can use the show ethernet-switching table command to view information for a
specific interface.

Action
For example, to display the MAC addresses that have been learned on the ge-0/0/2
interface, type:
user@switch> show ethernet-switching table interface ge-0/0/2.0
Ethernet-switching table: 1 unicast entries
VLAN  MAC address        Type   Age  Interfaces
v1    *                  Flood  -    All-members
v1    00:00:06:00:00:00  Learn  0    ge-2/0/0.0

Meaning
The MAC limit value for ge-0/0/2 had been set to 1, and the output shows that only
one MAC address was learned and thus added to the MAC cache. An asterisk (*)
rather than an address appears in the MAC address column in the first line of the
sample output.

Related Topics

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 1109

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 1094


Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 1101

Monitoring Port Security on page 1179

Verifying That MAC Move Limiting Is Working Correctly

Purpose
Verify that MAC move limiting is working on the switch.

Action
Display the MAC addresses in the Ethernet switching table when MAC move limiting
has been configured for a VLAN. The following sample shows the results after two
of the hosts on ge-0/0/2 sent packets after the MAC addresses for those hosts had
moved to other interfaces more than five times in 1 second. The VLAN, employee-vlan,
was set to a MAC move limit of 5 with the action drop:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 4 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:77  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  *                  Flood  -    ge-0/0/2.0
employee-vlan  *                  Flood  -    ge-0/0/2.0

Meaning
The last two lines of the sample output show that MAC addresses for two hosts on
ge-0/0/2 were not learned, because the hosts had been moved back and forth from
the original interfaces more than five times in 1 second.

NOTE: For descriptions of the results of the various action settings (drop, log, none,
and shutdown), see Verifying That MAC Limiting Is Working Correctly on page 1183.

Related Topics

Configuring MAC Move Limiting (CLI Procedure) on page 1169

Configuring MAC Move Limiting (J-Web Procedure) on page 1171

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Monitoring Port Security on page 1179
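The MAC limiting, allowed MAC, action-setting and MAC move limiting topics above all interpret the same show ethernet-switching table display: a Learn row is a learned address, and a row whose MAC address column shows an asterisk is an address the switch refused to learn. The following Python script is an added example, not Juniper's code: it parses that display, counts learned addresses per interface, and compares the count against per-interface limits to report ports that have reached their limit or already refused an address. The sample table is constructed from the rows shown above; CONFIGURED_LIMITS stands in for values read from the switch configuration, and the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format shown above: two hosts on ge-0/0/1 and five on
# ge-0/0/2, with mac-limit 4 action drop on both interfaces.
SAMPLE_TABLE = """\
Ethernet-switching table: 7 entries, 6 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  *                  Flood  -    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:77  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
"""

# Hypothetical per-interface limits, as they would be read from the configuration.
CONFIGURED_LIMITS = {"ge-0/0/1.0": 4, "ge-0/0/2.0": 4}

ROW_RE = re.compile(
    r"^(?P<vlan>\S+)\s+(?P<mac>\*|[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"
    r"(?P<type>Learn|Static|Flood)\s+(?P<age>\S+)\s+(?P<iface>\S+)\s*$")


@dataclass
class Entry:
    vlan: str
    mac: str        # '*' when the switch refused to learn the address
    kind: str       # Learn, Static or Flood
    interface: str


def parse_switching_table(output: str) -> List[Entry]:
    """Rows are lines whose second column is a MAC address or '*'; the title and
    header lines do not match and are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(Entry(m["vlan"], m["mac"], m["type"], m["iface"]))
    return entries


def learned_per_interface(entries: List[Entry]) -> Counter:
    return Counter(e.interface for e in entries if e.kind == "Learn")


def mac_limit_report(entries: List[Entry], limits: Dict[str, int]) -> Dict[str, dict]:
    """For each interface with a configured limit: learned count, whether the limit is
    reached, and whether a '*' row shows that a further address was refused.

    The same '*' marker appears when MAC move limiting refuses an address, so the
    'refused' flag covers both features; over_limit should never be true and would
    mean the limit is not being enforced on that port.
    """
    learned = learned_per_interface(entries)
    refused = {e.interface for e in entries if e.mac == "*"}
    report = {}
    for iface, limit in limits.items():
        n = learned.get(iface, 0)
        report[iface] = {"learned": n, "limit": limit, "at_limit": n >= limit,
                         "refused": iface in refused, "over_limit": n > limit}
    return report


if __name__ == "__main__":
    for iface, r in mac_limit_report(parse_switching_table(SAMPLE_TABLE), CONFIGURED_LIMITS).items():
        print(iface, r)
```

With a shutdown action the refused port no longer appears in this table at all; check show ethernet-switching interfaces for the Blocking reason in that case.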

Verifying That IP Source Guard Is Working Correctly

Purpose
Verify that IP source guard is enabled and is mitigating the effects of any source IP
spoofing attacks on the EX Series switch.

Action
Display the IP source guard database.
user@switch> show ip-source-guard
IP source guard information:
Interface    Tag  IP Address   MAC Address        VLAN
ge-0/0/12.0       10.10.10.7   00:30:48:92:A5:9D  vlan100
ge-0/0/13.0       10.10.10.9   00:30:48:8D:01:3D  vlan100
ge-0/0/13.0  100  *            *                  voice

Meaning
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.

Related Topics

Configuring IP Source Guard (CLI Procedure) on page 1173

Verifying That the Port Error Disable Setting Is Working Correctly

Purpose
Verify that the port error disable setting is working as expected on MAC limited, MAC
move limited, and rate-limited interfaces on an EX Series switch.

Action
Display information about interfaces:
user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ge-0/0/0.0   up     T1122         unblocked
ge-0/0/1.0   down   default       MAC limit exceeded
ge-0/0/2.0   down   default       MAC move limit exceeded
ge-0/0/3.0   down   default       Storm control in effect
ge-0/0/4.0   down   default       unblocked
ge-0/0/5.0   down   default       unblocked
ge-0/0/6.0   down   default       unblocked
ge-0/0/7.0   down   default       unblocked
ge-0/0/8.0   down   default       unblocked
ge-0/0/9.0   up     T111          unblocked
ge-0/0/10.0  down   default       unblocked
ge-0/0/11.0  down   default       unblocked
ge-0/0/12.0  down   default       unblocked
ge-0/0/13.0  down   default       unblocked
ge-0/0/14.0  down   default       unblocked
ge-0/0/15.0  down   default       unblocked
ge-0/0/16.0  down   default       unblocked
ge-0/0/17.0  down   default       unblocked
ge-0/0/18.0  down   default       unblocked
ge-0/0/19.0  up     T111          unblocked
ge-0/1/0.0   down   default       unblocked
ge-0/1/1.0   down   default       unblocked
ge-0/1/2.0   down   default       unblocked
ge-0/1/3.0   down   default       unblocked

Meaning
The sample output from the show ethernet-switching interfaces command shows that
three of the down interfaces specify the reason that the interface is disabled:

MAC limit exceeded: The interface is temporarily disabled due to a mac-limit
error. The disabled interface is automatically restored to service when the
disable-timeout expires.

MAC move limit exceeded: The interface is temporarily disabled due to a
mac-move-limit error. The disabled interface is automatically restored to service
when the disable-timeout expires.

Storm control in effect: The interface is temporarily disabled due to a
storm-control error. The disabled interface is automatically restored to service
when the disable-timeout expires.
Related Topics

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558
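The Blocking column is the only place the switch states why a port was error-disabled, and the two displays on this page (with and without the Tag and Tagging columns) put it last. The following Python script is an added example, not Juniper's code: it parses either layout by splitting on runs of spaces so that a multi-word reason stays intact, maps each reason to the error class named in the Meaning text above, and states the recovery path the chapter describes (automatic when port-error-disable is configured, otherwise clear ethernet-switching port-error). The sample output is constructed from the rows shown above; the function names and the port_error_disable_configured flag are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from a real switch) in the format shown above.
SAMPLE = """\
Interface    State  VLAN members  Blocking
ge-0/0/0.0   up     T1122         unblocked
ge-0/0/1.0   down   default       MAC limit exceeded
ge-0/0/2.0   down   default       MAC move limit exceeded
ge-0/0/3.0   down   default       Storm control in effect
ge-0/0/4.0   down   default       unblocked
ge-0/0/9.0   up     T111          unblocked
"""

# Constructed sample of the other layout seen on this page (Tag and Tagging columns).
SAMPLE_TAGGED = """\
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-1/0/0.0   down   v1                 untagged  MAC limit exceeded
ge-1/0/1.0   up     v1                 untagged  unblocked
"""

# Blocking reason as displayed -> error class named in the Meaning text above.
ERROR_CLASS = {
    "MAC limit exceeded": "mac-limit",
    "MAC move limit exceeded": "mac-move-limit",
    "Storm control in effect": "storm-control",
}


def parse_interfaces(output: str) -> List[Dict[str, str]]:
    """Split each row on runs of two or more spaces; an empty Tag cell collapses into
    the surrounding gap, and the Blocking reason is always the last field."""
    rows = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 4:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append({"interface": fields[0], "state": fields[1],
                     "vlans": fields[2], "blocking": fields[-1]})
    return rows


def error_disabled(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """interface -> error class for every port held down by a port-error condition."""
    return {r["interface"]: ERROR_CLASS.get(r["blocking"], "unknown")
            for r in rows if r["blocking"] != "unblocked"}


def recovery_action(error_class: str, port_error_disable_configured: bool) -> str:
    """What the operator should do, per the NOTE above: a configured disable-timeout
    restores the port by itself; otherwise (or for a condition that predates the
    port-error-disable commit) the port stays down until it is cleared by hand."""
    if port_error_disable_configured:
        return f"wait: {error_class} port is restored when disable-timeout expires"
    return f"run: clear ethernet-switching port-error ({error_class} port will not recover on its own)"


if __name__ == "__main__":
    for iface, cls in error_disabled(parse_interfaces(SAMPLE)).items():
        print(iface, cls, "->", recovery_action(cls, port_error_disable_configured=True))
```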

Verifying That Unrestricted Proxy ARP Is Working Correctly

Purpose
Verify that the switch is sending proxy ARP messages.

Action
List the system statistics for ARP:
user@switch> show system statistics arp
arp:
198319 datagrams received
45 ARP requests received
12 ARP replys received
2 resolution requests received
2 unrestricted proxy requests
0 restricted proxy requests
0 received proxy requests
0 proxy requests not proxied
0 restricted-proxy requests not proxied
0 with bogus interface
0 with incorrect length
0 for non-IP protocol
0 with unsupported op code
0 with bad protocol address length
0 with bad hardware address length
0 with multicast source address
0 with multicast target address
0 with my own hardware address
168705 for an address not on the interface
0 with a broadcast source address
0 with source address duplicate to mine
29555 which were not for me
0 packets discarded waiting for resolution
4 packets sent after waiting for resolution
27 ARP requests sent
47 ARP replys sent
0 requests for memory denied
0 requests dropped on entry
0 requests dropped during retry
0 requests dropped due to interface deletion
0 requests on unnumbered interfaces
0 new requests on unnumbered interfaces
0 replies for from unnumbered interfaces
0 requests on unnumbered interface with non-subnetted donor
0 replies from unnumbered interface with non-subnetted donor

Meaning
The output shows that all the proxy ARP requests received (2 unrestricted proxy
requests) have been proxied by the switch: the proxy requests not proxied counter is 0.
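The verification above rests on three counters in a long list, so it is easy to automate. The following Python script is an added example, not Juniper's code: it reads the counter lines of show system statistics arp into a dictionary and returns a verdict that distinguishes "nothing to judge yet" (no proxy requests seen) from a real failure (requests that were not proxied). The sample is a constructed excerpt using the counters shown above; the function names and verdict strings are this example's own.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt of 'show system statistics arp' (not captured from a real
# switch), using the counters shown above; lines not needed here are left out.
SAMPLE = """\
arp:
198319 datagrams received
45 ARP requests received
12 ARP replys received
2 resolution requests received
2 unrestricted proxy requests
0 restricted proxy requests
0 received proxy requests
0 proxy requests not proxied
0 restricted-proxy requests not proxied
27 ARP requests sent
47 ARP replys sent
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_arp_counters(output: str) -> Dict[str, int]:
    """Map each counter description to its value; lines without a leading number
    (such as the 'arp:' heading) are skipped."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def proxy_arp_check(counters: Dict[str, int]) -> Tuple[str, str]:
    """Return (verdict, detail): 'ok', 'fail' or 'no-data'."""
    unrestricted = counters.get("unrestricted proxy requests", 0)
    restricted = counters.get("restricted proxy requests", 0)
    not_proxied = (counters.get("proxy requests not proxied", 0)
                   + counters.get("restricted-proxy requests not proxied", 0))
    if unrestricted + restricted == 0:
        return ("no-data", "no proxy ARP requests seen yet; re-check after hosts have sent ARP requests")
    if not_proxied:
        return ("fail", f"{not_proxied} proxy request(s) were not proxied")
    return ("ok", f"{unrestricted} unrestricted and {restricted} restricted proxy request(s), all proxied")


if __name__ == "__main__":
    print(proxy_arp_check(parse_arp_counters(SAMPLE)))
```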


Chapter 59

Troubleshooting Port Security

Troubleshooting Port Security on page 1193

Troubleshooting Port Security

Troubleshooting issues for port security on EX Series switches:

No IP Address or Lease Time Is Assigned to DHCP Client MAC Addresses in the DHCP Snooping Database on page 1193

MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the Ethernet Switching Table on page 1194

No IP Address or Lease Time Is Assigned to DHCP Client MAC Addresses in the DHCP
Snooping Database

Problem
DHCP snooping is enabled on the switch, but no IP addresses or lease times are
assigned to the DHCP clients when they send requests to the DHCP server. The output
of the DHCP snooping database looks similar to the following:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address        IP address  Lease (seconds)  Type     VLAN      Interface
-----------------  ----------  ---------------  -------  --------  ----------
00:05:85:3A:82:77  0.0.0.0     -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79  0.0.0.0     -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80  0.0.0.0     -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81  0.0.0.0     -                dynamic  employee  ge-0/0/2.0

In the database output sample, the clients' MAC addresses are shown with no assigned
IP addresses (hence the 0.0.0.0 content in the IP Address column) and no leases (the
lease time is shown as a dash in the Lease column).
Solution
The DHCP clients are sending requests to a DHCP server that is untrusted, that is,
the server is connected to the switch through an untrusted interface.
To set the server interface as trusted and obtain IP addresses with leases for the
DHCP clients:
1. Set the interface as trusted.
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted
2. Send requests from the DHCP clients to the DHCP server.
Now display the DHCP snooping information. Requests were sent from the MAC
addresses, and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address        IP address  Lease (seconds)  Type     VLAN      Interface
-----------------  ----------  ---------------  -------  --------  ----------
00:05:85:3A:82:77  192.0.2.17  600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18  653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19  720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81  192.0.2.20  932              dynamic  employee  ge-0/0/2.0
MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the
Ethernet Switching Table

Problem
You see log messages telling you that the MAC limit or MAC move limit has been
exceeded, but the specific offending MAC addresses that have been exceeding the
limit are not listed in the Ethernet switching table.

Solution
1. Set the MAC limit or MAC move limit action to log.
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit 5 action log
2. Allow some MAC address requests to come in.
3. View the entries in the Ethernet switching table:
user@switch> show ethernet-switching table

Related Topics


Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That a Trusted DHCP Server Is Working Correctly on page 1181

Verifying That MAC Limiting Is Working Correctly on page 1183

Enabling a Trusted DHCP Server (CLI Procedure) on page 1156

Enabling a Trusted DHCP Server (J-Web Procedure) on page 1156

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167


Chapter 60

Configuration Statements for Port Security

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 1195

[edit forwarding-options] Configuration Statement Hierarchy on page 1197

[edit ethernet-switching-options] Configuration Statement Hierarchy


ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        disable-timeout timeout;
        interface (all | [interface-name]);
    }
    dot1q-tunneling {
        ether-type (0x8100 | 0x88a8 | 0x9100);
    }
    interfaces interface-name {
        no-mac-learning;
    }
    mac-table-aging-time seconds;
    port-error-disable {
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
        }
    }
    secure-access-port {
        dhcp-snooping-file {
            location local_pathname | remote_URL;
            timeout seconds;
            write-interval seconds;
        }
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            no-allowed-mac-log;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                    use-interface-description;
                    use-vlan-id;
                }
                remote-id {
                    prefix hostname | mac | none;
                    use-interface-description;
                    use-string string;
                }
                vendor-id [string];
            }
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            bandwidth bandwidth;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    unknown-unicast-forwarding {
        vlan (all | vlan-name) {
            interface interface-name;
        }
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}
Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

Port Security for EX Series Switches Overview on page 1063

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding Storm Control on EX Series Switches on page 475

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

[edit forwarding-options] Configuration Statement Hierarchy

helpers {
    bootp {
        dhcp-option82 {
            circuit-id {
                prefix hostname;
                use-interface-description;
                use-vlan-id;
            }
            remote-id {
                prefix hostname | mac | none;
                use-interface-description;
                use-string string;
            }
            vendor-id <string>;
        }
        interface {
            interface-name {
                dhcp-option82 {
                    circuit-id {
                        prefix hostname;
                        use-interface-description;
                        use-vlan-id;
                    }
                    remote-id {
                        prefix hostname | mac | none;
                        use-interface-description;
                        use-string string;
                    }
                    vendor-id <string>;
                }
            }
        }
    }
}
Related Topics

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160

Understanding DHCP Option 82 for Port Security on EX Series Switches on page 1078

For more information about the [edit forwarding-options] hierarchy and all its
options, see the JUNOS Software Policy Framework Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos93/index.html.


action-shutdown

Syntax
action-shutdown;

Hierarchy Level
[edit ethernet-switching-options storm-control]

Release Information
Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
Shut down or disable interfaces when the storm control level is exceeded, as follows:

If you set both the action-shutdown and the port-error-disable statements, the
interfaces are disabled temporarily and recover automatically when the disable
timeout expires.

If you set the action-shutdown statement and do not specify the
port-error-disable statement, the interfaces that are enabled for storm control are
shut down when the storm control level is exceeded and they do not recover
automatically from that port-error condition. You must issue the clear
ethernet-switching port-error command to clear the port error and restore the
interfaces to service.

Default
The action-shutdown option is not enabled. When the storm control level is exceeded,
the switch drops unknown unicast and broadcast messages on the specified interfaces.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

port-error-disable

disable-timeout

clear ethernet-switching port-error

Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

Understanding Storm Control on EX Series Switches on page 475


allowed-mac

Syntax
allowed-mac {
    mac-address-list;
}

Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Specify particular MAC addresses to be added to the MAC address cache.

NOTE: Although this configuration restricts the addresses that can be added to the
MAC address cache, it does not block the switch from receiving Layer 2 control
packets, such as Link Layer Discovery Protocol (LLDP) packets, transmitted from
MAC addresses that are not specified in the list of allowed MAC addresses. Control
packets do not undergo the MAC address check and they are therefore included in
the statistics of packets received. However, they are not forwarded to another
destination. They are trapped within the switch.

Default
Allowed MAC addresses take precedence over dynamic MAC values that have been
applied with the mac-limit statement.

Options
mac-address-list: One or more MAC addresses configured as allowed MAC addresses
for a specified interface or all interfaces.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

mac-limit

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 1109

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 1094

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 1101

Configuring MAC Limiting (CLI Procedure) on page 1165

Configuring MAC Limiting (J-Web Procedure) on page 1167

Chapter 60: Configuration Statements for Port Security

arp-inspection

Syntax
(arp-inspection | no-arp-inspection);

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Perform dynamic ARP inspection on all VLANs or on the specified VLAN.
arp-inspection: Enable ARP inspection.
no-arp-inspection: Disable ARP inspection.

Default
Disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087
Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 1112
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 1105
Enabling Dynamic ARP Inspection (CLI Procedure) on page 1163
Enabling Dynamic ARP Inspection (J-Web Procedure) on page 1164

circuit-id

Syntax
circuit-id {
  prefix hostname;
  use-interface-description;
  use-vlan-id;
}

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82]
[edit forwarding-options helpers bootp dhcp-option82]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure the circuit-id suboption (suboption 1) of DHCP option 82 (the DHCP relay
agent information option) in DHCP packets destined for a DHCP server. This suboption
identifies the circuit (interface and/or VLAN) on which the DHCP request arrived.
The format of the circuit-id information for Gigabit Ethernet interfaces that use VLANs
is interface-name:vlan-name. On a Layer 3 interface, the format is just interface-name.
The remaining statements are explained separately.

Default
If DHCP option 82 is enabled on the switch, the circuit ID is supplied by default in
the format interface-name:vlan-name or, on a Layer 3 interface, just interface-name.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138
Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160
[edit forwarding options] Configuration Statement Hierarchy on page 44
RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

dhcp-option82

Syntax
dhcp-option82 {
  circuit-id {
    prefix hostname;
    use-interface-description;
    use-vlan-id;
  }
  remote-id {
    prefix hostname | mac | none;
    use-interface-description;
    use-string string;
  }
  vendor-id <string>;
}

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
[edit forwarding-options helpers bootp]
[edit forwarding-options helpers bootp interface interface-name]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
When the switch receives a DHCP request from a DHCP client connected on one of
the switch's interfaces, have the switch insert DHCP option 82 (also known as the
DHCP relay agent information option) information in the DHCP request packet header
before it forwards or relays the request to a DHCP server. The server uses the
option 82 information, which provides details about the circuit and host the request
came from, in formulating the reply; the server does not, however, make any changes
to the option 82 information in the packet header. The switch receives the reply and
then removes the DHCP option 82 information before forwarding the reply to the
client.
The remaining statements are explained separately.

Default
Insertion of DHCP option 82 information is not enabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138
Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160
[edit forwarding options] Configuration Statement Hierarchy on page 44
RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

dhcp-trusted

Syntax
(dhcp-trusted | no-dhcp-trusted);

Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Allow DHCP responses from the specified interfaces (ports) or all interfaces.
dhcp-trusted: Allow DHCP responses.
no-dhcp-trusted: Deny DHCP responses.

Default
Trusted for trunk ports, untrusted for access ports.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 1098
Enabling a Trusted DHCP Server (CLI Procedure) on page 1156
Enabling a Trusted DHCP Server (J-Web Procedure) on page 1156

disable-timeout

Syntax
disable-timeout timeout;

Hierarchy Level
[edit ethernet-switching-options port-error-disable]

Release Information
Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
Specify how long the Ethernet-switching interfaces remain in a disabled state due to
MAC limiting, MAC move limiting, or storm control errors.

Default
The disable timeout is not enabled.

Options
timeout: Amount of time, in seconds, that the disabled state remains in effect. The
disabled interface is automatically restored to service when the specified timeout
is reached.
Range: 10 through 3600 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring Port Security (CLI Procedure) on page 1150
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558
Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 527

ethernet-switching-options

Syntax
ethernet-switching-options {
  analyzer {
    name {
      loss-priority priority;
      ratio number;
      input {
        ingress {
          interface (all | interface-name);
          vlan (vlan-id | vlan-name);
        }
        egress {
          interface (all | interface-name);
        }
      }
      output {
        interface interface-name;
        vlan (vlan-id | vlan-name);
      }
    }
  }
  bpdu-block {
    disable-timeout timeout;
    interface (all | [interface-name]);
  }
  dot1q-tunneling {
    ether-type (0x8100 | 0x88a8 | 0x9100);
  }
  interfaces interface-name {
    no-mac-learning;
  }
  mac-table-aging-time seconds;
  port-error-disable {
    disable-timeout timeout;
  }
  redundant-trunk-group {
    group-name name {
      interface interface-name <primary>;
      interface interface-name;
    }
  }
  secure-access-port {
    dhcp-snooping-file {
      location local_pathname | remote_URL;
      timeout seconds;
      write-interval seconds;
    }
    interface (all | interface-name) {
      allowed-mac {
        mac-address-list;
      }
      (dhcp-trusted | no-dhcp-trusted);
      mac-limit limit action action;
      no-allowed-mac-log;
      static-ip ip-address {
        vlan vlan-name;
        mac mac-address;
      }
    }
    vlan (all | vlan-name) {
      (arp-inspection | no-arp-inspection);
      dhcp-option82 {
        circuit-id {
          prefix hostname;
          use-interface-description;
          use-vlan-id;
        }
        remote-id {
          prefix hostname | mac | none;
          use-interface-description;
          use-string string;
        }
        vendor-id <string>;
      }
      (examine-dhcp | no-examine-dhcp);
      (ip-source-guard | no-ip-source-guard);
      mac-move-limit limit action action;
    }
  }
  storm-control {
    interface (all | interface-name) {
      level level;
      no-broadcast;
      no-unknown-unicast;
    }
  }
  traceoptions {
    file filename <files number> <no-stamp> <replace> <size size> <world-readable |
      no-world-readable>;
    flag flag <disable>;
  }
  unknown-unicast-forwarding {
    vlan (all | vlan-name) {
      interface interface-name;
    }
  }
  voip {
    interface (all | [interface-name | access-ports]) {
      vlan vlan-name;
      forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
        network-control>;
    }
  }
}

Hierarchy Level
[edit]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Support for storm control and BPDU protection added in JUNOS Release 9.1 for EX
Series switches.
Option ip-source-guard added in JUNOS Release 9.2 for EX Series switches.
Options dhcp-option82, dot1q-tunneling, and no-allowed-mac-log added in JUNOS Release
9.3 for EX Series switches.
Options dhcp-snooping-file and mac-table-aging-time introduced in JUNOS Release 9.4
for EX Series switches.
Options interfaces and no-mac-learning introduced in JUNOS Release 9.5 for EX Series
switches.
Options port-error-disable and disable-timeout introduced in JUNOS Release 9.6 for
EX Series switches.

Description
Configure Ethernet switching options.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Port Mirroring on EX Series Switches Overview on page 1595
Port Security for EX Series Switches Overview on page 1063
Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 574
Understanding Redundant Trunk Links on EX Series Switches on page 473
Understanding Storm Control on EX Series Switches on page 475
Understanding 802.1X and VoIP on EX Series Switches on page 879
Understanding Q-in-Q Tunneling on EX Series Switches on page 477
Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

examine-dhcp

Syntax
(examine-dhcp | no-examine-dhcp);

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Enable DHCP snooping on all VLANs or on the specified VLAN.
examine-dhcp: Enable DHCP snooping.
no-examine-dhcp: Disable DHCP snooping.

Default
Disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087
Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 1112
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 1105
Enabling DHCP Snooping (CLI Procedure) on page 1154
Enabling DHCP Snooping (J-Web Procedure) on page 1155

interface

Syntax
interface (all | interface-name) {
  allowed-mac {
    mac-address-list;
  }
  (dhcp-trusted | no-dhcp-trusted);
  mac-limit limit action action;
  no-allowed-mac-log;
  static-ip ip-address {
    vlan vlan-name;
    mac mac-address;
  }
}

Hierarchy Level
[edit ethernet-switching-options secure-access-port]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
static-ip introduced in JUNOS Release 9.2 for EX Series switches.
no-allowed-mac-log introduced in JUNOS Release 9.3 for EX Series switches.

Description
Apply port security features to all interfaces or to the specified interface.
The statements are explained separately.

Options
all: Apply port security features to all interfaces.
interface-name: Apply port security features to the specified interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 1109
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 1094
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 1101
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 1098
Configuring MAC Limiting (CLI Procedure) on page 1165
Enabling a Trusted DHCP Server (CLI Procedure) on page 1156
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 1175

ip-source-guard

Syntax
(ip-source-guard | no-ip-source-guard);

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]

Release Information
Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description
Perform IP source guard checking on packets sent from access interfaces. Validate
source IP addresses and source MAC addresses on all VLANs or on the specified
VLAN or VLAN range. Forward packets with valid addresses and drop those with
invalid addresses.
ip-source-guard: Enable IP source guard checking.
no-ip-source-guard: Disable IP source guard checking.

Default
Disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN on page 1128
Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 1120
Configuring IP Source Guard (CLI Procedure) on page 1173

mac

Syntax
mac mac-address;

Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip
ip-address vlan vlan-name]

Release Information
Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description
Media access control (MAC) address, or hardware address, for the device connected
to the specified interface.

Options
mac-address: Value (in hexadecimal format) for the address assigned to this device.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 1175

mac-limit

Syntax
mac-limit limit action action;

Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
The default value for the action option was changed in JUNOS Release 9.5 for EX
Series switches.
The shutdown option was modified in JUNOS Release 9.6 for EX Series switches.

Description
Specify the number of MAC addresses to dynamically add to the MAC address cache
for this access interface (port) and the action to be taken by the switch if the MAC
address learning limit is exceeded on the interface (port).

Default
The default action is drop.

Options
limit: Maximum number of MAC addresses.
action action: (Optional) Action to take when the MAC address limit is exceeded:
  drop: Drop the packet and generate an alarm, an SNMP trap, or a system log
  entry. This is the default.
  log: Do not drop the packet but generate an alarm, an SNMP trap, or a system
  log entry.
  none: No action.
  shutdown: Disable the interface and generate an alarm. If you have configured
  the switch with the port-error-disable statement, the disabled interface recovers
  automatically upon expiration of the specified disable timeout. If you have not
  configured the switch for autorecovery from port error disabled conditions, you
  can bring up the disabled interfaces by running the clear ethernet-switching
  port-error command.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
allowed-mac
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 1094
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 1101
Configuring MAC Limiting (CLI Procedure) on page 1165
Configuring MAC Limiting (J-Web Procedure) on page 1167
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558

mac-move-limit

Syntax
mac-move-limit limit action action;

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
The default value for the action option was changed in JUNOS Release 9.5 for EX
Series switches.
The shutdown option was modified in JUNOS Release 9.6 for EX Series switches.

Description
Specify the number of times a MAC address can move to a new interface (port) in 1
second and the action to be taken by the switch if the MAC address move limit is
exceeded.

Default
The default move limit is unlimited. The default action is drop.

Options
limit: Maximum number of moves to a new interface per second.
action action: (Optional) Action to take when the MAC address move limit is reached:
  drop: Drop the packet and generate an alarm, an SNMP trap, or a system log
  entry. This is the default.
  log: Do not drop the packet but generate an alarm, an SNMP trap, or a system
  log entry.
  none: No action.
  shutdown: Disable the VLAN and generate an alarm. If you have configured the
  switch with the port-error-disable statement, the disabled interfaces recover
  automatically upon expiration of the specified disable timeout. If you have not
  configured the switch for autorecovery from port error disabled conditions, you
  can bring up the disabled interfaces by running the clear ethernet-switching
  port-error command.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
mac-limit
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087
Configuring MAC Move Limiting (CLI Procedure) on page 1169
Configuring MAC Move Limiting (J-Web Procedure) on page 1171
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 558
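The mac-limit, mac-move-limit and disable-timeout entries describe one recovery mechanism: an interface (or VLAN) shut down for a MAC limiting or MAC move limiting violation returns to service on its own only when port-error-disable is configured. The configuration below is an added example, not configuration taken from this guide; the interface names, the VLAN name employee-vlan, the limit values and the MAC addresses are constructed.

```junos
ethernet-switching-options {
    /* Added example. With this stanza, interfaces that mac-limit, mac-move-limit
       or storm control shut down are restored after 300 seconds (allowed range
       10 through 3600). Without it, a shut-down interface stays down until the
       operator runs: clear ethernet-switching port-error */
    port-error-disable {
        disable-timeout 300;
    }
    secure-access-port {
        /* Constructed access port: at most 4 dynamically learned MAC addresses.
           A fifth source address disables the port and raises an alarm; the port
           recovers through the disable-timeout above. */
        interface ge-0/0/1 {
            mac-limit 4 action shutdown;
        }
        /* Constructed port with a fixed device list (JUNOS bracket form of a
           list). The two allowed addresses take precedence over dynamically
           learned ones, and because no-allowed-mac-log is not set the switch
           still logs packets from any other source address, which is the
           signal a SOC wants to see. */
        interface ge-0/0/2 {
            allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 ];
            mac-limit 2 action drop;
        }
        /* Constructed VLAN: a MAC address that moves between ports more than
           5 times in one second triggers shutdown of the VLAN with an alarm;
           the disabled interfaces recover through the disable-timeout above. */
        vlan employee-vlan {
            mac-move-limit 5 action shutdown;
        }
    }
}
```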

no-allowed-mac-log

Syntax
no-allowed-mac-log;

Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Specify that the switch does not log messages when it receives packets from invalid
MAC addresses on an interface that has been configured for particular (allowed) MAC
addresses.

Default
The switch logs messages when it receives packets from invalid MAC addresses on
an interface that has been configured for particular (allowed) MAC addresses.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
allowed-mac
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 1109
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 1101
Configuring MAC Limiting (CLI Procedure) on page 1165
Configuring MAC Limiting (J-Web Procedure) on page 1167

no-gratuitous-arp-request

Syntax
no-gratuitous-arp-request;

Hierarchy Level
[edit interfaces interface-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure the switch not to respond to gratuitous ARP requests. You can disable
responses to gratuitous ARP requests on both Layer 2 Ethernet switching interfaces
and routed VLAN interfaces (RVIs).

Default
Gratuitous ARP responses are enabled on all Ethernet switching interfaces and RVIs.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring Unrestricted Proxy ARP on an EX Series Switch on page 1142
Configuring Unrestricted Proxy ARP (CLI Procedure) on page 1176

prefix

Syntax
prefix hostname;

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82
circuit-id]
[edit forwarding-options helpers bootp dhcp-option82 circuit-id]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82 circuit-id]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure an optional prefix for the circuit ID suboption in the DHCP option 82
information that is inserted by the switch into the packet header of a DHCP request
before it forwards or relays the request to a DHCP server.

Default
If prefix is not explicitly specified, no prefix is appended to the circuit ID. When prefix
is specified, it is specified as prefix hostname (and the value is the hostname of the
switch).

Options
hostname: Name of the host system (the switch) that is forwarding or relaying the
DHCP request from the DHCP client to the DHCP server.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138
Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160
[edit forwarding options] Configuration Statement Hierarchy on page 44
RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

prefix

Syntax
prefix hostname | mac | none;

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82
remote-id]
[edit forwarding-options helpers bootp dhcp-option82 remote-id]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure an optional prefix for the remote ID suboption in the DHCP option 82
information that is inserted by the switch into the packet header of a DHCP request
before it forwards or relays the request to a DHCP server.

Default
If prefix is not explicitly specified, no prefix is appended to the remote ID.

Options
hostname: Name of the host system (the switch) that is forwarding or relaying the
DHCP request from the DHCP client to the DHCP server.
mac: MAC address of the host system (the switch) that is forwarding or relaying the
DHCP request from the DHCP client to the DHCP server.
none: No prefix is applied to the remote ID.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138
Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160
[edit forwarding options] Configuration Statement Hierarchy on page 44
RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

proxy-arp

Syntax
proxy-arp;

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number]

Release Information
Statement introduced in JUNOS Release 9.6 for EX Series switches.

Description
Configure the switch to respond to an ARP request as long as the switch has an active
route to the ARP request's target (destination). The destination address can be local
or remote. If you enable proxy ARP, it is automatically enabled in unrestricted mode.

NOTE: If proxy ARP is enabled on a single interface, it applies automatically to all
Ethernet switching interfaces on the switch.

Default
Proxy ARP is not enabled. The switch responds to an ARP request only if the IP
address of the destination device is configured on the switch.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring Unrestricted Proxy ARP on an EX Series Switch on page 1142
Configuring Unrestricted Proxy ARP (CLI Procedure) on page 1176

remote-id

Syntax
remote-id {
  prefix hostname | mac | none;
  use-interface-description;
  use-string string;
}

Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82]
[edit forwarding-options helpers bootp dhcp-option82]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Insert the remote-id suboption of DHCP option 82 (also known as the DHCP relay
agent information option) in DHCP request packet headers before forwarding or
relaying requests to a DHCP server. This suboption provides a trusted identifier for
the host system that has forwarded or relayed requests to the server.
The remaining statements are explained separately.

Default
If remote-id is not explicitly set, no remote ID value is inserted in the DHCP request
packet header. If the remote-id option is specified but is not qualified by a keyword,
the MAC address of the host device (the switch) is used as the remote ID.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138
Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160
[edit forwarding options] Configuration Statement Hierarchy on page 44
RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
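How the dhcp-option82, circuit-id, remote-id and prefix statements fit together, as an added example rather than configuration from this guide. It shows both placements named in their hierarchy levels: the switch forwarding DHCP at Layer 2 with no relay agent (secure-access-port) and the switch acting as the relay agent itself (forwarding-options helpers bootp). Interface ge-0/0/23, the VLAN employee-vlan and the remote-id string are constructed values.

```junos
/* Case 1 (added example): no relay agent. The switch snoops DHCP on the client
   VLAN and inserts option 82 before forwarding requests toward the server;
   the server's reply is stripped of option 82 before it reaches the client. */
ethernet-switching-options {
    secure-access-port {
        /* Constructed uplink toward the DHCP server. Access ports are untrusted
           by default, so this is the only port that may deliver DHCP replies. */
        interface ge-0/0/23 {
            dhcp-trusted;
        }
        vlan employee-vlan {
            examine-dhcp;
            dhcp-option82 {
                /* Suboption 1 keeps its default interface-name:vlan-name form,
                   prefixed with this switch's hostname so the server can tell
                   which switch the circuit belongs to. */
                circuit-id {
                    prefix hostname;
                }
                /* Suboption 2: a fixed, operator-chosen identifier for this
                   switch (constructed value). */
                remote-id {
                    use-string "floor3-closet-B";
                }
            }
        }
    }
}
/* Case 2 (added example): the switch is itself the DHCP relay agent. The same
   suboptions go under the relay hierarchy; remote-id with no keyword makes the
   switch's own MAC address the remote ID. The relay itself (server address and
   the interfaces it serves) is configured separately under
   [edit forwarding-options helpers bootp] and is not shown here. */
forwarding-options {
    helpers {
        bootp {
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                }
                remote-id;
            }
        }
    }
}
```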

secure-access-port
Syntax

Hierarchy Level

secure-access-port {
dhcp-snooping-file {
location local_pathname | remote_URL;
timeout seconds;
write-interval seconds;
}
interface (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted);
mac-limit limit action action;
no-allowed-mac-log;
static-ip ip-address {
vlan vlan-name;
mac mac-address;
}
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection);
dhcp-option82 {
circuit-id {
prefix hostname;
use-interface-description;
use-vlan-id;
}
remote-id {
prefix hostname | mac | none;
use-interface-description;
use-string string;
}
vendor-id <string>;
}
(examine-dhcp | no-examine-dhcp);
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.


Options static-ip and ip-source-guard introduced in JUNOS Release 9.2 for EX Series
switches.
Options dhcp-option82 and no-allowed-mac-log introduced in JUNOS Release 9.3 for
EX Series switches.
Option dhcp-snooping-file introduced in JUNOS Release 9.4 for EX Series switches.

Description

Configure port security features, including MAC limiting and whether interfaces can
receive DHCP responses, and apply dynamic ARP inspection, DHCP snooping, IP

secure-access-port

1221

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

source guard, DHCP option 82, and MAC move limiting to no VLANs, specific VLANs,
or all VLANs.
The remaining statements are explained separately.
Required Privilege Level
Related Topics

1222

routingTo view this statement in the configuration.


routing-controlTo add this statement to the configuration.

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX Series


Switch with Access to a DHCP Server Through a Second Switch on page 1112

Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface


with a Voice VLAN on page 1128

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay


Agent Between Clients and DHCP Server on page 1138

Understanding How to Protect Access Ports on EX Series Switches from Common


Attacks on page 1065

Understanding DHCP Snooping for Port Security on EX Series Switches on page


1067

secure-access-port

static-ip

Syntax

static-ip ip-address {
    vlan vlan-name;
    mac mac-address;
}

Hierarchy Level

[edit ethernet-switching-options secure-access-port interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description

Static (fixed) IP address and static MAC address, with an associated VLAN, added to the DHCP snooping database.

Options

ip-address: IP address assigned to a device connected on the specified interface.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 1175

traceoptions

Syntax

traceoptions {
    file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
    flag flag <disable>;
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description

Define global tracing operations for access security features on Ethernet switches.

Default

The traceoptions feature is disabled by default.

Options

disable: (Optional) Disable the tracing operation. You can use this option to disable a single operation when you have defined a broad group of tracing operations, such as all.

file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.

files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached, at which point the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:

access-security: Trace access security events.
all: All tracing operations.
config-internals: Trace internal configuration operations.
forwarding-database: Trace forwarding database and next-hop events.
general: Trace general events.
interface: Trace interface events.
ip-source-guard: Trace IP source guard events.
krt: Trace communications over routing sockets.
lib: Trace library calls.
normal: Trace normal events.
parse: Trace reading of the configuration.
regex-parse: Trace regular-expression parsing operations.
rtg: Trace redundant trunk group events.
state: Trace state transitions.
stp: Trace spanning-tree events.
task: Trace Ethernet-switching task processing.
timer: Trace Ethernet-switching timer processing.
vlan: Trace VLAN events.

no-stamp: (Optional) Do not timestamp the trace file.
Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output.

no-world-readable: (Optional) Restrict file access to the user who created the file.

replace: (Optional) Replace an existing trace file if there is one rather than appending to it.
Default: If you do not include this option, tracing output is appended to an existing trace file.

size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes
Range: 10 KB through 1 gigabyte
Default: 128 KB

world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Security for EX Series Switches Overview on page 1063

EX Series Switches Interfaces Overview on page 339

Understanding IP Source Guard for Port Security on EX Series Switches on page 1082

Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding STP for EX Series Switches on page 571

Understanding Bridging and VLANs on EX Series Switches on page 467

use-interface-description

Syntax

use-interface-description;

Hierarchy Level

[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 circuit-id]
[edit forwarding-options helpers bootp dhcp-option82 circuit-id]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82 circuit-id]
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 remote-id]
[edit forwarding-options helpers bootp dhcp-option82 remote-id]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]

Release Information

Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description

Use the interface description rather than the interface name (the default) in the circuit ID or remote ID value in the DHCP option 82 information.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160

[edit forwarding-options] Configuration Statement Hierarchy on page 44

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

use-string

Syntax

use-string string;

Hierarchy Level

[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 remote-id]
[edit forwarding-options helpers bootp dhcp-option82 remote-id]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]

Release Information

Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description

Use a string rather than the MAC address of the host system (the default) in the remote ID value in the DHCP option 82 information.

Options

string: Character string used as the remote ID value.
Range: 1 through 255 characters

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160

[edit forwarding-options] Configuration Statement Hierarchy on page 44

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

use-vlan-id

Syntax

use-vlan-id;

Release Information

Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description

Use the VLAN ID rather than the VLAN name (the default) in the circuit ID value in the DHCP option 82 information.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160

[edit forwarding-options] Configuration Statement Hierarchy on page 44

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

vendor-id

Syntax

vendor-id <string>;

Hierarchy Level

[edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82]
[edit forwarding-options helpers bootp dhcp-option82]
[edit forwarding-options helpers bootp interface interface-name dhcp-option82]

Release Information

Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description

Insert a vendor ID in the DHCP option 82 information in a DHCP request packet header before forwarding or relaying the request to a DHCP server.

Default

If vendor-id is not explicitly configured for DHCP option 82, no vendor ID is set.

Options

string: (Optional) A single string that designates the vendor ID.
Range: 1 through 255 characters
Default: If you specify vendor-id with no string value, the default vendor ID Juniper is configured.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138

Example: Setting Up DHCP Option 82 with an EX Series Switch as Relay Agent Between Clients and a DHCP Server on page 1135

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1160

[edit forwarding-options] Configuration Statement Hierarchy on page 44
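The circuit-id, remote-id and vendor-id statements above decide what the switch places in the DHCP relay agent information option (option 82, RFC 3046). The following Python is an added example, not code from this guide or from JUNOS: it encodes and decodes the option as a DHCP server or log analyst receives it and checks, on the server side, that the remote ID names a switch the operator trusts. The sample circuit ID (interface name and VLAN name joined with ":"), the remote ID string and the trusted-ID set are constructed assumptions.

```python
# Added example (not JUNOS code): encode/decode DHCP option 82 (RFC 3046) and
# check the remote ID the way a DHCP server could. Sample values are constructed.

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1   # Agent Circuit ID, RFC 3046 section 3.1
SUBOPT_REMOTE_ID = 2    # Agent Remote ID, RFC 3046 section 3.2


def encode_option82(circuit_id, remote_id=None):
    """Build the option 82 TLV: a circuit-id sub-option plus an optional remote-id.
    remote_id=None models a switch on which remote-id is not configured, so no
    remote ID sub-option is inserted (see the remote-id Default above).
    bytes([...]) raises ValueError by itself for a sub-option longer than 255."""
    body = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds 255 bytes")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def decode_option82(option):
    """Parse an option 82 TLV into {sub-option code: value}.
    Every length is checked against the enclosing length so a truncated or
    oversized sub-option is rejected instead of reading past the option."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    length = option[1]
    if len(option) != 2 + length:
        raise ValueError("option length does not match payload")
    subs = {}
    pos, end = 2, 2 + length
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated sub-option header")
        code, sublen = option[pos], option[pos + 1]
        if pos + 2 + sublen > end:
            raise ValueError("sub-option %d runs past option end" % code)
        subs[code] = option[pos + 2:pos + 2 + sublen]
        pos += 2 + sublen
    return subs


def is_well_formed(option):
    """True if decode_option82 accepts the bytes."""
    try:
        decode_option82(option)
    except ValueError:
        return False
    return True


def check_remote_id(option, trusted_remote_ids):
    """Server-side policy: accept only if a remote-id sub-option is present and
    matches one of the operator's own switches. Malformed data and a missing
    remote ID are both rejected."""
    try:
        subs = decode_option82(option)
    except ValueError:
        return False
    return subs.get(SUBOPT_REMOTE_ID) in trusted_remote_ids


# Constructed sample: default circuit ID from interface name and VLAN name
# (the ":" separator is an assumption) and a remote ID set with use-string.
SAMPLE_CIRCUIT_ID = b"ge-0/0/12.0:guest"
SAMPLE_REMOTE_ID = b"access-switch-1"
SAMPLE_OPTION = encode_option82(SAMPLE_CIRCUIT_ID, SAMPLE_REMOTE_ID)
TRUSTED_REMOTE_IDS = {SAMPLE_REMOTE_ID}   # constructed allow-list

if __name__ == "__main__":
    print(decode_option82(SAMPLE_OPTION))
    print("trusted:", check_remote_id(SAMPLE_OPTION, TRUSTED_REMOTE_IDS))
```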

vlan

Syntax

vlan (all | vlan-name) {
    (arp-inspection | no-arp-inspection);
    dhcp-option82 {
        circuit-id {
            prefix hostname;
            use-interface-description;
            use-vlan-id;
        }
        remote-id {
            prefix hostname | mac | none;
            use-interface-description;
            use-string string;
        }
        vendor-id <string>;
    }
    (examine-dhcp | no-examine-dhcp);
    (ip-source-guard | no-ip-source-guard);
    mac-move-limit limit action action;
}

Hierarchy Level

[edit ethernet-switching-options secure-access-port]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Option ip-source-guard introduced in JUNOS Release 9.2 for EX Series switches.
Option dhcp-option82 introduced in JUNOS Release 9.3 for EX Series switches.
Statement updated with enhanced ? (CLI completion feature) functionality in JUNOS Release 9.5 for EX Series switches.

Description

Apply DHCP snooping, dynamic ARP inspection (DAI), IP source guard, DHCP option 82, and MAC move limiting.

The remaining statements are explained separately.

TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range.

Options

all: Apply DHCP snooping, DAI, IP source guard, DHCP option 82, and MAC move limiting to all VLANs.

vlan-name: Apply DHCP snooping, DAI, IP source guard, DHCP option 82, and MAC move limiting to the specified VLAN.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 1120

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server on page 1138

Enabling Dynamic ARP Inspection (CLI Procedure) on page 1163

Enabling DHCP Snooping (CLI Procedure) on page 1154

Configuring IP Source Guard (CLI Procedure) on page 1173

Configuring MAC Move Limiting (CLI Procedure) on page 1169

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 1157

vlan

Syntax

vlan vlan-name;

Hierarchy Level

[edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip ip-address]

Release Information

Statement introduced in JUNOS Release 9.2 for EX Series switches.

Description

Associate the static IP address with the specified VLAN associated with the specified interface.

Options

vlan-name: Name of a specific VLAN associated with the specified interface.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 1175

Chapter 61

Operational Mode Commands for Port Security

clear arp inspection statistics

Syntax

clear arp inspection statistics

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Clear ARP inspection statistics.

Required Privilege Level

clear

Related Topics

show arp inspection statistics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That DAI Is Working Correctly on page 1182

List of Sample Output

clear arp inspection statistics on page 1234

Output Fields

This command produces no output.

Sample Output

clear arp inspection statistics

user@switch> clear arp inspection statistics

clear dhcp snooping binding

Syntax

clear dhcp snooping binding
<mac (all | mac-address)>
<vlan (all | vlan-name)>
<vlan (all | vlan-name) mac (all | mac-address)>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Clear the DHCP snooping database information.

Options

mac (all | mac-address): (Optional) Clear DHCP snooping information for the specified MAC address or all MAC addresses.

vlan (all | vlan-name): (Optional) Clear DHCP snooping information for the specified VLAN or all VLANs.

Required Privilege Level

clear

Related Topics

show dhcp snooping binding

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That DHCP Snooping Is Working Correctly on page 1180

List of Sample Output

clear dhcp snooping binding on page 1235

Output Fields

This command produces no output.

Sample Output

clear dhcp snooping binding

user@switch> clear dhcp snooping binding

show arp inspection statistics

Syntax

show arp inspection statistics

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display ARP inspection statistics.

Required Privilege Level

view

Related Topics

clear arp inspection statistics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That DAI Is Working Correctly on page 1182

List of Sample Output

show arp inspection statistics on page 1236

Output Fields

Table 153 on page 1236 lists the output fields for the show arp inspection statistics command. Output fields are listed in the approximate order in which they appear.

Table 153: show arp inspection statistics Output Fields

Field Name            | Field Description                                      | Level of Output
----------------------|--------------------------------------------------------|----------------
Interface             | Interface on which ARP inspection has been applied.    | All levels
Packets received      | Total number of packets that underwent ARP inspection. | All levels
ARP inspection pass   | Total number of packets that passed ARP inspection.    | All levels
ARP inspection failed | Total number of packets that failed ARP inspection.    | All levels

Sample Output

show arp inspection statistics

user@switch> show arp inspection statistics
Interface   Packets received   ARP inspection pass   ARP inspection failed
---------   ----------------   -------------------   ---------------------
ge-0/0/0    0                  0                     0
ge-0/0/1    0                  0                     0
ge-0/0/2    0                  0                     0
ge-0/0/3    0                  0                     0
ge-0/0/4    0                  0                     0
ge-0/0/5    0                  0                     0
ge-0/0/6    0                  0                     0
ge-0/0/7    703                701                   2
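A monitoring use for the counters above, as an added example that is not part of this guide: parse the show arp inspection statistics output into per-interface counters, flag interfaces on which ARP inspection is failing packets, and compute the failures since an earlier snapshot while allowing for the counters having been reset with clear arp inspection statistics. The sample output is constructed to match the layout shown above.

```python
# Added example (not JUNOS code): parse 'show arp inspection statistics' and
# report interfaces with ARP inspection failures. SAMPLE_OUTPUT is constructed.
import re

SAMPLE_OUTPUT = """\
Interface  Packets received  ARP inspection pass  ARP inspection failed
---------  ----------------  -------------------  ---------------------
ge-0/0/0   0                 0                    0
ge-0/0/1   0                 0                    0
ge-0/0/7   703               701                  2
"""

# One data row: an interface name followed by three integer counters. The
# header line and the dashed rule do not match, so they are skipped.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_arp_inspection_stats(text):
    """Map interface -> (received, passed, failed) from the command output."""
    stats = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            iface, received, passed, failed = match.groups()
            stats[iface] = (int(received), int(passed), int(failed))
    return stats


def interfaces_with_failures(stats, threshold=0):
    """Interfaces whose failed counter is above the threshold, sorted by name."""
    return sorted(iface for iface, (_, _, failed) in stats.items()
                  if failed > threshold)


def inconsistent_counters(stats):
    """Interfaces where pass + failed != received; a mismatch deserves a closer look."""
    return sorted(iface for iface, (recv, passed, failed) in stats.items()
                  if passed + failed != recv)


def failures_since(previous, current):
    """New failures per interface between two snapshots. The counters are
    cumulative, so a value lower than before means they were cleared in the
    meantime (for example with 'clear arp inspection statistics'); in that case
    everything in the current snapshot is new."""
    delta = {}
    for iface, (_, _, failed_now) in current.items():
        failed_before = previous.get(iface, (0, 0, 0))[2]
        delta[iface] = (failed_now if failed_now < failed_before
                        else failed_now - failed_before)
    return delta


def alert_lines(previous, current, threshold=0):
    """Readable alert lines for interfaces with new failures above the threshold."""
    return ["%s: %d new ARP inspection failure(s)" % (iface, n)
            for iface, n in sorted(failures_since(previous, current).items())
            if n > threshold]


if __name__ == "__main__":
    snapshot = parse_arp_inspection_stats(SAMPLE_OUTPUT)
    print("failing:", interfaces_with_failures(snapshot))
```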

show dhcp snooping binding

Syntax

show dhcp snooping binding

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display the DHCP snooping database information.

Required Privilege Level

view

Related Topics

clear dhcp snooping binding

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 1087

Verifying That DHCP Snooping Is Working Correctly on page 1180

List of Sample Output

show dhcp snooping binding on page 1237

Output Fields

Table 154 on page 1237 lists the output fields for the show dhcp snooping binding command. Output fields are listed in the approximate order in which they appear.

Table 154: show dhcp snooping binding Output Fields

Field Name  | Field Description                                           | Level of Output
------------|-------------------------------------------------------------|----------------
MAC Address | MAC address of the network device; bound to the IP address. | All levels
IP Address  | IP address of the network device; bound to the MAC address. | All levels
Lease       | Lease granted to the IP address.                            | All levels
Type        | How the MAC address was acquired.                           | All levels
VLAN        | VLAN name of the network device whose MAC address is shown. | All levels
Interface   | Interface address (port).                                   | All levels

Sample Output

show dhcp snooping binding

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease   Type      VLAN    Interface
-----------------   ----------   -----   -------   -----   -----------
00:00:01:00:00:03   192.0.2.0    640     dynamic   guest   ge-0/0/12.0
00:00:01:00:00:04   192.0.2.1    720     dynamic   guest   ge-0/0/12.0
00:00:01:00:00:05   192.0.2.5    800     dynamic   guest   ge-0/0/13.0

show ethernet-switching table

Syntax

show ethernet-switching table
<brief | detail | extensive | summary>
<interface interface-name>
<management-vlan>
<vlan (vlan-name)>

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.
Options summary, management-vlan, and vlan vlan-name introduced in JUNOS Release 9.6 for EX Series switches.

Description

Display the Ethernet switching table.

Options

none: (Optional) Display brief information about the Ethernet switching table.

brief | detail | extensive | summary: (Optional) Display the specified level of output.

management-vlan: (Optional) Display the Ethernet switching table for a management VLAN.

interface interface-name: (Optional) Display the Ethernet switching table for a specific interface.

vlan vlan-name: (Optional) Display the Ethernet switching table for a specific VLAN.

Required Privilege Level

view

Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 483

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 490

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 530

List of Sample Output

show ethernet-switching table on page 1239
show ethernet-switching table brief on page 1239
show ethernet-switching table detail on page 1240
show ethernet-switching table extensive on page 1241
show ethernet-switching table interface ge-0/0/1 on page 1243

Output Fields

Table 155 on page 1238 lists the output fields for the show ethernet-switching table command. Output fields are listed in the approximate order in which they appear.

Table 155: show ethernet-switching table Output Fields

Field Name  | Field Description | Level of Output
------------|-------------------|----------------
VLAN        | The name of a VLAN. | All levels
MAC address | The MAC address associated with the VLAN. | All levels
Type        | The type of MAC address. Values are: static (the MAC address is manually created); learn (the MAC address is learned dynamically from a packet's source MAC address); flood (the MAC address is unknown and flooded to all members). | All levels
Age         | The time remaining before the entry ages out and is removed from the Ethernet switching table. | All levels
Interfaces  | Interface associated with learned MAC addresses or All-members (flood entry). | All levels
Learned     | For learned entries, the time at which the entry was added to the Ethernet switching table. | detail, extensive

Sample Output

show ethernet-switching table

user@switch> show ethernet-switching table
Ethernet-switching table: 57 entries, 17 learned
  VLAN     MAC address        Type    Age Interfaces
  F2       *                  Flood     - All-members
  F2       00:00:05:00:00:03  Learn     0 ge-0/0/44.0
  F2       00:19:e2:50:7d:e0  Static    - Router
  Linux    *                  Flood     - All-members
  Linux    00:19:e2:50:7d:e0  Static    - Router
  Linux    00:30:48:90:54:89  Learn     0 ge-0/0/47.0
  T1       *                  Flood     - All-members
  T1       00:00:05:00:00:01  Learn     0 ge-0/0/46.0
  T1       00:00:5e:00:01:00  Static    - Router
  T1       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T1       00:19:e2:50:7d:e0  Static    - Router
  T10      *                  Flood     - All-members
  T10      00:00:5e:00:01:09  Static    - Router
  T10      00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T10      00:19:e2:50:7d:e0  Static    - Router
  T111     *                  Flood     - All-members
  T111     00:19:e2:50:63:e0  Learn     0 ge-0/0/15.0
  T111     00:19:e2:50:7d:e0  Static    - Router
  T111     00:19:e2:50:ac:00  Learn     0 ge-0/0/15.0
  T2       *                  Flood     - All-members
  T2       00:00:5e:00:01:01  Static    - Router
  T2       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T2       00:19:e2:50:7d:e0  Static    - Router
  T3       *                  Flood     - All-members
  T3       00:00:5e:00:01:02  Static    - Router
  T3       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T3       00:19:e2:50:7d:e0  Static    - Router
  T4       *                  Flood     - All-members
  T4       00:00:5e:00:01:03  Static    - Router
  T4       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  [output truncated]

show ethernet-switching table brief

user@switch> show ethernet-switching table brief
Ethernet-switching table: 57 entries, 17 learned
  VLAN     MAC address        Type    Age Interfaces
  F2       *                  Flood     - All-members
  F2       00:00:05:00:00:03  Learn     0 ge-0/0/44.0
  F2       00:19:e2:50:7d:e0  Static    - Router
  Linux    *                  Flood     - All-members
  Linux    00:19:e2:50:7d:e0  Static    - Router
  Linux    00:30:48:90:54:89  Learn     0 ge-0/0/47.0
  T1       *                  Flood     - All-members
  T1       00:00:05:00:00:01  Learn     0 ge-0/0/46.0
  T1       00:00:5e:00:01:00  Static    - Router
  T1       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T1       00:19:e2:50:7d:e0  Static    - Router
  T10      *                  Flood     - All-members
  T10      00:00:5e:00:01:09  Static    - Router
  T10      00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T10      00:19:e2:50:7d:e0  Static    - Router
  T111     *                  Flood     - All-members
  T111     00:19:e2:50:63:e0  Learn     0 ge-0/0/15.0
  T111     00:19:e2:50:7d:e0  Static    - Router
  T111     00:19:e2:50:ac:00  Learn     0 ge-0/0/15.0
  T2       *                  Flood     - All-members
  T2       00:00:5e:00:01:01  Static    - Router
  T2       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T2       00:19:e2:50:7d:e0  Static    - Router
  T3       *                  Flood     - All-members
  T3       00:00:5e:00:01:02  Static    - Router
  T3       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  T3       00:19:e2:50:7d:e0  Static    - Router
  T4       *                  Flood     - All-members
  T4       00:00:5e:00:01:03  Static    - Router
  T4       00:19:e2:50:63:e0  Learn     0 ge-0/0/46.0
  [output truncated]

show ethernet-switching table detail

user@switch> show ethernet-switching table detail
Ethernet-switching table: 57 entries, 17 learned
  F2, *
    Interface(s): ge-0/0/44.0
    Type: Flood
    Nexthop index: 0
  F2, 00:00:05:00:00:03
    Interface(s): ge-0/0/44.0
    Type: Learn, Age: 0, Learned: 2:03:09
    Nexthop index: 0
  F2, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  Linux, *
    Interface(s): ge-0/0/47.0
    Type: Flood
    Nexthop index: 0
  Linux, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  Linux, 00:30:48:90:54:89
    Interface(s): ge-0/0/47.0
    Type: Learn, Age: 0, Learned: 2:03:08
    Nexthop index: 0
  T1, *
    Interface(s): ge-0/0/46.0
    Type: Flood
    Nexthop index: 0
  T1, 00:00:05:00:00:01
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
    Nexthop index: 0
  T1, 00:00:5e:00:01:00
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T1, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
    Nexthop index: 0
  T1, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T10, *
    Interface(s): ge-0/0/46.0
    Type: Flood
    Nexthop index: 0
  T10, 00:00:5e:00:01:09
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T10, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:08
    Nexthop index: 0
  T10, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T111, *
    Interface(s): ge-0/0/15.0
    Type: Flood
    Nexthop index: 0
  [output truncated]

show ethernet-switching table extensive

user@switch> show ethernet-switching table extensive
Ethernet-switching table: 57 entries, 17 learned
  F2, *
    Interface(s): ge-0/0/44.0
    Type: Flood
    Nexthop index: 0
  F2, 00:00:05:00:00:03
    Interface(s): ge-0/0/44.0
    Type: Learn, Age: 0, Learned: 2:03:09
    Nexthop index: 0
  F2, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  Linux, *
    Interface(s): ge-0/0/47.0
    Type: Flood
    Nexthop index: 0
  Linux, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  Linux, 00:30:48:90:54:89
    Interface(s): ge-0/0/47.0
    Type: Learn, Age: 0, Learned: 2:03:08
    Nexthop index: 0
  T1, *
    Interface(s): ge-0/0/46.0
    Type: Flood
    Nexthop index: 0
  T1, 00:00:05:00:00:01
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
    Nexthop index: 0
  T1, 00:00:5e:00:01:00
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T1, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
    Nexthop index: 0
  T1, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T10, *
    Interface(s): ge-0/0/46.0
    Type: Flood
    Nexthop index: 0
  T10, 00:00:5e:00:01:09
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T10, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:08
    Nexthop index: 0
  T10, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
    Nexthop index: 0
  T111, *
    Interface(s): ge-0/0/15.0
    Type: Flood
    Nexthop index: 0
  [output truncated]

show ethernet-switching table interface ge-0/0/1

user@switch> show ethernet-switching table interface ge-0/0/1
Ethernet-switching table: 1 unicast entries
  VLAN     MAC address        Type    Age Interfaces
  V1       *                  Flood     - All-members
  V1       00:00:05:00:00:05  Learn     0 ge-0/0/1.0

show ip-source-guard

Syntax

show ip-source-guard

Release Information

Command introduced in JUNOS Release 9.2 for EX Series switches.

Description

Display IP source guard database information.

Required Privilege Level

view

Related Topics

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN on page 1128

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 1120

Verifying That IP Source Guard Is Working Correctly on page 1188

List of Sample Output

show ip-source-guard on page 1244

Output Fields

Table 156 on page 1244 lists the output fields for the show ip-source-guard command. Output fields are listed in the approximate order in which they appear.

Table 156: show ip-source-guard Output Fields

Field Name  | Field Description
------------|------------------
VLAN        | VLAN on which IP source guard is enabled.
Interface   | Access interface associated with the VLAN in column 1.
Tag         | VLAN ID for the VLAN in column 1. Possible values are 0, indicating the VLAN is not tagged, and 1 through 4093.
IP Address  | Source IP address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard.
MAC Address | Source MAC address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard.

Sample Output

show ip-source-guard

user@switch> show ip-source-guard
IP source guard information:
Interface     Tag   IP Address   MAC Address         VLAN
ge-0/0/12.0         10.10.10.7   00:30:48:92:A5:9D   vlan100
ge-0/0/13.0         10.10.10.9   00:30:48:8D:01:3D   vlan100
ge-0/0/13.0   100   *            *                   voice

show system statistics arp

Syntax                     show system statistics arp

Release Information        Command introduced in JUNOS Release 9.6 for EX Series switches.

Description                Display system-wide Address Resolution Protocol (ARP) statistics.

Required Privilege Level   view

Related Topics             Example: Configuring Unrestricted Proxy ARP on an EX Series Switch on page 1142
                           Verifying That Unrestricted Proxy ARP Is Working Correctly on page 1190

Sample Output

show system statistics arp

user@switch> show system statistics arp
arp:
        198319 datagrams received
        45 ARP requests received
        12 ARP replys received
        2 resolution requests received
        2 unrestricted proxy requests
        0 restricted proxy requests
        0 received proxy requests
        0 proxy requests not proxied
        0 restricted-proxy requests not proxied
        0 with bogus interface
        0 with incorrect length
        0 for non-IP protocol
        0 with unsupported op code
        0 with bad protocol address length
        0 with bad hardware address length
        0 with multicast source address
        0 with multicast target address
        0 with my own hardware address
        168705 for an address not on the interface
        0 with a broadcast source address
        0 with source address duplicate to mine
        29555 which were not for me
        0 packets discarded waiting for resolution
        4 packets sent after waiting for resolution
        27 ARP requests sent
        47 ARP replys sent
        0 requests for memory denied
        0 requests dropped on entry
        0 requests dropped during retry
        0 requests dropped due to interface deletion
        0 requests on unnumbered interfaces
        0 new requests on unnumbered interfaces
        0 replies for from unnumbered interfaces
        0 requests on unnumbered interface with non-subnetted donor
        0 replies from unnumbered interface with non-subnetted donor

Part 13

Routing Policy and Packet Filtering (Firewall Filters)

• Understanding Firewall Filters on page 1249
• Examples of Configuring Firewall Filters on page 1275
• Configuring Firewall Filters on page 1301
• Verifying Firewall Filters on page 1315
• Troubleshooting Firewall Filters on page 1319
• Configuration Statements for Firewall Filters on page 1323
• Operational Mode Commands for Firewall Filters on page 1337

Chapter 62

Understanding Firewall Filters

• Firewall Filters for EX Series Switches Overview on page 1249
• Understanding Planning of Firewall Filters on page 1252
• Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches on page 1254
• Understanding How Firewall Filters Control Packet Flows on page 1255
• Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256
• Understanding How Firewall Filters Are Evaluated on page 1267
• Understanding Firewall Filter Match Conditions on page 1269
• Understanding How Firewall Filters Test a Packet's Protocol on page 1273
• Understanding the Use of Policers in Firewall Filters on page 1274
• Understanding Filter-Based Forwarding for EX Series Switches on page 1274
Firewall Filters for EX Series Switches Overview

Firewall filters provide rules that define whether to permit, deny, or forward packets that are transiting an interface on a Juniper Networks EX Series Ethernet Switch from a source address to a destination address. You configure firewall filters to determine whether to permit, deny, or forward traffic before it enters or exits the port, VLAN, or Layer 3 (routed) interface to which the firewall filter is applied. An ingress firewall filter is applied to packets as they enter the switch through that port, VLAN, or interface; an egress firewall filter is applied to packets as they leave the switch through it. You can configure firewall filters to subject packets to filtering, class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority), and traffic policing (controlling the maximum rate of traffic sent or received on an interface).

• Firewall Filter Types on page 1250
• Firewall Filter Components on page 1250
• Firewall Filter Processing on page 1251


Firewall Filter Types

The following firewall filter types are supported for EX Series switches:

• Port (Layer 2) firewall filter: Port firewall filters apply to Layer 2 switch ports. You can apply port firewall filters in both ingress and egress directions on a physical port.

• VLAN firewall filter: VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, and leave a VLAN. You can apply VLAN firewall filters in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all packets that are forwarded to or forwarded from the VLAN.

• Router (Layer 3) firewall filter: You can apply a router firewall filter in both ingress and egress directions on Layer 3 (routed) interfaces and routed VLAN interfaces (RVIs). You can also apply a router firewall filter in the ingress direction on the loopback interface.

NOTE: Firewall filters configured on the loopback interface are applied to packets arriving on network interfaces only; they are not applied to packets arriving on the management interface (me0).

To apply a firewall filter, you must:

1. Configure the firewall filter.

2. Apply the firewall filter to a port, VLAN, or Layer 3 interface.

Firewall Filter Components

In a firewall filter, you first define the family address type (ethernet-switching or inet), and then you define one or more terms that specify the filtering criteria and the action to take if a match occurs. Each term consists of the following components:

• Match conditions: Specifies the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces.

• Action: Specifies what to do if a packet matches the match conditions. Possible actions are to accept or discard the packet or to send the packet to a specific routing instance (filter-based forwarding). In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.

NOTE: For Juniper Networks EX3200 and EX4200 Ethernet Switches, the maximum number of terms allowed per firewall filter is 2048. For Juniper Networks EX8200 Ethernet Switches, the maximum number of terms allowed per firewall filter is 32768. If you attempt to configure a firewall filter that exceeds these limits, the switch returns an error message when you commit the configuration.

Firewall Filter Processing

The order of the terms within a firewall filter is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. When a firewall filter contains multiple terms, the switch takes a top-down approach and compares a packet against the first term in the firewall filter. If the packet matches the first term, the switch executes the action defined by that term to either permit or deny the packet, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term in the firewall filter by using the same match process, and continues through each successive term until a match is found. If a packet does not match any term in a firewall filter, the default action is to discard the packet. A filter that lists only the traffic to deny therefore discards everything else as well; end such a filter with a term that has no match conditions and an accept action if the remaining traffic is meant to pass.
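The two steps above (configure the filter, then bind it) together with the top-down, first-match, default-discard processing just described, as an added example in Junos configuration syntax. This is not configuration from the original page; the filter and counter names, the port ge-0/0/1, and the 10.0.100.0/24 management subnet are assumptions chosen for illustration.

```junos
firewall {
    family ethernet-switching {
        /* Step 1: a port (Layer 2) filter for an untrusted access port.
           Terms are tested top-down; the first match decides the packet. */
        filter access-port-in {
            /* Nothing on an access port may act as a DHCP server, so frames
               sourced from UDP port 67 are dropped and counted. This deny
               has to precede the accept terms that would otherwise match. */
            term block-rogue-dhcp-server {
                from {
                    protocol udp;
                    source-port bootps;
                }
                then {
                    discard;
                    count rogue-dhcp-server;
                }
            }
            /* Clients may still ask a legitimate DHCP server (UDP port 67). */
            term allow-dhcp-client {
                from {
                    protocol udp;
                    destination-port bootps;
                }
                then {
                    accept;
                    count dhcp-client;
                }
            }
            /* The assumed management subnet is not reachable from user ports. */
            term block-management-subnet {
                from {
                    destination-address 10.0.100.0/24;
                }
                then {
                    discard;
                    count to-management;
                }
            }
            /* A packet matching no term is discarded by default, so a final
               term with no match conditions is what lets other traffic pass. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Step 2: bind the filter to the port in the ingress direction. */
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input access-port-in;
                }
            }
        }
    }
}
```

Verify with show firewall filter access-port-in: a counter that stays at zero while the traffic is present usually means an earlier term is shadowing the one you meant. A VLAN filter is bound with the filter statement under [edit vlans vlan-name], and a router filter under the inet family of the routed interface; a packet is then subject to the port, VLAN, and router filters in that order.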
Related Topics

• Understanding Planning of Firewall Filters on page 1252
• Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches on page 1254
• Understanding How Firewall Filters Are Evaluated on page 1267
• Understanding Firewall Filter Match Conditions on page 1269
• Understanding the Use of Policers in Firewall Filters on page 1274
• Understanding Filter-Based Forwarding for EX Series Switches on page 1274
• Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275
• Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches on page 1295

Understanding Planning of Firewall Filters

Before you create a firewall filter and apply it to an interface, determine what you want the firewall filter to accomplish and how to use its match conditions and actions to achieve your goals. It is important that you understand how packets are matched to match conditions, the default and configured actions of the firewall filter, and proper placement of the firewall filter.

You can configure and apply no more than one firewall filter per port, VLAN, or router interface, per direction. The number of firewall filter terms allowed per filter cannot exceed 2048 on EX3200 and EX4200 switches or 32768 on EX8200 switches. In addition, be conservative in the number of terms (rules) that you include in each firewall filter, because a large number of terms requires longer processing time during a commit and also can make firewall filter testing and troubleshooting more difficult. Similarly, applying firewall filters across many switch and router interfaces can make testing and troubleshooting the rules of those filters difficult.

Before you configure and apply firewall filters, answer the following questions for each of those firewall filters:

1. What is the purpose of the firewall filter?

   For example, you can use a firewall filter to limit traffic to source and destination MAC addresses, specific protocols, or certain data rates, or to prevent denial-of-service (DoS) attacks.

2. What are the appropriate match conditions?

   a. Determine the packet header fields that the packet must contain for a match. Possible fields include:

      • Layer 2 header fields: Source and destination MAC addresses, dot1q tag, Ethernet type, VLAN
      • Layer 3 header fields: Source and destination IP addresses, protocols, and IP options (IP precedence, IP fragmentation flags, TTL type)
      • TCP header fields: Source and destination ports and flags
      • ICMP header fields: Packet type and code

   b. Determine the port, VLAN, or router interface on which the packet was received.

3. What are the appropriate actions to take if a match occurs?

   Possible actions to take if a match occurs are accept, discard, and forward to a routing instance.

4. What additional action modifiers might be required?

   Determine if additional actions are required if a packet matches a match condition; for example, you can specify an action modifier to count, analyze, or police packets.

5. On what interface should the firewall filter be applied?

   Start with the following basic guidelines:

   • If all the packets entering a port need to be exposed to filtering, use port firewall filters.
   • If all the packets that are bridged need filtering, use VLAN firewall filters.
   • If all the packets that are routed need filtering, use router firewall filters.

   Before you choose the interface at which to apply a firewall filter, understand how that placement can affect traffic flow to other interfaces. In general, apply a firewall filter that filters on source and destination IP addresses, IP protocols, or protocol information (such as ICMP message types and TCP and UDP port numbers) nearest to the source devices. However, typically apply a firewall filter that filters only on a source IP address nearest to the destination devices. When applied too close to the source device, a firewall filter that filters only on a source IP address could prevent that source device from accessing other services that are available on the network.

   NOTE: Egress firewall filters do not affect the flow of locally generated control packets from the Routing Engine.

6. In which direction should the firewall filter be applied?

   You can apply firewall filters to ports, VLANs, and Layer 3 (routed) interfaces to filter packets that are entering or exiting the port, VLAN, or routed interface. Typically, you configure different sets of actions for traffic entering an interface than you configure for traffic exiting an interface.

Related Topics

• Firewall Filters for EX Series Switches Overview on page 1249
• Understanding the Use of Policers in Firewall Filters on page 1274
• Understanding How Firewall Filters Are Evaluated on page 1267
• Understanding Filter-Based Forwarding for EX Series Switches on page 1274
• Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275
• Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches on page 1295

Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches

Juniper Networks EX Series Ethernet Switches are multilayer switches that provide Layer 2 switching and Layer 3 routing. You apply firewall filters at multiple processing points in the packet forwarding path on EX Series switches. At each processing point, the action to be taken on a packet is determined based on the results of the lookup in the switch's forwarding table. A table lookup determines which exit port on the switch to use to forward the packet.

For both bridged unicast packets and routed unicast packets, firewall filters are evaluated and applied hierarchically. First, a packet is checked against the port firewall filter, if present. If the packet is permitted, it is then checked against the VLAN firewall filter, if present. If the packet is permitted, it is then checked against the router firewall filter, if present. The packet must be permitted by the router firewall filter before it is processed.

Figure 72 on page 1254 shows the various firewall filter processing points in the packet forwarding path in a multilayer switching platform.

Figure 72: Firewall Filter Processing Points in the Packet Forwarding Path

For a multicast packet that results in replications, an egress firewall filter is applied to each copy of the packet based on its corresponding egress VLAN.

For Layer 2 (bridged) unicast packets, the following firewall filter processing points apply:

• Ingress port firewall filter
• Ingress VLAN firewall filter
• Egress port firewall filter
• Egress VLAN firewall filter

For Layer 3 (routed and multilayer-switched) unicast packets, the following firewall filter processing points apply:

• Ingress port firewall filter
• Ingress VLAN firewall filter (Layer 2 CoS)
• Ingress router firewall filter (Layer 3 CoS)
• Egress router firewall filter
• Egress VLAN firewall filter

Related Topics

• Firewall Filters for EX Series Switches Overview on page 1249
• Understanding How Firewall Filters Control Packet Flows on page 1255
• Understanding Bridging and VLANs on EX Series Switches on page 467
• Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275
Understanding How Firewall Filters Control Packet Flows

Juniper Networks EX Series Ethernet Switches support firewall filters that allow you to control flows of data packets and local packets. Data packets are chunks of data that transit the switch as they are forwarded from a source to a destination. Local packets are chunks of data that are destined for or sent by the switch. Local packets usually contain routing protocol data, data for IP services such as Telnet or SSH, and data for administrative protocols such as the Internet Control Message Protocol (ICMP).

You create firewall filters to protect your switch from excessive traffic transiting the switch to a network destination or destined for the Routing Engine on the switch. Firewall filters that control local packets can also protect your switch from external incidents such as denial-of-service (DoS) attacks.

Firewall filters affect packet flows entering or exiting the switch's interfaces:

• Ingress firewall filters affect the flow of data packets that are received by the switch's interfaces. The Packet Forwarding Engine (PFE) handles this flow. When a switch receives a data packet on an interface, the switch determines where to forward the packet by looking in the forwarding table for the best route (Layer 2 switching, Layer 3 routing) to a destination. Data packets are forwarded to their destination through an outgoing interface. Locally destined packets are forwarded to the Routing Engine.

• Egress firewall filters affect the flow of data packets that are transmitted from the switch's interfaces but do not affect the flow of locally generated control packets from the Routing Engine. The Packet Forwarding Engine handles the flow of data packets that are transmitted from the switch, and egress firewall filters are applied there. The Packet Forwarding Engine also handles the flow of control packets from the Routing Engine.
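A router (Layer 3) filter on the loopback interface is the usual way to control the local packets described above, because every packet addressed to the switch itself passes the lo0 filter on its way to the Routing Engine. The following is an added example, not configuration from the original page; the administration prefix 10.0.100.0/24, the server prefix 10.0.200.0/24, the loopback address, and the policer values are assumptions chosen for illustration.

```junos
firewall {
    /* Policer referenced by the ICMP term: traffic above 1 Mbps
       (15 KB burst) is discarded instead of reaching the Routing Engine. */
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* SSH only from the assumed administration subnet. */
            term allow-ssh-from-admin {
                from {
                    source-prefix-list {
                        admin-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    accept;
                    count ssh-from-admin;
                }
            }
            /* Replies to sessions the switch itself opens (RADIUS, DNS,
               NTP) would otherwise be dropped by the last term. */
            term allow-replies-from-servers {
                from {
                    source-prefix-list {
                        infra-servers;
                    }
                    protocol udp;
                    source-port [ radius domain ntp ];
                }
                then accept;
            }
            /* Routing protocol packets from directly connected routers. */
            term allow-ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            /* ICMP is accepted but rate limited by the policer above. */
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-icmp;
                    accept;
                }
            }
            /* Everything else addressed to the switch is counted and
               dropped; this counter is the one to watch during an attack. */
            term deny-rest {
                then {
                    discard;
                    count re-denied;
                }
            }
        }
    }
}
policy-options {
    /* Assumed address ranges for the example. */
    prefix-list admin-hosts {
        10.0.100.0/24;
    }
    prefix-list infra-servers {
        10.0.200.0/24;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Loopback filters can only be applied in the ingress direction. */
                filter {
                    input protect-re;
                }
                address 10.255.0.1/32;
            }
        }
    }
}
```

Commit a filter like this with commit confirmed, so that a service you forgot to allow (the re-denied counter in show firewall filter protect-re shows what is being dropped) cannot lock you out. Two things it does not cover: the management port me0, which the loopback filter does not see and which needs its own protection, and ARP, which is not an inet packet and is therefore unaffected by a family inet filter.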

Figure 73 on page 1256 illustrates the application of ingress and egress firewall filters to control the flow of packets through the switch.

Figure 73: Application of Firewall Filters to Control Packet Flow

1. Ingress firewall filter applied to control locally destined packets that are received on the switch's interfaces and are destined for the Routing Engine.

2. Ingress firewall filter applied to control incoming packets on the switch's interfaces.

3. Egress firewall filter applied to control packets that are transiting the switch's interfaces.

Related Topics

• Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches on page 1254
• Understanding How Firewall Filters Are Evaluated on page 1267

Firewall Filter Match Conditions and Actions for EX Series Switches

Each term in a firewall filter consists of match conditions and an action. Match conditions are the values or fields that a packet must contain. You can define multiple, single, or no match conditions. If no match conditions are specified for the term, all packets are matched by default. The action is the action that the switch takes if a packet matches the match conditions for the specific term. Allowed actions are to accept a packet or to discard a packet. In addition, you can specify action modifiers to count, mirror, rate limit, and classify packets.

For each firewall filter, you define the terms that specify the filtering criteria (match conditions) to apply to packets and the action for the switch to take if a match occurs. Table 157 on page 1257 describes the match conditions you can specify when configuring a firewall filter. The string that defines a match condition is called a match statement. All match conditions are applicable to IPv4 traffic. The match conditions are not applicable to IPv6 traffic.
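Several conditions in Table 157 carry caveats that matter when the filter is meant to stop evasion rather than just sort traffic: icmp-code is only meaningful together with icmp-type, is-fragment never matches the first fragment (so dropping all fragments takes one term on fragment-flags and one on is-fragment), and both fragment conditions are ingress-only. The following added example, which is not configuration from the original page, puts those conditions into one router (Layer 3) filter on a routed VLAN interface; the VLAN unit 200, its address, and the filter and counter names are assumptions chosen for illustration.

```junos
firewall {
    family inet {
        /* Ingress router filter for the assumed server VLAN interface. */
        filter server-vlan-in {
            /* Fragments can hide the transport header from the port-based
               terms below, so both kinds are dropped. is-fragment does not
               match the first fragment; fragment-flags more-fragments does. */
            term drop-first-fragments {
                from {
                    fragment-flags more-fragments;
                }
                then {
                    discard;
                    count first-fragments;
                }
            }
            term drop-trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    discard;
                    count trailing-fragments;
                }
            }
            /* Path MTU discovery needs "unreachable / fragmentation-needed";
               icmp-code must always be paired with icmp-type. */
            term allow-icmp-pmtud {
                from {
                    protocol icmp;
                    icmp-type unreachable;
                    icmp-code fragmentation-needed;
                }
                then accept;
            }
            /* Echo is allowed; any other ICMP type falls through to the
               terms below and, being neither TCP nor matched, is accepted
               by allow-rest. Add a discard term here to tighten that. */
            term allow-icmp-echo {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* New TCP connections (SYN without ACK) may only target the
               web ports; tcp-initial is "(syn & !ack)". */
            term allow-new-web-connections {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                    tcp-initial;
                }
                then {
                    accept;
                    count new-web-connections;
                }
            }
            /* Any other connection attempt toward the servers is counted
               and dropped. */
            term drop-other-new-connections {
                from {
                    protocol tcp;
                    tcp-initial;
                }
                then {
                    discard;
                    count blocked-connection-attempts;
                }
            }
            /* Packets of already established TCP sessions and non-TCP
               traffic are passed; without this term they would be discarded. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Routed VLAN interface for the assumed server VLAN (unit 200). The
       fragment conditions are ingress-only, so the filter is bound as input. */
    vlan {
        unit 200 {
            family inet {
                filter {
                    input server-vlan-in;
                }
                address 10.0.200.1/24;
            }
        }
    }
}
```

The counters on the two fragment terms and on blocked-connection-attempts, read with show firewall filter server-vlan-in, are the quickest way to see whether anything is probing the servers with fragmented packets or unexpected SYNs.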
Table 157: Supported Match Conditions for Firewall Filters on EX Series Switches

Columns: Match Condition; Description; Supported Platforms and Bind Points (Ingress, Egress).

destination-address ip-address
    IP destination address field, which is the address of the final destination node.
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

destination-mac-address mac-address
    Destination media access control (MAC) address of the packet.
    Ingress: EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs
    Egress:  EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs

destination-port number
    TCP or User Datagram Protocol (UDP) destination port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed):
    afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104)
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

destination-prefix-list prefix-list
    IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. You make this definition at the [edit policy-options] hierarchy level.
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

dot1q-tag number
    The tag field in the Ethernet header. The tag values can be 1 through 4095.
    Ingress: EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs
    Egress:  EX3200 and EX4200: ports and VLANs; EX8200: not supported

dot1q-user-priority number
    User-priority field of the tagged Ethernet packet. User-priority values can be 0 through 7. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
    • background (1): Background
    • best-effort (0): Best effort
    • controlled-load (4): Controlled load
    • excellent-load (3): Excellent load
    • network-control (7): Network control reserved traffic
    • standard (2): Standard or Spare
    • video (5): Video
    • voice (6): Voice
    Ingress: EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs
    Egress:  EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs

dscp number
    Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
    • ef (46): as defined in RFC 2598, An Expedited Forwarding PHB.
    • af11 (10), af12 (12), af13 (14); af21 (18), af22 (20), af23 (22); af31 (26), af32 (28), af33 (30); af41 (34), af42 (36), af43 (38): These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

ether-type [ipv4 | arp | mpls | dot1q | value]
    Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms:
    • aarp: EtherType value AARP (0x80F3)
    • appletalk: EtherType value AppleTalk (0x809B)
    • arp: EtherType value ARP (0x0806)
    • ipv4: EtherType value IPv4 (0x0800)
    • mpls-multicast: EtherType value MPLS multicast (0x8848)
    • mpls-unicast: EtherType value MPLS unicast (0x8847)
    • oam: EtherType value OAM (0x88A8)
    • ppp: EtherType value PPP (0x880B)
    • pppoe-discovery: EtherType value PPPoE Discovery Stage (0x8863)
    • pppoe-session: EtherType value PPPoE Session Stage (0x8864)
    • sna: EtherType value SNA (0x80D5)
    Ingress: EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs
    Egress:  EX3200 and EX4200: ports and VLANs; EX8200: not supported

fragment-flags fragment-flags
    IP fragmentation flags, specified in symbolic or hexadecimal formats. You can specify one of the following options: dont-fragment (0x4000), more-fragments (0x2000), or reserved (0x8000).
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: not supported; EX8200: not supported

icmp-code number
    ICMP code field. This value or option provides more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The options are grouped by the ICMP type with which they are associated:
    • parameter-problem: ip-header-bad (0), required-option-missing (1)
    • redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
    • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
    • unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: VLANs and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

icmp-type number
    ICMP packet type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
    echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3)
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

interface interface-name
    Interface on which the packet is received. You can specify the wildcard character (*) as part of an interface name.
    NOTE: An interface from which a packet is sent cannot be used as a match condition.
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

ip-options
    Presence of the options field in the IP header.
    Ingress: EX3200 and EX4200: Layer 3 interfaces; EX8200: Layer 3 interfaces
    Egress:  EX3200 and EX4200: not supported; EX8200: not supported

is-fragment
    If the packet is a trailing fragment. This match condition does not match the first fragment of a fragmented packet. Use two terms to match both first and trailing fragments.
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: not supported; EX8200: not supported

packet-length bytes
    Length of the received packet, in bytes.
    NOTE: packet-length is not supported on EX3200 and EX4200 switches.
    Ingress: EX3200 and EX4200: not supported; EX8200: Layer 3 interfaces
    Egress:  EX3200 and EX4200: not supported; EX8200: not supported

precedence precedence
    IP precedence. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (5), flash (3), flash-override (4), immediate (2), internet-control (6), net-control (7), priority (1), routine (0)
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

protocol list-of-protocols
    IPv4 protocol value. In place of the numeric value, you can specify one of the following text synonyms: egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103), rsvp (46), tcp (6), udp (17)
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

source-address ip-address
    IP source address field, which is the address of the source node sending the packet.
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

source-mac-address mac-address
    Source MAC address.
    Ingress: EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs
    Egress:  EX3200 and EX4200: ports and VLANs; EX8200: ports and VLANs

source-port number
    TCP or UDP source port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.
    Ingress: EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces
    Egress:  EX3200 and EX4200: ports, VLANs, and Layer 3 interfaces; EX8200: ports, VLANs, and Layer 3 interfaces

Table 157: Supported Match Conditions for Firewall Filters on EX Series Switches (continued)
Match Condition

Description

Supported Platforms and Bind Points


Ingress

source-prefix-list
prefix-list

IP source prefix list field.

EX3200 and
EX4200ports,
VLANs, and Layer 3
interfaces

EX3200 and
EX4200ports,
VLANs, and Layer 3
interfaces

EX8200ports,
VLANs, and Layer 3
interfaces

EX8200ports,
VLANs, and Layer 3
interfaces

EX3200 and
EX4200ports,
VLANs, and Layer 3
interfaces

EX3200 and
EX4200not
supported

EX8200ports,
VLANs, and Layer 3
interfaces

EX8200not
supported

EX3200 and
EX4200ports,
VLANs, and Layer 3
interfaces

EX3200 and
EX4200not
supported

EX8200ports,
VLANs, and Layer 3
interfaces

EX8200not
supported

Match the first TCP packet of a connection.


tcp-initial is a synonym for the bit names
"(syn & !ack)".

EX3200 and
EX4200ports,
VLANs, and Layer 3
interfaces

EX3200 and
EX4200not
supported

tcp-initial does not implicitly check whether

EX8200ports,
VLANs, and Layer 3
interfaces

EX8200not
supported

EX3200 and
EX4200Layer 3
interfaces

EX3200 and
EX4200not
supported

EX8200Layer 3
interfaces

EX8200not
supported

EX3200 and
EX4200ports and
VLANs

EX3200 and
EX4200ports and
VLANs

EX8200ports and
VLANs

EX8200ports and
VLANs

You can define a list of IP address prefixes


under a prefix-list alias for frequent use. You
make this definition at the [edit
policy-options] hierarchy level.

tcp-established

Egress

TCP packets of an established TCP


connection. This condition matches packets
other than the first packet of a connection.
tcp-established is a synonym for the bit
names "(ack | rst)".
tcp-established does not implicitly check

whether the protocol is TCP. To do so,


specify the protocol tcp match condition.
tcp-flags [flags
tcp-initial]

One or more TCP flags:

bit-namefin, syn, rst, push, ack,


urgent

logical operators& (logical AND), !


(negation)

numerical value0x01 through 0x20

text synonymtcp-initial

To specify multiple flags, use logical


operators.
tcp-initial

the protocol is TCP. To do so, specify the


protocol tcp match condition.
TTL type to match. The value can be 1255.

ttl value

vlan [vlan-name |
vlan-id]

1264

The VLAN that is associated with the packet.

Firewall Filter Match Conditions and Actions for EX Series Switches

Chapter 62: Understanding Firewall Filters

Some of the numeric range and bit-field match conditions allow you to specify a text
synonym. For a list of all the synonyms for a match condition, do any of the following:

If you are using the J-Web Filters Configuration page, select the synonym from
the appropriate list.

If you are using the CLI, type a question mark (?) after the from statement.

To specify the bit-field value to match, you must enclose the values in quotation
marks (" "). For example, a match occurs if the RST bit in the TCP flags field is set:
tcp-flags "rst";

For information about logical operators and how to use bit-field logical operations
to create expressions that are evaluated for matches, see Understanding Firewall
Filter Match Conditions on page 1269.
When you define one or more terms that specify the filtering criteria, you also define
the action to take if the packet matches all criteria. Table 158 on page 1265 shows the
actions that you can specify in a term.
Table 158: Actions for Firewall Filters

Columns: Action; Description; Supported Platforms and Direction.

accept
    Accept a packet.
    EX3200 and EX4200: ingress and egress; EX8200: ingress and egress

discard
    Discard a packet silently without sending an Internet Control Message Protocol
    (ICMP) message.
    EX3200 and EX4200: ingress and egress; EX8200: ingress and egress

reject message-type
    Discard a packet, and send an ICMPv4 message (type 3) destination unreachable.
    You can log the rejected packets if you configure the syslog action modifier.
    You can specify one of the following message codes: administratively-prohibited
    (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown,
    host-unreachable, network-prohibited, network-unknown, network-unreachable,
    port-unreachable, precedence-cutoff, precedence-violation,
    protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.
    If you specify tcp-reset, a TCP reset is returned if the packet is a TCP packet.
    Otherwise nothing is returned. If you do not specify a message type, the ICMP
    notification destination unreachable is sent with the default message
    communication administratively filtered.
    EX3200 and EX4200: ingress only; EX8200: not supported

routing-instance
    Forward matched packets to a virtual routing instance.
    EX3200 and EX4200: ingress and egress; EX8200: not supported

vlan
    Forward matched packets to a specific VLAN.
    EX3200 and EX4200: ingress only; EX8200: not supported


In addition to the actions, you can specify action modifiers. Table 159 on page 1266
shows the action modifiers that you can specify in a term.

Table 159: Action Modifiers for Firewall Filters

Columns: Action Modifier; Description; Supported Platforms and Direction.

analyzer analyzer-name
    Mirror port traffic to a specified destination port or VLAN that is connected
    to a protocol analyzer application. Mirroring copies all packets seen on one
    switch port to a network monitoring connection on another switch port. The
    analyzer name must be configured under [edit ethernet-switching-options
    analyzer].
    EX3200 and EX4200: ingress only; EX8200: ingress only

count counter-name
    Count the number of packets that pass this filter, term, or policer.
    EX3200 and EX4200: ingress and egress; EX8200: not supported

forwarding-class class
    Classify the packet in one of the following forwarding classes:
    assured-forwarding, best-effort, expedited-forwarding, network-control.
    EX3200 and EX4200: ingress and egress; EX8200: ingress and egress

interface interface-name
    Forward the traffic to the specified interface, bypassing the switching lookup.
    EX3200 and EX4200: ingress only; EX8200: ingress only

log
    Log the packet's header information in the Routing Engine. To view this
    information, issue the show firewall log command in the CLI.
    EX3200 and EX4200: ingress only; EX8200: not supported

loss-priority [low | high]
    Set the Packet Loss Priority (PLP).
    EX3200 and EX4200: ingress only; EX8200: not supported

policer policer-name
    Apply rate limits to the traffic. You can specify a policer for ingress port,
    VLAN, and router firewall filters only.
    EX3200 and EX4200: ingress only; EX8200: ingress only

syslog
    Log an alert for this packet. You can specify that the log be sent to a server
    for storage and analysis.
    EX3200 and EX4200: ingress only; EX8200: not supported


NOTE: On EX Series switches, accept and discard are the only actions supported for
firewall filters applied on loopback interfaces.
Related Topics

Firewall Filter Configuration Statements Supported by JUNOS Software for EX
Series Switches on page 1324

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security
Device on EX Series Switches on page 1295

Understanding Firewall Filter Match Conditions on page 1269

Understanding How Firewall Filters Are Evaluated on page 1267

Understanding How Firewall Filters Test a Packet's Protocol on page 1273

Understanding the Use of Policers in Firewall Filters on page 1274

Understanding Filter-Based Forwarding for EX Series Switches on page 1274

Understanding How Firewall Filters Are Evaluated


A firewall filter consists of one or more terms, and the order of the terms within a
firewall filter is important. Before you configure firewall filters, you should understand
how Juniper Networks EX Series Ethernet Switches evaluate the terms within a firewall
filter and how packets are evaluated against the terms.
When a firewall filter consists of a single term, the filter is evaluated as follows:

If the packet matches all the conditions, the action in the then statement is taken.

If the packet matches all the conditions, and no action is specified in the then
statement, the default action accept is taken.

When a firewall filter consists of more than one term, the firewall filter is evaluated
sequentially:

1. The packet is evaluated against the conditions in the from statement in the first
   term.

2. If the packet matches all the conditions in the term, the action in the then
   statement is taken and the evaluation ends. Subsequent terms in the filter are
   not evaluated.

3. If the packet does not match all the conditions in the term, the packet is evaluated
   against the conditions in the from statement in the second term. This process
   continues until either the packet matches the conditions in the from statement in
   one of the subsequent terms or there are no more terms in the filter.

4. If a packet passes through all the terms in the filter without a match, the packet
   is discarded.


Figure 74 on page 1268 shows how an EX Series switch evaluates the terms within a
firewall filter.
Figure 74: Evaluation of Terms Within a Firewall Filter

If a term does not contain a from statement, the packet is considered to match and
the action in the then statement of the term is taken.
If a term does not contain a then statement, or if an action has not been configured
in the then statement, and the packet matches the conditions in the from statement
of the term, the packet is accepted.
Every firewall filter contains an implicit deny statement at the end of the filter, which
is equivalent to the following explicit filter term:
term implicit-rule {
then discard;
}

Consequently, if a packet passes through all the terms in a filter without matching
any conditions, the packet is discarded. If you configure a firewall filter that has no
terms, all packets that pass through the filter are discarded.

NOTE: Firewall filtering is supported on packets that are at least 48 bytes long.
Related Topics

Firewall Filters for EX Series Switches Overview on page 1249

Understanding Firewall Filter Match Conditions on page 1269

Understanding the Use of Policers in Firewall Filters on page 1274

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Understanding Firewall Filter Match Conditions


Before you define terms for firewall filters, you must understand how the conditions
that you specify in a term are handled and how to specify interface filter, numeric
filter, address filter, and bit-field filter match conditions to achieve the desired filtering
results.

Filter Match Conditions on page 1269

Numeric Filter Match Conditions on page 1269

Interface Filter Match Conditions on page 1270

IP Address Filter Match Conditions on page 1270

MAC Address Filter Match Conditions on page 1271

Bit-Field Filter Match Conditions on page 1272

Filter Match Conditions


In the from statement of a firewall filter term, you specify the conditions that the
packet must match for the action in the then statement to be taken. All conditions
in the from statement must match for the action to be taken. The order in which you
specify match conditions is not important, because a packet must match all the
conditions in a term for a match to occur.
If you specify no match conditions in a term, that term matches all packets.
An individual condition in a from statement cannot contain a list of values. For
example, you cannot specify numeric ranges or multiple source or destination
addresses.
Individual conditions in a from statement cannot be negated. A negated condition is
an explicit mismatch.

Numeric Filter Match Conditions


Numeric filter conditions match packet fields that are identified by a numeric value,
such as port and protocol numbers. For numeric filter match conditions, you specify
a keyword that identifies the condition and a single value that a field in a packet
must match.
You can specify the numeric value in one of the following ways:

Single numberA match occurs if the value of the field matches the number.
For example:
source-port 25;


Text synonym for a single number A match occurs if the value of the field
matches the number that corresponds to the synonym. For example:
source-port http;

To specify more than one value in a filter term, you enter each value in its own match
statement. For example, a match occurs in the following term if the value of vlan
field is 10 or 30.
[edit firewall family family-name filter filter-name term term-name from]
vlan 10;
vlan 30;

The following restrictions apply to numeric filter match conditions:

You cannot specify a range of values.

You cannot specify a list of comma-separated values.

You cannot exclude a specific value in a numeric filter match condition. For
example, you cannot specify a condition that would match only if the match
condition was not equal to a given value.

Interface Filter Match Conditions


Interface filter match conditions can match interface name values in a packet. For
interface filter match conditions, you specify the name of the interface, for example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set interface ge-0/0/1

Port and VLAN interfaces do not use logical unit numbers. However, a firewall filter
that is applied to a router interface can specify the logical unit number in the interface
filter match condition, for example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set interface ge-0/1/0.0

You can include the * wildcard as part of the interface name, for example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set interface ge-0/*/1
user@host# set interface ge-0/1/*
user@host# set interface ge-*

IP Address Filter Match Conditions


Address filter match conditions can match prefix values in a packet, such as IP source
and destination prefixes. For address filter match conditions, you specify a keyword
that identifies the field and one prefix of that type that a packet must match.


You specify the address as a single prefix. A match occurs if the value of the field
matches the prefix. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-address 10.2.1.0/28;

Each prefix contains an implicit 0/0 except statement, which means that any prefix
that does not match the prefix that is specified is explicitly considered not to match.
To specify the address prefix, use the notation prefix/prefix-length. If you omit
prefix-length, it defaults to /32. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-address 10
[edit firewall family family-name filter filter-name term term-name from]
user@host# show
destination-address {
10.0.0.0/32;
}

To specify more than one IP address in a filter term, you enter each address in its
own match statement. For example, a match occurs in the following term if the value
of the source-address field matches either of the following source-address prefixes:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set source-address 10.0.0.0/8
user@host# set source-address 10.1.0.0/16
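The rules above (terms tried in order, first match wins, a term with no from matches everything, a term with no then action accepts, the implicit discard at the end; several values for one field ORed, different fields ANDed, address conditions matched as prefixes with the implicit 0/0 except) can be checked against a small model. The following Python program is an added example, not code from the guide or from JUNOS: the filter name, term names and packets are hypothetical, and it serves both the evaluation section (Understanding How Firewall Filters Are Evaluated) and the numeric and address match-condition rules in this section.

```python
"""Model of EX Series firewall filter evaluation (added example, not Juniper code).

Terms are tried in order; the first term whose 'from' conditions all match
decides the packet; a term with no 'from' matches everything; a term with no
'then' action accepts; a packet that matches no term hits the implicit
'term implicit-rule { then discard; }'. Within one term, several values for
the same field model several "from <field> <value>;" statements (ORed),
while different fields are ANDed; address fields are prefix matches.
"""
import ipaddress


class Term:
    def __init__(self, name, match=None, action=None):
        self.name = name
        self.match = match or {}   # field -> list of acceptable values
        self.action = action       # None models a 'then' with no action


def _value_matches(field, wanted, actual):
    if field in ("source-address", "destination-address"):
        # A prefix that does not cover the address is an explicit mismatch
        # (the implicit "0/0 except" behind every address condition).
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(p, strict=False) for p in wanted)
    return actual in wanted


def term_matches(term, packet):
    """All conditions in 'from' must match; an empty 'from' matches any packet."""
    for field, wanted in term.match.items():
        if field not in packet or not _value_matches(field, wanted, packet[field]):
            return False
    return True


def evaluate(terms, packet):
    """(term name, action) of the first matching term, else the implicit discard.
    A filter with no terms therefore discards everything."""
    for term in terms:
        if term_matches(term, packet):
            return term.name, term.action or "accept"
    return "implicit-rule", "discard"


# Hypothetical management filter (names are illustrative, not from the guide).
MGMT_FILTER = [
    Term("ssh-from-mgmt",
         {"protocol": ["tcp"], "destination-port": [22],
          "source-address": ["10.0.0.0/8", "192.0.2.0/28"]},   # two ORed prefixes
         "accept"),
    Term("web", {"protocol": ["tcp"], "destination-port": [80, 443]}),  # no action: accept
    Term("no-telnet", {"protocol": ["tcp"], "destination-port": [23]}, "discard"),
]

# Constructed sample packets as field dictionaries (not captured traffic).
PACKETS = {
    "ssh-mgmt":  {"protocol": "tcp", "source-address": "10.20.30.40",  "destination-port": 22},
    "ssh-other": {"protocol": "tcp", "source-address": "198.51.100.7", "destination-port": 22},
    "https":     {"protocol": "tcp", "source-address": "198.51.100.7", "destination-port": 443},
    "telnet":    {"protocol": "tcp", "source-address": "10.20.30.40",  "destination-port": 23},
    "dns-udp":   {"protocol": "udp", "source-address": "10.20.30.40",  "destination-port": 53},
}


def run(terms=MGMT_FILTER):
    return {name: evaluate(terms, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (term, action) in run().items():
        print(f"{name:10s} -> {action:8s} via term {term}")
    # Term order matters: a term with no 'from' placed first shadows every later term.
    print("telnet with permit-all first ->",
          evaluate([Term("permit-all")] + MGMT_FILTER, PACKETS["telnet"]))
```

Note that the UDP packet and the SSH attempt from an address outside both prefixes are both dropped by the implicit rule, not by any term you wrote; if that is not the intent, the filter needs an explicit final accept term, and if it is the intent, a final term with count and discard makes the drops visible in show firewall.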

MAC Address Filter Match Conditions


MAC address filter match conditions can match source and destination MAC address
values in a packet. For MAC address filter match conditions, you specify a keyword
that identifies the field and one value of that type that a packet must match.
You can specify the MAC address as six hexadecimal bytes in the following formats:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-mac-address 0011.2233.4455
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-mac-address 00:11:22:33:44:55
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-mac-address 001122334455

To specify more than one MAC address in a filter term, you enter each MAC address
in its own match statement. For example, a match occurs in the following term if
the value of the source-mac-address field matches either of the following addresses.
[edit firewall family family-name filter filter-name term term-name from]
user@host# set source-mac-address 00:11:22:33:44:55
user@host# set source-mac-address 00:11:22:33:20:15


Bit-Field Filter Match Conditions


Bit-field filter conditions match packet fields if particular bits in those fields are or
are not set. You can match the IP options, TCP flags, and IP fragmentation fields.
For bit-field filter match conditions, you specify a keyword that identifies the field
and tests to determine that the option is present in the field.
To specify the bit-field value to match, enclose the value in double quotation marks.
For example, a match occurs if the RST bit in the TCP flags field is set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "rst"

Typically, you specify the bits to be tested by using keywords. Bit-field match
keywords always map to a single bit value. You also can specify bit fields as
hexadecimal or decimal numbers.
To match multiple bit-field values, use the logical operators, which are described in
Table 160 on page 1272. The operators are listed in order from highest precedence to
lowest precedence. Operations are left-associative.
Table 160: Logical Operators for Bit-Field Match Conditions

Logical Operator    Description
!                   Negation.
& or +              Logical AND.

To negate a match, precede the value with an exclamation point. For example, a
match occurs only if the RST bit in the TCP flags field is not set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "!rst"

In the following example of a logical AND operation, a match occurs if the packet is
the initial packet on a TCP session:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "syn & !ack"

You can use text synonyms to specify some common bit-field matches. You specify
these matches as a single keyword. In the following example of a text synonym, a
match occurs if the packet is the initial packet on a TCP session:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags tcp-initial

Logical OR operations are not supported; however, you can specify the equivalent
OR functionality by specifying two of the same match conditions in a single term or
in two consecutive terms. For example, in the following term, a match occurs if the
packet in a TCP session has the URG (urgent) bit set or the PSH (push) bit set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "urgent"
user@host# set tcp-flags "push"
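The precedence rules for bit-field expressions (negation binds tighter than AND, AND is left-associative, OR only by repeating the match statement) are easy to get wrong when reading a filter, so the following Python evaluator, an added example and not part of the guide or of JUNOS, parses tcp-flags expressions in the syntax shown above and tests them against a TCP flags byte. The bit values and the expansions of tcp-initial and tcp-established are those given in Table 157; everything else (function names, sample flag bytes) is constructed for the example.

```python
"""Evaluator for tcp-flags bit-field expressions (added example, not Juniper code).

Grammar, as described in the guide: bit names fin syn rst push ack urgent,
numeric values 0x01 through 0x20, '!' (negation, highest precedence),
'&' or '+' (logical AND, left-associative), parentheses, and the text
synonyms tcp-initial = (syn & !ack) and tcp-established = (ack | rst).
There is no OR operator; OR is obtained by repeating the match statement,
which term_tcp_flags_match models.
"""
import re

TCP_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}
_TOKEN = re.compile(r"\(|\)|!|&|\+|[A-Za-z0-9_-]+")


class _Parser:
    def __init__(self, expr):
        self.toks = _TOKEN.findall(expr.replace('"', ""))   # quotes are CLI syntax only
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self._and()
        if self._peek() is not None:                  # e.g. a stray '|' or second operand
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _and(self):
        node = self._unary()
        while self._peek() in ("&", "+"):             # left-associative AND
            self._take()
            node = ("and", node, self._unary())
        return node

    def _unary(self):
        tok = self._take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "!":
            return ("not", self._unary())             # '!' binds tighter than '&'
        if tok == "(":
            node = self._and()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "tcp-initial":                      # synonym for (syn & !ack)
            return _Parser("syn & !ack").parse()
        if tok == "tcp-established":                  # synonym for (ack | rst)
            return ("any", TCP_BITS["ack"] | TCP_BITS["rst"])
        if tok in TCP_BITS:
            return ("all", TCP_BITS[tok])
        try:
            mask = int(tok, 0)                        # hexadecimal or decimal value
        except ValueError:
            raise ValueError(f"unknown flag {tok!r}") from None
        if not 0 < mask <= 0x3F:
            raise ValueError(f"flag value {tok} out of range")
        return ("all", mask)


def _eval(node, flags):
    kind = node[0]
    if kind == "all":
        return (flags & node[1]) == node[1]
    if kind == "any":
        return (flags & node[1]) != 0
    if kind == "not":
        return not _eval(node[1], flags)
    return _eval(node[1], flags) and _eval(node[2], flags)


def tcp_flags_match(expr, flags):
    """True if the TCP flags byte satisfies one tcp-flags expression."""
    return _eval(_Parser(expr).parse(), flags)


def term_tcp_flags_match(exprs, flags):
    """Several tcp-flags statements in one term are ORed."""
    return any(tcp_flags_match(e, flags) for e in exprs)


if __name__ == "__main__":
    SYN, SYN_ACK, PSH_ACK = 0x02, 0x12, 0x18              # constructed flag bytes
    for expr in ('"rst"', "syn & !ack", "tcp-initial", "!syn & ack", "tcp-established"):
        print(f"{expr:16s} SYN:{tcp_flags_match(expr, SYN)!s:5s} SYN-ACK:{tcp_flags_match(expr, SYN_ACK)}")
    print('"urgent" or "push" on PSH-ACK:', term_tcp_flags_match(['"urgent"', '"push"'], PSH_ACK))
```

The "!syn & ack" case is the one worth running: because negation binds first, a bare SYN does not match (it would match if the expression were read as !(syn & ack)). None of these checks looks at the IP protocol field, which is why the guide tells you to add protocol tcp to the same term.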

Related Topics

Firewall Filters for EX Series Switches Overview on page 1249

Understanding How Firewall Filters Test a Packet's Protocol on page 1273

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security
Device on EX Series Switches on page 1295

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Understanding How Firewall Filters Test a Packet's Protocol


When examining match conditions, Juniper Networks JUNOS Software for Juniper
Networks EX Series Ethernet Switches tests only the field that is specified. The
software does not implicitly test the IP header to determine whether a packet is an
IP packet. Therefore, in some cases, you must specify protocol field match conditions
in conjunction with other match conditions to ensure that the filters are performing
the expected matches.
If you specify a protocol match condition or a match of the ICMP type or TCP flags
field, there is no implied protocol match. For the following match conditions, you
must explicitly specify the protocol match condition in the same term:

destination-portSpecify the match protocol tcp or protocol udp.

source-portSpecify the match protocol tcp or protocol udp.

If you do not specify the protocol when using the preceding fields, design your filters
carefully to ensure that they perform the expected matches. For example, if you
specify a match of destination-port ssh, the switch deterministically matches any
packets that have a value of 22 in the two-byte field that is two bytes beyond the
end of the IP header without ever checking the IP protocol field.
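The consequence of that last sentence is a filter bypass: a term that says destination-port ssh without protocol tcp also matches a UDP datagram whose destination port is 22, and it matches whatever happens to sit at that offset in any other protocol. The following Python program is an added example, not code from the guide or from JUNOS; it hand-builds IPv4 packets (constructed samples, checksums left zero) and models the comparison the text describes, once without and once with the protocol condition.

```python
"""Why 'destination-port' needs 'protocol' (added example, not Juniper code).

Models the match described in the guide: the switch compares the 16-bit field
two bytes beyond the end of the IP header (IHL * 4) and, unless 'protocol' is
also in the term, never looks at the IP protocol byte. A UDP datagram to
port 22 therefore satisfies a lone 'destination-port ssh' term.
"""
import ipaddress
import struct

TCP, UDP = 6, 17


def build_ipv4(proto, src, dst, payload, options=b""):
    """Minimal IPv4 header (checksum left zero) + optional IP options + payload."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def tcp_segment(sport, dport, flags=0x02):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def port_field(pkt):
    """The 16-bit field two bytes beyond the end of the IP header (IHL * 4)."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]


def matches_destination_port(pkt, port, protocol=None):
    """Model of a term with 'destination-port <port>' and, optionally, 'protocol'."""
    if protocol is not None and pkt[9] != protocol:    # byte 9 is the IP protocol field
        return False
    return port_field(pkt) == port


SRC, DST = "198.51.100.7", "192.0.2.10"                 # constructed addresses
SAMPLES = {
    "tcp-ssh":         build_ipv4(TCP, SRC, DST, tcp_segment(40000, 22)),
    "tcp-ssh-options": build_ipv4(TCP, SRC, DST, tcp_segment(40000, 22),
                                  options=b"\x01\x01\x01\x00"),   # NOP NOP NOP EOL, IHL = 6
    "udp-to-22":       build_ipv4(UDP, SRC, DST, udp_datagram(40000, 22, b"x")),
    "tcp-http":        build_ipv4(TCP, SRC, DST, tcp_segment(40000, 80)),
}


def audit(port=22):
    """Per sample: (matches with destination-port only, matches with protocol tcp too)."""
    return {name: (matches_destination_port(p, port), matches_destination_port(p, port, TCP))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in audit().items():
        print(f"{name:16s} destination-port only: {loose!s:5s}  with protocol tcp: {strict}")
```

The packet with IP options shows that the field is located relative to the header length, not at a fixed offset, so the model (and the switch) still finds the TCP destination port there; the UDP sample is the one that only the protocol condition excludes.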
Related Topics

Firewall Filters for EX Series Switches Overview on page 1249

Understanding Firewall Filter Match Conditions on page 1269

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275


Understanding the Use of Policers in Firewall Filters


Policing, or rate limiting, is an important component of firewall filters that lets you
control the amount of traffic that enters an interface. A firewall filter configured with
a policer permits only traffic at specified data rates, which provides protection from
denial-of-service (DoS) attacks. Traffic that exceeds the rate limits specified by the
policer can be discarded. Discard is the only supported policer action.
A policer applies two types of rate limits on traffic:

Bandwidth: the number of bits per second permitted, on average.

Maximum burst size: the maximum size permitted for bursts of data that exceed
the given bandwidth limit.

Policing uses an algorithm to enforce a limit on average bandwidth while allowing
bursts up to a specified maximum value.
After you name and configure a policer, it is stored as a template. You can then use
the policer in a firewall filter configuration.
Each policer that you configure includes an implicit counter that counts the number
of packets that exceed the rate limits that are specified for the policer. To get filter-
or term-specific packet counts, you must configure a new policer for each filter or
term that requires policing.
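The guide does not name the algorithm; a token bucket is the usual way to enforce an average rate while allowing a bounded burst, and it is assumed in the following Python model, which is an added example and not code from the guide or from JUNOS. The bandwidth and burst values are the ones used later in this chapter (1 Mbps, 30,000 bytes); the traffic patterns are constructed, not captured.

```python
"""Token-bucket model of a firewall filter policer (added example, not Juniper code).

Tokens are bytes: the bucket holds at most burst_bytes, refills at
bandwidth_bps / 8 bytes per second, and a packet is forwarded only if its
size fits in the bucket. Out-of-profile packets are discarded (the only
policer action the switch supports) and counted, which models the implicit
per-policer counter. Times are integer milliseconds so the arithmetic is exact.
"""


class Policer:
    def __init__(self, bandwidth_bps, burst_bytes):
        self.bytes_per_ms = bandwidth_bps // 8000   # 1 Mbps -> 125 bytes per ms
        self.burst = burst_bytes
        self.tokens = burst_bytes                   # bucket starts full
        self.last_ms = 0
        self.accepted = 0
        self.exceeded = 0                           # the implicit counter

    def police(self, size, now_ms):
        """True if the packet is within profile, False if it is discarded."""
        refill = (now_ms - self.last_ms) * self.bytes_per_ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            self.accepted += 1
            return True
        self.exceeded += 1
        return False


def simulate(bandwidth_bps, burst_bytes, stream):
    """Run a (time_ms, size_bytes) stream through a fresh policer; return (accepted, discarded)."""
    p = Policer(bandwidth_bps, burst_bytes)
    for t, size in stream:
        p.police(size, t)
    return p.accepted, p.exceeded


# Constructed traffic patterns of 1500-byte packets (not captures).
def burst_stream():
    """Two 60,000-byte bursts, one second apart."""
    return [(0, 1500)] * 40 + [(1000, 1500)] * 40


def paced_stream(interval_ms, count):
    """One 1500-byte packet every interval_ms: 12 ms is exactly 1 Mbps, 10 ms is 1.2 Mbps."""
    return [(i * interval_ms, 1500) for i in range(count)]


if __name__ == "__main__":
    print("two bursts     :", simulate(1_000_000, 30_000, burst_stream()))        # (40, 40)
    print("exactly 1 Mbps :", simulate(1_000_000, 30_000, paced_stream(12, 100)))  # (100, 0)
    print("1.2 Mbps       :", simulate(1_000_000, 30_000, paced_stream(10, 200)))  # (185, 15)
```

Each burst passes only the first 30,000 bytes (20 packets) and the rest is counted as exceeded, and a stream that is 20 percent over the rate loses packets only once the burst allowance has drained. Because a Policer instance carries its own bucket and counter, attaching the same instance to two terms pools both their traffic and their counts; that is the behaviour behind the guide's advice to configure a separate policer for every term whose drops you want to count on their own.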
Related Topics

Firewall Filters for EX Series Switches Overview on page 1249

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Understanding Filter-Based Forwarding for EX Series Switches


Administrators of Juniper Networks EX Series Ethernet Switches can use firewall
filters in conjunction with virtual routing instances to specify different routes for
packets to travel in their networks. To set up this feature, which is called filter-based
forwarding, you specify a filter and match criteria and then specify the virtual routing
instance to send packets to.
You might want to use filter-based forwarding to route specific types of traffic through
a firewall or security device before the traffic continues on its path. You can also use
filter-based forwarding to give certain types of traffic preferential treatment or to
improve load balancing of switch traffic.
Related Topics

Understanding Virtual Routing Instances on EX Series Switches on page 476

Firewall Filters for EX Series Switches Overview on page 1249

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security
Device on EX Series Switches on page 1295

Chapter 63

Examples of Configuring Firewall Filters

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security
Device on EX Series Switches on page 1295

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches
This example shows how to configure and apply firewall filters to control traffic that
is entering or exiting a port on the switch, a VLAN on the network, and a Layer 3
interface on the switch. Firewall filters define the rules that determine whether to
forward or deny packets at specific processing points in the packet flow.

Requirements on page 1275

Overview on page 1276

Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit
TCP and ICMP Traffic on page 1279

Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from
Disrupting VoIP Traffic on page 1285

Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic
on the Employee VLAN on page 1287

Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and
Peer-to-Peer Applications on the Guest VLAN on page 1289

Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined
for the Corporate Subnet on page 1291

Verification on page 1293

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX Series switches

Two Juniper Networks EX3200-48T switches: one to be used as an access switch,
the other to be used as a distribution switch

One Juniper Networks EX-UM-4SFP uplink module

One Juniper Networks J-series router


Before you configure and apply the firewall filters in this example, be sure you have:

An understanding of firewall filter concepts, policers, and CoS

Installed the uplink module in the distribution switch. See Installing an Uplink
Module in an EX3200 or EX4200 Switch.

Overview
This configuration example shows how to configure and apply firewall filters that provide
rules to evaluate the contents of packets and determine when to discard, forward,
classify, count, and analyze packets that are destined for or originating from the EX
Series switches that handle all voice-vlan, employee-vlan, and guest-vlan traffic. Table
161 on page 1276 shows the firewall filters that are configured for the EX Series switches
in this example.
Table 161: Configuration Components: Firewall Filters

Columns: Component; Purpose/Description.

Port firewall filter, ingress-port-voip-class-limit-tcp-icmp
    This firewall filter performs two functions:
    Assigns priority queueing to packets with a source MAC address that matches the
    phone MAC addresses. The forwarding class expedited-forwarding provides low loss,
    low delay, low jitter, assured bandwidth, and end-to-end service for all voice-vlan
    traffic.
    Performs rate limiting on packets that enter the ports for employee-vlan. The traffic
    rate for TCP and ICMP packets is limited to 1 Mbps with a burst size up to 30,000
    bytes.
    This firewall filter is applied to port interfaces on the access switch.

VLAN firewall filter, ingress-vlan-rogue-block
    Prevents rogue devices from using HTTP sessions to mimic the gatekeeper device that
    manages call registration, admission, and call status for VoIP calls. Only TCP or UDP
    ports should be used, and only the gatekeeper uses HTTP. That is, all voice-vlan traffic
    on TCP ports should be destined for the gatekeeper device. This firewall filter applies
    to all phones on voice-vlan, including communication between any two phones on the
    VLAN and all communication between the gatekeeper device and VLAN phones.
    This firewall filter is applied to VLAN interfaces on the access switch.

VLAN firewall filter, egress-vlan-watch-employee
    Accepts employee-vlan traffic destined for the corporate subnet, but does not monitor
    this traffic. Employee traffic destined for the Web is counted and analyzed.
    This firewall filter is applied to VLAN interfaces on the access switch.

VLAN firewall filter, ingress-vlan-limit-guest
    Prevents guests (non-employees) from talking with employees or employee hosts on
    employee-vlan. Also prevents guests from using peer-to-peer applications on guest-vlan,
    but allows guests to access the Web.
    This firewall filter is applied to VLAN interfaces on the access switch.

Router firewall filter, egress-router-corp-class
    Prioritizes employee-vlan traffic, giving highest forwarding-class priority to employee
    traffic destined for the corporate subnet.
    This firewall filter is applied to a routed port (Layer 3 uplink module) on the
    distribution switch.


Figure 75 on page 1277 shows the application of port, VLAN, and Layer 3 routed firewall
filters on the switch.
Figure 75: Application of Port, VLAN, and Layer 3 Routed Firewall Filters

Network Topology
The topology for this configuration example consists of one EX3200-48T switch at
the access layer and one EX3200-48T switch at the distribution layer. The distribution
switch's uplink module is configured to support a Layer 3 connection to a J-series
router.
The EX Series switches are configured to support VLAN membership. Table 162 on
page 1277 shows the VLAN configuration components for the VLANs.
Table 162: Configuration Components: VLANs

Columns: VLAN Name; VLAN ID; VLAN Subnet and Available IP Addresses; VLAN Description.

voice-vlan
    VLAN ID: 10
    Subnet 192.0.2.0/28; available addresses 192.0.2.1 through 192.0.2.14;
    192.0.2.15 is the subnet's broadcast address
    Voice VLAN used for employee VoIP traffic

employee-vlan
    VLAN ID: 20
    Subnet 192.0.2.16/28; available addresses 192.0.2.17 through 192.0.2.30;
    192.0.2.31 is the subnet's broadcast address
    VLAN for standalone PCs, PCs connected to the network through the hub in VoIP
    telephones, wireless access points, and printers. This VLAN completely includes
    the voice VLAN. Two VLANs (voice-vlan and employee-vlan) must be configured on
    the ports that connect to the telephones.

guest-vlan
    VLAN ID: 30
    Subnet 192.0.2.32/28; available addresses 192.0.2.33 through 192.0.2.46;
    192.0.2.47 is the subnet's broadcast address
    VLAN for guests' data devices (PCs). The scenario assumes that the corporation
    has an area open to visitors, either in the lobby or in a conference room, that
    has a hub to which visitors can plug in their PCs to connect to the Web and to
    their company's VPN.

camera-vlan
    VLAN ID: 40
    Subnet 192.0.2.48/28; available addresses 192.0.2.49 through 192.0.2.62;
    192.0.2.63 is the subnet's broadcast address
    VLAN for the corporate security cameras.


Ports on the EX Series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports. Table
163 on page 1278 shows the switch ports that are assigned to the VLANs and the IP
and MAC addresses for devices connected to the switch ports:
Table 163: Configuration Components: Switch Ports on a 48-Port All-PoE Switch

Switch and Port Number | VLAN Membership | IP and MAC Addresses | Port Devices
ge-0/0/0, ge-0/0/1 | voice-vlan, employee-vlan | IP addresses: 192.0.2.1 through 192.0.2.2; MAC addresses: 00.05.85.00.00.01, 00.05.85.00.00.02 | Two VoIP telephones, each connected to one PC.
ge-0/0/2, ge-0/0/3 | employee-vlan | 192.0.2.17 through 192.0.2.18 | Printer, wireless access points.
ge-0/0/4, ge-0/0/5 | guest-vlan | 192.0.2.34 through 192.0.2.35 | Two hubs into which visitors can plug in their PCs. Hubs are located in an area open to visitors, such as a lobby or conference room.
ge-0/0/6, ge-0/0/7 | camera-vlan | 192.0.2.49 through 192.0.2.50 | Two security cameras.
ge-0/0/9 | voice-vlan | IP address: 192.0.2.14; MAC address: 00.05.85.00.00.0E | Gatekeeper device. The gatekeeper manages call registration, admission, and call status for VoIP phones.
ge-0/1/0 | (none) | IP address: 192.0.2.65 | Layer 3 connection to a router; note that this is a port on the switch's uplink module.
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

To quickly configure and apply a port firewall filter to prioritize voice traffic and
rate-limit packets that are destined for the employee-vlan subnet, copy the following
commands and paste them into the switch terminal window:
[edit]
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer icmp-connection-policer then discard
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.01
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.02
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from protocol udp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class expedited-forwarding
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then loss-priority low
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control from precedence net-control
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then forwarding-class network-control
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then loss-priority low
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from protocol tcp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then policer tcp-connection-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then count tcp-counter
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then loss-priority high
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from protocol icmp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then policer icmp-connection-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then count icmp-counter
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then loss-priority high
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then loss-priority high
set interfaces ge-0/0/0 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
set interfaces ge-0/0/1 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
set class-of-service schedulers voice-high buffer-size percent 15
set class-of-service schedulers voice-high priority high
set class-of-service schedulers net-control buffer-size percent 10
set class-of-service schedulers net-control priority high
set class-of-service schedulers best-effort buffer-size percent 75
set class-of-service schedulers best-effort priority low
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class best-effort scheduler best-effort

Step-by-Step Procedure

To configure and apply a port firewall filter to prioritize voice traffic and rate-limit packets that are destined for the employee-vlan subnet:

1. Define the policers tcp-connection-policer and icmp-connection-policer:

[edit]
user@switch# set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
user@switch# set firewall policer tcp-connection-policer then discard
user@switch# set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
user@switch# set firewall policer icmp-connection-policer then discard

2. Define the firewall filter ingress-port-voip-class-limit-tcp-icmp:

[edit firewall]
user@switch# set family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp

3. Define the term voip-high:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term voip-high from source-mac-address 00.05.85.00.00.01
user@switch# set term voip-high from source-mac-address 00.05.85.00.00.02
user@switch# set term voip-high from protocol udp
user@switch# set term voip-high then forwarding-class expedited-forwarding
user@switch# set term voip-high then loss-priority low

4. Define the term network-control:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term network-control from precedence net-control
user@switch# set term network-control then forwarding-class network-control
user@switch# set term network-control then loss-priority low

5. Define the term tcp-connection to configure rate limits for TCP traffic:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term tcp-connection from destination-address 192.0.2.16/28
user@switch# set term tcp-connection from protocol tcp
user@switch# set term tcp-connection then policer tcp-connection-policer
user@switch# set term tcp-connection then count tcp-counter
user@switch# set term tcp-connection then forwarding-class best-effort
user@switch# set term tcp-connection then loss-priority high

6. Define the term icmp-connection to configure rate limits for ICMP traffic:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term icmp-connection from destination-address 192.0.2.16/28
user@switch# set term icmp-connection from protocol icmp
user@switch# set term icmp-connection then policer icmp-connection-policer
user@switch# set term icmp-connection then count icmp-counter
user@switch# set term icmp-connection then forwarding-class best-effort
user@switch# set term icmp-connection then loss-priority high

7. Define the term best-effort with no match conditions for an implicit match on all packets that did not match any other term in the firewall filter:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term best-effort then forwarding-class best-effort
user@switch# set term best-effort then loss-priority high

8. Apply the firewall filter ingress-port-voip-class-limit-tcp-icmp as an input filter to the port interfaces for employee-vlan:

[edit interfaces]
user@switch# set ge-0/0/0 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
user@switch# set ge-0/0/1 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp

9. Configure the parameters that are desired for the different schedulers.

NOTE: When you configure parameters for the schedulers, define the numbers to match your network traffic patterns.

[edit class-of-service]
user@switch# set schedulers voice-high buffer-size percent 15
user@switch# set schedulers voice-high priority high
user@switch# set schedulers net-control buffer-size percent 10
user@switch# set schedulers net-control priority high
user@switch# set schedulers best-effort buffer-size percent 75
user@switch# set schedulers best-effort priority low

10. Assign the forwarding classes to schedulers with a scheduler map:

[edit class-of-service]
user@switch# set scheduler-maps ethernet-diffsrv-cos-map
user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high
user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control
user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class best-effort scheduler best-effort

11. Associate the scheduler map with the outgoing interface:

[edit class-of-service]
user@switch# set interfaces ge-0/1/0 scheduler-map ethernet-diffsrv-cos-map

Results

Display the results of the configuration:

user@switch# show
firewall {
    policer tcp-connection-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 30k;
        }
        then {
            discard;
        }
    }
    policer icmp-connection-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 30k;
        }
        then {
            discard;
        }
    }
    family ethernet-switching {
        filter ingress-port-voip-class-limit-tcp-icmp {
            term voip-high {
                from {
                    source-mac-address 00.05.85.00.00.01;
                    source-mac-address 00.05.85.00.00.02;
                    protocol udp;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            term network-control {
                from {
                    precedence net-control;
                }
                then {
                    forwarding-class network-control;
                    loss-priority low;
                }
            }
            term tcp-connection {
                from {
                    destination-address 192.0.2.16/28;
                    protocol tcp;
                }
                then {
                    policer tcp-connection-policer;
                    count tcp-counter;
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
            term icmp-connection {
                from {
                    destination-address 192.0.2.16/28;
                    protocol icmp;
                }
                then {
                    policer icmp-connection-policer;
                    count icmp-counter;
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
            term best-effort {
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port";
        unit 0 {
            family ethernet-switching {
                filter {
                    input ingress-port-voip-class-limit-tcp-icmp;
                }
            }
        }
    }
    ge-0/0/1 {
        description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port";
        unit 0 {
            family ethernet-switching {
                filter {
                    input ingress-port-voip-class-limit-tcp-icmp;
                }
            }
        }
    }
}
class-of-service {
    scheduler-maps {
        ethernet-diffsrv-cos-map {
            forwarding-class expedited-forwarding scheduler voice-high;
            forwarding-class network-control scheduler net-control;
            forwarding-class best-effort scheduler best-effort;
        }
    }
    interfaces {
        ge-0/1/0 {
            scheduler-map ethernet-diffsrv-cos-map;
        }
    }
}
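A filter built up one `set` statement at a time references objects defined elsewhere: policers by name in `then policer`, forwarding classes that must have a scheduler in the map applied to the egress interface, and filter names on the interfaces that apply them. A commit check catches some of these, but it is cheaper to verify the set statements before they reach the switch. The following checker is an added example, not code from the JUNOS guide; SAMPLE_CONFIG is constructed to mirror the statements of this section and carries two deliberate slips (a reference to an undefined policer named icmp-policer, and a scheduler map with no entry for the network-control forwarding class), and the statement shapes it parses are a subset of the Junos `set` syntax.

```python
"""Cross-reference checks over Junos-style 'set' statements.

Added example, not code from the JUNOS guide. SAMPLE_CONFIG is constructed:
it mirrors this section's port filter and CoS statements with two deliberate
slips (an undefined policer reference and an unmapped forwarding class).
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer icmp-connection-policer then discard
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from protocol udp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class expedited-forwarding
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then forwarding-class network-control
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then policer tcp-connection-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then policer icmp-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then forwarding-class best-effort
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
set class-of-service schedulers voice-high priority high
set class-of-service schedulers net-control priority high
set class-of-service schedulers best-effort priority low
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class best-effort scheduler best-effort
set class-of-service interfaces ge-0/1/0 scheduler-map ethernet-diffsrv-cos-map
"""

# Statement shapes the checker understands (a subset of the Junos 'set' syntax).
POLICER_DEF = re.compile(r"^set firewall policer (\S+) ")
FILTER_DEF = re.compile(r"^set firewall family \S+ filter (\S+) ")
POLICER_REF = re.compile(r"^set firewall family \S+ filter (\S+) term (\S+) then policer (\S+)$")
FC_REF = re.compile(r"^set firewall family \S+ filter (\S+) term (\S+) then forwarding-class (\S+)$")
FILTER_APPLY = re.compile(r"^set (?:interfaces (\S+) unit \d+ family \S+|vlans (\S+)) filter (?:input|output) (\S+)$")
SCHED_DEF = re.compile(r"^set class-of-service schedulers (\S+) ")
MAP_ENTRY = re.compile(r"^set class-of-service scheduler-maps (\S+) forwarding-class (\S+) scheduler (\S+)$")
MAP_APPLY = re.compile(r"^set class-of-service interfaces (\S+) scheduler-map (\S+)$")


def check_config(text):
    """Return a sorted list of dangling references found in the configuration."""
    policers, filters, schedulers = set(), set(), set()
    maps = defaultdict(dict)  # scheduler-map name -> {forwarding-class: scheduler}
    policer_refs, fc_refs, filter_refs, map_refs = [], [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := POLICER_DEF.match(line):
            policers.add(m.group(1))
        if m := FILTER_DEF.match(line):
            filters.add(m.group(1))
        if m := SCHED_DEF.match(line):
            schedulers.add(m.group(1))
        if m := MAP_ENTRY.match(line):
            maps[m.group(1)][m.group(2)] = m.group(3)
        if m := POLICER_REF.match(line):
            policer_refs.append(m.groups())
        if m := FC_REF.match(line):
            fc_refs.append(m.groups())
        if m := FILTER_APPLY.match(line):
            filter_refs.append((m.group(1) or m.group(2), m.group(3)))
        if m := MAP_APPLY.match(line):
            map_refs.append(m.groups())

    findings = set()
    for flt, term, pol in policer_refs:
        if pol not in policers:
            findings.add(f"filter {flt} term {term}: policer {pol} is not defined")
    for where, flt in filter_refs:
        if flt not in filters:
            findings.add(f"{where}: filter {flt} is not defined")
    for iface, mp in map_refs:
        if mp not in maps:
            findings.add(f"interface {iface}: scheduler-map {mp} is not defined")
            continue
        # A forwarding class assigned by a filter term but absent from the
        # applied scheduler map is a gap to flag before commit.
        for flt, term, fc in fc_refs:
            if fc not in maps[mp]:
                findings.add(f"scheduler-map {mp}: forwarding-class {fc} "
                             f"(assigned by filter {flt} term {term}) has no scheduler")
    for mp, entries in maps.items():
        for fc, sched in entries.items():
            if sched not in schedulers:
                findings.add(f"scheduler-map {mp}: scheduler {sched} for {fc} is not defined")
    return sorted(findings)


# Corrected configuration: reference the policer that exists and map network-control.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "then policer icmp-policer", "then policer icmp-connection-policer"
) + "set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control\n"

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("fixed config findings:", check_config(FIXED_CONFIG))
```

Run stand-alone it reports the two slips in SAMPLE_CONFIG and an empty list for FIXED_CONFIG. The checker is deliberately name-based; it does not validate match conditions or policer values, only that every object a statement points at exists somewhere in the same set of statements.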

Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

To quickly configure a VLAN firewall filter on voice-vlan to prevent rogue devices from
using HTTP sessions to mimic the gatekeeper device that manages VoIP traffic, copy
the following commands and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then count rogue-counter
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then discard
set vlans voice-vlan description "block rogue devices on voice-vlan"
set vlans voice-vlan filter input ingress-vlan-rogue-block

Step-by-Step Procedure

To configure and apply a VLAN firewall filter on voice-vlan to prevent rogue devices from using HTTP to mimic the gatekeeper device that manages VoIP traffic:

1. Define the firewall filter ingress-vlan-rogue-block to specify filter matching on the traffic you want to permit and restrict:

[edit firewall]
user@switch# set family ethernet-switching filter ingress-vlan-rogue-block

2. Define the term to-gatekeeper to accept packets that match the destination IP address of the gatekeeper:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term to-gatekeeper from destination-address 192.0.2.14
user@switch# set term to-gatekeeper from destination-port 80
user@switch# set term to-gatekeeper then accept

3. Define the term from-gatekeeper to accept packets that match the source IP address of the gatekeeper:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term from-gatekeeper from source-address 192.0.2.14
user@switch# set term from-gatekeeper from source-port 80
user@switch# set term from-gatekeeper then accept

4. Define the term not-gatekeeper to ensure that all voice-vlan traffic on TCP port 80 is destined for the gatekeeper device; any other port 80 traffic is counted and discarded:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term not-gatekeeper from destination-port 80
user@switch# set term not-gatekeeper then count rogue-counter
user@switch# set term not-gatekeeper then discard

5. Apply the firewall filter ingress-vlan-rogue-block as an input filter to the VLAN interface for the VoIP telephones:

[edit]
user@switch# set vlans voice-vlan description "block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input ingress-vlan-rogue-block

Results

Display the results of the configuration:

user@switch# show
firewall {
    family ethernet-switching {
        filter ingress-vlan-rogue-block {
            term to-gatekeeper {
                from {
                    destination-address 192.0.2.14/32;
                    destination-port 80;
                }
                then {
                    accept;
                }
            }
            term from-gatekeeper {
                from {
                    source-address 192.0.2.14/32;
                    source-port 80;
                }
                then {
                    accept;
                }
            }
            term not-gatekeeper {
                from {
                    destination-port 80;
                }
                then {
                    count rogue-counter;
                    discard;
                }
            }
        }
    }
}
vlans {
    voice-vlan {
        description "block rogue devices on voice-vlan";
        filter {
            input ingress-vlan-rogue-block;
        }
    }
}
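Both the ingress port filter of the previous section (with its policers and its catch-all best-effort term) and the ingress-vlan-rogue-block filter above can be traced with the evaluator below, an added example that is not code from the JUNOS guide. The packet model, the MAC and IP values and the burst timings are constructed for illustration. The evaluator follows Junos term semantics: terms are tried in order and the first match decides; a packet that exceeds a term's policer takes the policer's action (here discard); and a packet that matches no term falls to the implicit discard at the end of every firewall filter. That last rule is why the port filter ends with a term that has no match conditions, and it is also why ingress-vlan-rogue-block, as written, leaves voice-vlan traffic that is not HTTP to or from the gatekeeper (the RTP media streams, for instance) to the implicit discard; the third sample in rogue_block_examples() shows that outcome.

```python
"""First-match evaluation of Junos-style filter terms with a token-bucket policer.

Added example, not code from the JUNOS guide; packet values and burst timings
are constructed. Terms are tried in order; the first match wins; a packet that
exceeds a term's policer is discarded; no match at all means implicit discard.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src_mac: str = ""
    src_ip: str = ""
    dst_ip: str = ""
    protocol: str = ""              # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    length: int = 100               # bytes, consumed from the policer bucket


class Policer:
    """Single-rate token bucket: bandwidth-limit refills it, burst-size-limit caps it."""

    def __init__(self, bandwidth_bps: int, burst_bytes: int):
        self.rate = bandwidth_bps / 8.0   # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = self.burst
        self.last = 0.0

    def conforms(self, pkt: Packet, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            return True
        return False


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)   # field -> value, or list of values (OR)
    action: str = "accept"
    policer: Optional[Policer] = None
    forwarding_class: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            have = getattr(pkt, key)
            if key in ("src_ip", "dst_ip"):
                if not have or ip_address(have) not in ip_network(want, strict=False):
                    return False
            elif isinstance(want, (list, tuple, set)):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True


def run_filter(terms, pkt: Packet, now: float = 0.0):
    """Return (term name, action, forwarding class); a None term name is the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            if term.policer is not None and not term.policer.conforms(pkt, now):
                return term.name, "discard", None      # out of profile: policer's then discard
            return term.name, term.action, term.forwarding_class
    return None, "discard", None


def ingress_port_filter(tcp_policer: Policer):
    """Three of the terms of ingress-port-voip-class-limit-tcp-icmp, catch-all included."""
    return [
        Term("voip-high", {"src_mac": ["00:05:85:00:00:01", "00:05:85:00:00:02"], "protocol": "udp"},
             forwarding_class="expedited-forwarding"),
        Term("tcp-connection", {"dst_ip": "192.0.2.16/28", "protocol": "tcp"},
             policer=tcp_policer, forwarding_class="best-effort"),
        Term("best-effort", {}, forwarding_class="best-effort"),   # no match conditions
    ]


ROGUE_BLOCK_FILTER = [   # ingress-vlan-rogue-block as configured above: no catch-all term
    Term("to-gatekeeper", {"dst_ip": "192.0.2.14/32", "dst_port": 80}),
    Term("from-gatekeeper", {"src_ip": "192.0.2.14/32", "src_port": 80}),
    Term("not-gatekeeper", {"dst_port": 80}, action="discard"),
]


def classify_examples():
    terms = ingress_port_filter(Policer(bandwidth_bps=1_000_000, burst_bytes=30_000))
    return {
        "voice": run_filter(terms, Packet(src_mac="00:05:85:00:00:01", protocol="udp", dst_ip="192.0.2.2")),
        "http-to-employee": run_filter(terms, Packet(src_mac="00:11:22:33:44:55", protocol="tcp",
                                                     dst_ip="192.0.2.20", dst_port=80)),
        "other": run_filter(terms, Packet(src_mac="00:11:22:33:44:55", protocol="udp", dst_ip="192.0.2.50")),
    }


def burst_results(count: int, length: int, spacing: float = 0.0):
    """Send `count` TCP packets of `length` bytes toward employee-vlan, `spacing` seconds apart."""
    terms = ingress_port_filter(Policer(bandwidth_bps=1_000_000, burst_bytes=30_000))
    accepted = discarded = 0
    for i in range(count):
        pkt = Packet(src_mac="00:11:22:33:44:55", protocol="tcp", dst_ip="192.0.2.20", dst_port=443, length=length)
        _, action, _ = run_filter(terms, pkt, now=i * spacing)
        if action == "accept":
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


def rogue_block_examples():
    samples = {
        "to-gatekeeper": Packet(src_ip="192.0.2.1", dst_ip="192.0.2.14", protocol="tcp", dst_port=80),
        "rogue-http": Packet(src_ip="192.0.2.1", dst_ip="192.0.2.5", protocol="tcp", dst_port=80),
        "voice-rtp": Packet(src_ip="192.0.2.1", dst_ip="192.0.2.2", protocol="udp", dst_port=16384),
    }
    return {k: run_filter(ROGUE_BLOCK_FILTER, p)[:2] for k, p in samples.items()}
```

With a 30k burst-size-limit, a back-to-back burst of 25 packets of 1500 bytes sees 20 conform and 5 discarded, while the same packets spaced at the 1m bandwidth-limit (one 1500-byte packet every 12 ms) all conform; burst_results() reproduces both cases. The token-bucket model is a simplification of the platform policer (it ignores framing overhead and timer granularity), so treat the numbers as illustrative of the mechanism rather than of exact switch behaviour.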

Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

A firewall filter is configured and applied to VLAN interfaces to filter employee-vlan egress traffic. Employee traffic destined for the corporate subnet is accepted but not monitored. Employee traffic destined for the Web is counted and analyzed.
To quickly configure and apply a VLAN firewall filter, copy the following commands and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then count employee-web-counter
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then analyzer employee-monitor
set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic"
set vlans employee-vlan filter output egress-vlan-watch-employee


Step-by-Step Procedure

To configure and apply an egress VLAN firewall filter to count and analyze employee-vlan traffic that is destined for the Web:

1. Define the firewall filter egress-vlan-watch-employee:

[edit firewall]
user@switch# set family ethernet-switching filter egress-vlan-watch-employee

2. Define the term employee-to-corp to accept but not monitor all employee-vlan traffic destined for the corporate subnet:

[edit firewall family ethernet-switching filter egress-vlan-watch-employee]
user@switch# set term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set term employee-to-corp then accept

3. Define the term employee-to-web to count and monitor all employee-vlan traffic destined for the Web:

[edit firewall family ethernet-switching filter egress-vlan-watch-employee]
user@switch# set term employee-to-web from destination-port 80
user@switch# set term employee-to-web then count employee-web-counter
user@switch# set term employee-to-web then analyzer employee-monitor

NOTE: See Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches on page 1599 for information about configuring the employee-monitor analyzer.

4. Apply the firewall filter egress-vlan-watch-employee as an output filter to employee-vlan:

[edit]
user@switch# set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic"
user@switch# set vlans employee-vlan filter output egress-vlan-watch-employee

Results

Display the results of the configuration:

user@switch# show
firewall {
    family ethernet-switching {
        filter egress-vlan-watch-employee {
            term employee-to-corp {
                from {
                    destination-address 192.0.2.16/28;
                }
                then {
                    accept;
                }
            }
            term employee-to-web {
                from {
                    destination-port 80;
                }
                then {
                    count employee-web-counter;
                    analyzer employee-monitor;
                }
            }
        }
    }
}
vlans {
    employee-vlan {
        description "filter at egress VLAN to count and analyze employee to Web traffic";
        filter {
            output egress-vlan-watch-employee;
        }
    }
}

Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

In the following example, the first filter term permits guests to talk with other guests but not with employees on employee-vlan. The second filter term allows guests Web access but prevents them from using peer-to-peer applications on guest-vlan.
To quickly configure a VLAN firewall filter to restrict guest-to-employee traffic, blocking guests from talking with employees or employee hosts on employee-vlan or attempting to use peer-to-peer applications on guest-vlan, copy the following commands and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest from destination-address 192.0.2.33/28
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest then accept
set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer then accept
set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"
set vlans guest-vlan filter input ingress-vlan-limit-guest


Step-by-Step Procedure

To configure and apply a VLAN firewall filter to restrict guest-to-employee traffic and peer-to-peer applications on guest-vlan:

1. Define the firewall filter ingress-vlan-limit-guest:

[edit firewall]
user@switch# set family ethernet-switching filter ingress-vlan-limit-guest

2. Define the term guest-to-guest to permit guests on the guest-vlan to talk with other guests but not with employees on the employee-vlan:

[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]
user@switch# set term guest-to-guest from destination-address 192.0.2.33/28
user@switch# set term guest-to-guest then accept

3. Define the term no-guest-employee-no-peer-to-peer to allow guests on guest-vlan Web access but prevent them from using peer-to-peer applications on the guest-vlan.

NOTE: The destination-mac-address is the default gateway, which for any host in a VLAN is the next-hop router.

[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]
user@switch# set term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
user@switch# set term no-guest-employee-no-peer-to-peer then accept

4. Apply the firewall filter ingress-vlan-limit-guest as an input filter to the interface for guest-vlan:

[edit]
user@switch# set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"
user@switch# set vlans guest-vlan filter input ingress-vlan-limit-guest

Results

Display the results of the configuration:

user@switch# show
firewall {
    family ethernet-switching {
        filter ingress-vlan-limit-guest {
            term guest-to-guest {
                from {
                    destination-address 192.0.2.33/28;
                }
                then {
                    accept;
                }
            }
            term no-guest-employee-no-peer-to-peer {
                from {
                    destination-mac-address 00.05.85.00.00.DF;
                }
                then {
                    accept;
                }
            }
        }
    }
}
vlans {
    guest-vlan {
        description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN";
        filter {
            input ingress-vlan-limit-guest;
        }
    }
}

Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

To quickly configure a firewall filter for a routed port (Layer 3 uplink module) to filter employee-vlan traffic, giving highest forwarding-class priority to traffic destined for the corporate subnet, copy the following commands and paste them into the switch terminal window:
[edit]
set firewall family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28
set firewall family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding
set firewall family inet filter egress-router-corp-class term corp-expedite then loss-priority low
set firewall family inet filter egress-router-corp-class term not-to-corp then accept
set interfaces ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network"
set interfaces ge-0/1/0 unit 0 family inet address 103.104.105.1
set interfaces ge-0/1/0 unit 0 family inet filter output egress-router-corp-class

Step-by-Step Procedure

To configure and apply a firewall filter to a routed port (Layer 3 uplink module) to give highest priority to employee-vlan traffic destined for the corporate subnet:

1. Define the firewall filter egress-router-corp-class:

[edit]
user@switch# set firewall family inet filter egress-router-corp-class

2. Define the term corp-expedite:

[edit firewall]
user@switch# set family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28
user@switch# set family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding
user@switch# set family inet filter egress-router-corp-class term corp-expedite then loss-priority low

3. Define the term not-to-corp:

[edit firewall]
user@switch# set family inet filter egress-router-corp-class term not-to-corp then accept

4. Apply the firewall filter egress-router-corp-class as an output filter for the port on the switch's uplink module, which provides a Layer 3 connection to a router:

[edit interfaces]
user@switch# set ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network"
user@switch# set ge-0/1/0 unit 0 family inet address 103.104.105.1
user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-corp-class

Results

Display the results of the configuration:

user@switch# show
firewall {
    family inet {
        filter egress-router-corp-class {
            term corp-expedite {
                from {
                    destination-address 192.0.2.16/28;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            term not-to-corp {
                then {
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/1/0 {
        description "filter at egress router to expedite employee traffic destined for corporate network";
        unit 0 {
            family inet {
                address 103.104.105.1;
                filter {
                    output egress-router-corp-class;
                }
            }
        }
    }
}

Verification
To confirm that the firewall filters are working properly, perform the following tasks:

Verifying that Firewall Filters and Policers are Operational on page 1293

Verifying that Schedulers and Scheduler-Maps are Operational on page 1293

Verifying that Firewall Filters and Policers are Operational

Purpose
Verify the operational state of the firewall filters and policers that are configured on the switch.

Action
Use the operational mode command:

user@switch> show firewall
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                                Packets
icmp-counter                                              0
tcp-counter                                               0
Policers:
Name                                                Packets
icmp-connection-policer                                   0
tcp-connection-policer                                    0

Filter: ingress-vlan-rogue-block
Filter: egress-vlan-watch-employee
Counters:
Name                                                Packets
employee-web-counter                                      0

Meaning
The show firewall command displays the names of the firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for all configured counters and the packet count for all policers.
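The counters and policer counts above are the operational evidence that the filters are doing what the configuration intends, and polling them is the simplest way to watch the rate limits and the rogue-device term over time: a rising policer count means packets exceeded the configured bandwidth-limit and burst-size-limit and were discarded, and a rising rogue-counter means something on voice-vlan is sending HTTP to a host other than the gatekeeper. The parser below is an added example, not code from the JUNOS guide; SAMPLE_OUTPUT is constructed in the shape of the output shown above with non-zero counts filled in, and the parser keys on the "Filter:", "Counters:" and "Policers:" lines and takes the last column of each row as the packet count, so it also copes with a layout that carries a Bytes column before Packets.

```python
"""Parse 'show firewall' output and flag policers that are discarding traffic.

Added example, not code from the JUNOS guide. SAMPLE_OUTPUT is constructed in
the shape of the command output above, with non-zero counts filled in.
"""

SAMPLE_OUTPUT = """\
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                                Packets
icmp-counter                                             12
tcp-counter                                            4021
Policers:
Name                                                Packets
icmp-connection-policer                                   0
tcp-connection-policer                                  317
Filter: ingress-vlan-rogue-block
Counters:
Name                                                Packets
rogue-counter                                             8
Filter: egress-vlan-watch-employee
Counters:
Name                                                Packets
employee-web-counter                                   1200
"""


def parse_show_firewall(text):
    """Return {filter: {"counters": {name: packets}, "policers": {name: packets}}}."""
    result, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {"counters": {}, "policers": {}}
            section = None
        elif line == "Counters:":
            section = "counters"
        elif line == "Policers:":
            section = "policers"
        elif line.startswith("Name"):
            continue                      # column header row
        elif current and section:
            name, *columns = line.split()
            result[current][section][name] = int(columns[-1])   # packets is the last column
    return result


def active_policers(parsed):
    """(filter, policer, packets) for every policer that has discarded at least one packet."""
    return [(flt, name, n) for flt, data in parsed.items()
            for name, n in data["policers"].items() if n > 0]


def counter_deltas(previous, current):
    """Packets counted between two polls, keyed by (filter, counter).

    A counter that did not exist in the previous poll is treated as starting at zero.
    """
    deltas = {}
    for flt, data in current.items():
        for name, n in data["counters"].items():
            before = previous.get(flt, {}).get("counters", {}).get(name, 0)
            deltas[(flt, name)] = n - before
    return deltas


if __name__ == "__main__":
    snapshot = parse_show_firewall(SAMPLE_OUTPUT)
    for flt, name, n in active_policers(snapshot):
        print(f"policer {name} on filter {flt} has discarded {n} packets")
    later = parse_show_firewall(SAMPLE_OUTPUT.replace(" 8\n", " 20\n"))
    print("rogue-counter delta:", counter_deltas(snapshot, later)[("ingress-vlan-rogue-block", "rogue-counter")])
```

Junos counters are cumulative until cleared, so the useful signal for monitoring is the delta between two polls, as counter_deltas() computes, rather than the absolute value; a non-zero delta on rogue-counter between polls is what to alert on.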

Verifying that Schedulers and Scheduler-Maps are Operational

Purpose
Verify that schedulers and scheduler-maps are operational on the switch.

Action
Use the operational mode command:
user@switch> show class-of-service scheduler-map
Scheduler map: default, Index: 2

  Scheduler: default-be, Forwarding class: best-effort, Index: 20
    Transmit rate: 95 percent, Rate Limit: none, Buffer size: 95 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             non-TCP         1    default-drop-profile
      Low             TCP             1    default-drop-profile
      High            non-TCP         1    default-drop-profile
      High            TCP             1    default-drop-profile

  Scheduler: default-nc, Forwarding class: network-control, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             non-TCP         1    default-drop-profile
      Low             TCP             1    default-drop-profile
      High            non-TCP         1    default-drop-profile
      High            TCP             1    default-drop-profile

Scheduler map: ethernet-diffsrv-cos-map, Index: 21657

  Scheduler: best-effort, Forwarding class: best-effort, Index: 61257
    Transmit rate: remainder, Rate Limit: none, Buffer size: 75 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             non-TCP         1    <default-drop-profile>
      Low             TCP             1    <default-drop-profile>
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: voice-high, Forwarding class: expedited-forwarding, Index: 3123
    Transmit rate: remainder, Rate Limit: none, Buffer size: 15 percent,
    Priority: high
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             non-TCP         1    <default-drop-profile>
      Low             TCP             1    <default-drop-profile>
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: net-control, Forwarding class: network-control, Index: 2451
    Transmit rate: remainder, Rate Limit: none, Buffer size: 10 percent,
    Priority: high
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             non-TCP         1    <default-drop-profile>
      Low             TCP             1    <default-drop-profile>
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

Meaning
Displays statistics about the configured schedulers and scheduler-maps.

Related Topics

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use
on EX Series Switches on page 1605

Example: Configuring CoS on EX Series Switches on page 1373

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

[edit firewall] Configuration Statement Hierarchy on page 44

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security
Device on EX Series Switches

Administrators can configure filter-based forwarding on an EX Series switch by using
a firewall filter to forward matched traffic to a specific virtual routing instance.
This example describes how to set up filter-based forwarding:

Requirements on page 1295

Overview and Topology on page 1295

Configuration on page 1295

Verification on page 1297

Requirements
This example uses the following software and hardware components:

One EX Series switch

JUNOS Release 9.4 or later for EX Series switches

Overview and Topology

In this example, traffic from one application server that is destined for a different
application server is matched by a firewall filter based on the IP address. Any
matching packets are routed to a particular virtual routing instance that first sends
all traffic to a security device, then forwards it to the designated destination address.

Configuration
To configure filter-based forwarding:
CLI Quick Configuration

To quickly create and configure filter-based forwarding, copy the following commands
and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24
set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24
set firewall family inet filter fil term t1 from source-address 1.1.1.1/32
set firewall family inet filter fil term t1 from protocol tcp
set interfaces ge-0/0/0 unit 0 family inet filter input fil
set routing-instances vrf01 instance-type virtual-router
set routing-instances vrf01 interface ge-0/0/1.0
set routing-instances vrf01 interface ge-0/0/3.0
set routing-instances vrf01 routing-options static route 12.34.56.0/24 next-hop 10.1.3.254
set firewall family inet filter fil term t1 then routing-instance vrf01

Step-by-Step Procedure

To configure filter-based forwarding:

1. Create interfaces to the application servers:

[edit]
user@switch# set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24
user@switch# set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24

2. Create a firewall filter that matches the correct source address:

[edit]
user@switch# set firewall family inet filter fil term t1 from source-address 1.1.1.1/32
user@switch# set firewall family inet filter fil term t1 from protocol tcp

3. Associate the filter with the source application server's interface:

[edit]
user@switch# set interfaces ge-0/0/0 unit 0 family inet filter input fil

4. Create a virtual router:

[edit]
user@switch# set routing-instances vrf01 instance-type virtual-router

5. Associate the interfaces with the virtual router:

[edit]
user@switch# set routing-instances vrf01 interface ge-0/0/1.0
user@switch# set routing-instances vrf01 interface ge-0/0/3.0

6. Configure the routing information for the virtual routing instance:

[edit]
user@switch# set routing-instances vrf01 routing-options static route 12.34.56.0/24 next-hop 10.1.3.254

7. Set the filter to forward packets to the virtual router you created:

[edit]
user@switch# set firewall family inet filter fil term t1 then routing-instance vrf01

Results

Check the results of the configuration:


user@switch> show configuration
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
filter {
input fil;
}
address 10.1.0.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 10.1.3.1/24;
}
}
}
}
firewall {
family inet {
filter fil {
term t1 {
from {
source-address {
1.1.1.1/32;
}
protocol tcp;
}
then {
routing-instance vrf01;
}
}
}
}
}
routing-instances {
vrf01 {
instance-type virtual-router;
interface ge-0/0/1.0;
interface ge-0/0/3.0;
routing-options {
static {
route 12.34.56.0/24 next-hop 10.1.3.254;
}
}
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That Filter-Based Forwarding Was Configured on page 1297

Verifying That Filter-Based Forwarding Was Configured

Purpose

Verify that filter-based forwarding was properly enabled on the switch.

Action

1. Use the show interfaces filters command:

user@switch> show interfaces filters ge-0/0/0.0
Interface       Admin Link Proto Input Filter         Output Filter
ge-0/0/0.0      up    down inet  fil

2. Use the show route forwarding-table command:

user@switch> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     1 0:12:f2:21:cf:0    ucst   331     4 me0.0
default            perm     0                    rjct    36     3
0.0.0.0/32         perm     0                    dscd    34     1
10.1.0.0/24        ifdn     0                    rslv   613     1 ge-0/0/0.0
10.1.0.0/32        iddn     0 10.1.0.0           recv   611       ge-0/0/0.0
10.1.0.1/32        user     0                    rjct    36     3
10.1.0.1/32        intf     0 10.1.0.1           locl   612     2
10.1.0.1/32        iddn     0 10.1.0.1           locl   612     2
10.1.0.255/32      iddn     0 10.1.0.255         bcst   610     1 ge-0/0/0.0
10.1.1.0/26        ifdn     0                    rslv   583     1 vlan.0
10.1.1.0/32        iddn     0 10.1.1.0           recv   581     1 vlan.0
10.1.1.1/32        user     0                    rjct    36     3
10.1.1.1/32        intf     0 10.1.1.1           locl   582     2
10.1.1.1/32        iddn     0 10.1.1.1           locl   582     2
10.1.1.63/32       iddn     0 10.1.1.63          bcst   580     1 vlan.0
255.255.255.255/32 perm     0                    bcst    32     1

Routing table: vrf01.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   559     2
0.0.0.0/32         perm     0                    dscd   545     1
10.1.3.0/24        ifdn     0                    rslv   617     1 ge-0/0/3.0
10.1.3.0/32        iddn     0 10.1.3.0           recv   615       ge-0/0/3.0
10.1.3.1/32        user     0                    rjct   559     2
10.1.3.1/32        intf     0 10.1.3.1           locl   616     2
10.1.3.1/32        iddn     0 10.1.3.1           locl   616     2
10.1.3.255/32      iddn     0 10.1.3.255         bcst   614     1 ge-0/0/3.0
224.0.0.0/4        perm     0                    mdsc   546     1
224.0.0.1/32       perm     0 224.0.0.1          mcst   529     1
255.255.255.255/32 perm     0                    bcst   543     1

Routing table: default.iso
ISO:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct    60     1

Routing table: vrf01.iso
ISO:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   600     1

Meaning
The output indicates that the filter was created on the interface and that the virtual
routing instance is forwarding matching traffic to the correct IP address.

Related Topics

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Static Routing (CLI Procedure) on page 780

Configuring Static Routing (J-Web Procedure) on page 781

Understanding Filter-Based Forwarding for EX Series Switches on page 1274

Chapter 64

Configuring Firewall Filters

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding
Behavior (CLI Procedure) on page 1313

Configuring Firewall Filters (CLI Procedure)


You configure firewall filters on EX Series switches to control traffic that enters ports
on the switch or enters and exits VLANs on the network and Layer 3 (routed)
interfaces. To configure a firewall filter you must configure the filter and then apply
it to a port, VLAN, or Layer 3 interface.

Configuring a Firewall Filter on page 1301

Applying a Firewall Filter to a Port on a Switch on page 1304

Applying a Firewall Filter to a VLAN on a Network on page 1305

Applying a Firewall Filter to a Layer 3 (Routed) Interface on page 1305

Configuring a Firewall Filter

To configure a firewall filter:

1. Configure the family address type for the firewall filter:

For a firewall filter that is applied to a port or VLAN, specify the family
address type ethernet-switching to filter Layer 2 (Ethernet) packets and Layer
3 (IP) packets, for example:
[edit firewall]
user@switch# set family ethernet-switching

For a firewall filter that is applied to a Layer 3 (routed) interface, specify the
family address type inet to filter IPv4 packets, for example:
[edit firewall]
user@switch# set family inet

2. Specify the filter name:

[edit firewall family ethernet-switching]
user@switch# set filter ingress-port-filter

The filter name can contain letters, numbers, and hyphens (-) and can contain
up to 64 characters. Each filter name must be unique.

3. If you want to apply a firewall filter to multiple interfaces and name individual
firewall counters specific to each interface, configure the interface-specific option:
[edit firewall family ethernet-switching filter ingress-port-filter]
user@switch# set interface-specific

4. Specify a term name:

[edit firewall family ethernet-switching filter ingress-port-filter]
user@switch# set term term-one

The term name can contain letters, numbers, and hyphens (-) and can be up to
64 characters long.
A firewall filter can contain one or more terms. Each term name must be unique
within a filter.

NOTE: For EX3200 and EX4200 switches, the maximum number of terms allowed
per firewall filter is 2048. For EX8200 switches, the maximum number of terms
allowed per firewall filter is 32768. If you attempt to configure a firewall filter that
exceeds these limits, the switch returns an error message when you commit the
configuration.

5. In each firewall filter term, specify the match conditions to use to match
components of a packet.

To specify match conditions to match on packets that contain a specific
source-address and source-port, for example:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set from source-address 192.0.2.14
user@switch# set from source-port 80

You can specify one or more match conditions in a single from statement. For
a match to occur, the packet must match all the conditions in the term.
The from statement is optional, but if included in a term, the from statement
cannot be empty. If you omit the from statement, all packets are considered to
match.

6. In each firewall filter term, specify the actions to take if the packet matches all
the conditions in that term.
You can specify an action and/or action modifiers:

To specify a filter action, for example, to discard packets that match the
conditions of the filter term:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set then discard

You can specify no more than one action (accept, discard, or routing-instance)
per filter term.

To specify action modifiers, for example, to count and classify packets in a
forwarding class:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set then count counter-one
user@switch# set then forwarding-class expedited-forwarding

You can specify any of the following action modifiers in a then statement:

analyzer analyzer-name: Mirror port traffic to a specified destination port
or VLAN that is connected to a protocol analyzer application. An analyzer
must be configured under the ethernet-switching family address type.
See Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on
page 1613.

count counter-name: Count the number of packets that pass this filter
term.

NOTE: We recommend that you configure a counter for each term in a firewall filter,
so that you can monitor the number of packets that match the conditions specified
in each filter term.

forwarding-class class: Classify packets in a forwarding class.

loss-priority priority: Set the priority of dropping a packet.

policer policer-name: Apply rate-limiting to the traffic.

If you omit the then statement or do not specify an action, packets that match
all the conditions in the from statement are accepted. However, you must always
explicitly configure an action and/or action modifier in the then statement. You
can include no more than one action statement, but you can use any combination
of action modifiers. For an action or action modifier to take effect, all conditions
in the from statement must match.

NOTE: Implicit discard is also applicable to a firewall filter applied to the loopback
interface, lo0.
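The evaluation rules stated in this procedure (terms tried in order, every from condition ANDed, a term without from matching everything, one action per term, modifiers applied to the matching term, implicit discard when nothing matches) are easy to get wrong when writing a filter. The Python below is an added example, not code from the Juniper guide or from JUNOS itself: it models those rules and runs them against filter fil from the filter-based forwarding example earlier on this page, both as configured there and with a hypothetical final accept term added. The counter names and the packets are constructed.

```python
"""Model of how an EX Series firewall filter evaluates a packet.

Added example, not code from the Juniper guide. It encodes the rules the
procedure states: terms are evaluated in order; every condition in a term's
from statement must match; a term with no from statement matches every
packet; the first matching term's action (accept, discard or
routing-instance) decides; then modifiers such as count apply to that term;
and a packet that matches no term is implicitly discarded. Filter 'fil' from
the filter-based forwarding example is reproduced; the counter names, the
extra accept term and the packets are hypothetical.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                 # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass
class Term:
    name: str
    # from conditions (None means "not configured")
    source_address: Optional[str] = None       # prefix such as "1.1.1.1/32"
    destination_address: Optional[str] = None
    protocol: Optional[str] = None
    destination_port: Optional[int] = None
    # then clause: at most one action, any number of modifiers
    action: Optional[str] = None               # "accept", "discard" or "routing-instance"
    routing_instance: Optional[str] = None
    count: Optional[str] = None                # counter name for the count modifier

    def matches(self, pkt: Packet) -> bool:
        """All configured from conditions must hold (logical AND)."""
        checks = []
        if self.source_address is not None:
            checks.append(ip_address(pkt.src) in ip_network(self.source_address, strict=False))
        if self.destination_address is not None:
            checks.append(ip_address(pkt.dst) in ip_network(self.destination_address, strict=False))
        if self.protocol is not None:
            checks.append(pkt.protocol == self.protocol)
        if self.destination_port is not None:
            checks.append(pkt.dst_port == self.destination_port)
        return all(checks)  # no from statement: all() of an empty list is True


@dataclass
class Filter:
    name: str
    terms: List[Term]
    counters: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, pkt: Packet) -> str:
        """Return the verdict: 'accept', 'discard' or 'routing-instance <name>'."""
        for term in self.terms:
            if not term.matches(pkt):
                continue
            if term.count:  # the count modifier applies to packets matching this term
                self.counters[term.count] = self.counters.get(term.count, 0) + 1
            if term.action == "routing-instance":
                return f"routing-instance {term.routing_instance}"
            # a then statement with only modifiers and no action accepts the packet
            return term.action or "accept"
        return "discard"  # implicit discard: no term matched


def fbf_filter_as_configured() -> Filter:
    """Filter 'fil' as the filter-based forwarding example configures it
    (counter name is a hypothetical addition)."""
    return Filter("fil", [
        Term("t1", source_address="1.1.1.1/32", protocol="tcp",
             action="routing-instance", routing_instance="vrf01", count="t1-counter"),
    ])


def fbf_filter_with_final_accept() -> Filter:
    """Same filter plus a hypothetical catch-all accept term, so traffic that is
    not redirected still passes instead of hitting the implicit discard."""
    f = fbf_filter_as_configured()
    f.terms.append(Term("allow-rest", action="accept", count="allow-rest-counter"))
    return f


if __name__ == "__main__":
    redirected = Packet("1.1.1.1", "12.34.56.7", "tcp", 443)   # constructed
    other = Packet("10.1.0.50", "12.34.56.7", "udp", 53)        # constructed
    for build in (fbf_filter_as_configured, fbf_filter_with_final_accept):
        f = build()
        print(f"{build.__name__}: {f.evaluate(redirected)} / {f.evaluate(other)} / {f.counters}")
```

Running the model shows the practical consequence of the implicit discard: with only term t1 configured, every packet on ge-0/0/0 that is not TCP from 1.1.1.1 is dropped, which is why a filter that only redirects some traffic normally ends with an explicit accept term.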

Applying a Firewall Filter to a Port on a Switch

To apply a firewall filter to an ingress port on a switch:

1. Specify the interface name and provide a meaningful description of the firewall
filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter
at trunk port for employee-vlan and voice-vlan applied on the interface"

NOTE: Providing the description is optional.

2. Specify the unit number and family address type for the interface:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching

For firewall filters that are applied to ports, the family address type must be
ethernet-switching.

3. To apply a firewall filter to filter packets that are entering a port:

[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter

You cannot apply a firewall filter to filter packets that are exiting ports.

NOTE: You can apply no more than one firewall filter per ingress port.

Applying a Firewall Filter to a VLAN on a Network

To apply a firewall filter to a VLAN:

1. Specify the VLAN name and VLAN ID and provide a meaningful description of
the firewall filter and the VLAN to which the filter is applied:
[edit vlans]
user@switch# set employee-vlan vlan 20 vlan-description "filter to rate
limit traffic applied on employee-vlan"

NOTE: Providing the description is optional.

2. Apply firewall filters to filter packets that are entering or exiting the VLAN:

To apply a firewall filter to filter packets that are entering the VLAN:
[edit vlans]
user@switch# set employee-vlan vlan 20 filter input ingress-vlan-filter

To apply a firewall filter to filter packets that are exiting the VLAN:
[edit vlans]
user@switch# set employee-vlan vlan 20 filter output egress-vlan-filter

NOTE: You can apply no more than one firewall filter per VLAN, per direction.

Applying a Firewall Filter to a Layer 3 (Routed) Interface

To apply a firewall filter to a Layer 3 routed interface on a switch:

1. Specify the interface name and provide a meaningful description of the firewall
filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/1/0 description "filter to count and monitor
employee-vlan traffic applied on layer 3 interface"

NOTE: Providing the description is optional.

2. Specify the unit number, family address type, and address for the interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24

For firewall filters applied to Layer 3 routed interfaces, the family address type
must be inet.

3. You can apply firewall filters to filter packets that are entering or exiting a Layer 3
routed interface. The filter statement sits under family inet, beside the address
statement, as shown in the Results sections of the examples in this chapter:

To apply a firewall filter to filter packets that are entering a Layer 3 interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet filter input ingress-router-filter

To apply a firewall filter to filter packets that are exiting a Layer 3 interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-filter

NOTE: You can apply no more than one firewall filter per Layer 3 interface, per
direction.

Related Topics

Configuring Firewall Filters (J-Web Procedure) on page 1307

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security
Device on EX Series Switches on page 1295

Verifying That Firewall Filters Are Operational on page 1315

Monitoring Firewall Filter Traffic on page 1316

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding
Behavior (CLI Procedure) on page 1313

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Firewall Filters for EX Series Switches Overview on page 1249

Configuring Firewall Filters (J-Web Procedure)

You configure firewall filters on EX Series switches to control traffic that enters ports
on the switch or enters and exits VLANs on the network and Layer 3 (routed)
interfaces. To configure a firewall filter you must configure the filter and then apply
it to a port, VLAN, or Layer 3 interface.
To configure firewall filter settings using the J-Web interface:

1. Select Configure > Security > Filters.

The Firewall Filter Configuration page displays a list of all configured port/VLAN
or router filters and the ports or VLANs associated with a particular filter.

2. Click one:

Add: Select this option to create a new filter. Enter information as specified
in Table 164 on page 1307.

Edit: Select this option to edit an existing filter. Enter information as
specified in Table 164 on page 1307.

Delete: Select this option to delete a filter.

Term Up: Select this option to move a term up in the filter term list.

Term Down: Select this option to move a term down in the filter term list.

Table 164: Create a New Filter

Filter tab

Filter type
  Function: Specifies the filter type: port/VLAN firewall filter or router firewall
  filter.
  Your Action: Select the filter type.

Filter name
  Function: Specifies the name for the filter.
  Your Action: Enter a name.

Select terms to be part of the filter
  Function: Specifies the terms to be associated with the filter. Add new terms or
  edit existing terms.
  Your Action: Click Add to add new terms. Enter information as specified in
  Table 165 on page 1308 and Table 166 on page 1309.

Association tab

Port Associations
  Function: Specifies the ports with which the filter is associated.
  NOTE: For a port/VLAN filter type, only Ingress direction is supported for port
  association.
  Your Action:
  1. Click Add.
  2. Select the direction: Ingress or Egress.
  3. Select the ports.
  4. Click OK.

VLAN Associations
  Function: Specifies the VLANs with which the filter is associated.
  NOTE: Because router firewall filters can be associated with ports only, this
  section is not displayed for a router firewall filter.
  Your Action:
  1. Click Add.
  2. Select the direction: Ingress or Egress.
  3. Select the VLANs.
  4. Click OK.

Table 165: Create a New Term

Term Name
  Function: Specifies the name of the term.
  Your Action: Enter a name.

Protocols
  Function: Specifies the protocols to be associated with the term.
  Your Action:
  1. Click Add.
  2. Select the protocols.
  3. Click OK.

Source
  Function: Specifies the source IP address, MAC address, and available ports.
  NOTE: MAC address is specified only for port/VLAN filters.
  Your Action: To specify the IP address, click Add > IP and enter the IP address.
  To specify the MAC address, click Add > MAC and enter the MAC address.
  To specify the ports (interfaces), click Add > Ports and enter the port number.
  To delete the IP address, MAC address, or port details, select it and click Remove.

Destination
  Function: Specifies the destination IP address, MAC address, and available ports.
  NOTE: MAC address is specified only for port/VLAN filters.
  Your Action: To specify the IP address, click Add > IP and enter the IP address.
  To specify the MAC address, click Add > MAC and enter the MAC address.
  To specify the ports (interfaces), click Add > Ports and enter the port number.
  To delete the IP address, MAC address, or port details, select it and click Remove.

Action
  Function: Specifies the packet action for the term.
  Your Action: Select one: Accept or Discard.

More
  Function: Specifies advanced configuration options for the filter.
  Your Action: Select the match conditions as specified in Table 166 on page 1309.
  Select the packet action for the term as specified in Table 166 on page 1309.

Table 166: Advanced Options for Terms

ICMP Type
  Function: Specifies the ICMP packet type field. Typically, you specify this match
  condition in conjunction with the protocol match condition to determine which
  protocol is being used on the port.
  Your Action: Select the option from the list.

ICMP Code
  Function: Specifies more specific information than ICMP type. Because the value's
  meaning depends upon the associated ICMP type, you must specify icmp-type along
  with icmp-code. The keywords are grouped by the ICMP type with which they are
  associated.
  Your Action: Select a value from the list.

DSCP
  Function: Specifies the Differentiated Services code point (DSCP). The DiffServ
  protocol uses the type-of-service (ToS) byte in the IP header. The most significant
  six bits of this byte form the DSCP.
  Your Action: Select the DSCP number from the list.

Precedence
  Function: Specifies IP precedence.
  NOTE: IP precedence and DSCP number cannot be specified together for the same
  term.
  Your Action: Select the option from the list.

IP Options
  Function: Specifies the presence of the options field in the IP header.
  Your Action: Select the option from the list.

Interface
  Function: Specifies the interface on which the packet is received.
  Your Action: Select the interface from the list.

Ether type
  Function: Specifies the Ethernet type field of a packet.
  NOTE: This option is not applicable for a routing filter.
  Your Action: Select a value from the list.

Dot1q user priority
  Function: Specifies the user-priority field of the tagged Ethernet packet.
  User-priority values can be 0 through 7.
  In place of the numeric value, you can specify one of the following text synonyms
  (the field values are also listed):
    background (1): Background
    best-effort (0): Best effort
    controlled-load (4): Controlled load
    excellent-load (3): Excellent load
    network-control (7): Network control reserved traffic
    standard (2): Standard or Spare
    video (5): Video
    voice (6): Voice
  NOTE: This option is not applicable for a routing filter.
  Your Action: Select a value from the list.

VLAN
  Function: Specifies the VLAN to be associated with the packet.
  NOTE: This option is not applicable for a routing filter.
  Your Action: Select the VLAN from the list.

TCP Flags
  Function: Specifies one or more TCP flags.
  NOTE: TCP flags are supported on ingress ports, VLANs, and router interfaces.
  Your Action: Select the option TCP Initial or enter a combination of TCP flags.

Fragmentation Flags
  Function: Specifies the IP fragmentation flags.
  NOTE: Fragmentation flags are supported on ingress ports, VLANs, and router
  interfaces.
  Your Action: Select either the option is-fragment or enter a combination of
  fragment action flags.

Dot1q tag
  Function: Specifies the value for the tag field in the Ethernet header. Values can
  be from 1 through 4095.
  NOTE: This option is not applicable for a routing filter.
  Your Action: Enter the value.

Action

Counter name
  Function: Specifies the count of the number of packets that pass this filter, term,
  or policer.
  Your Action: Enter a value.

Forwarding class
  Function: Classifies the packet into one of the following forwarding classes:
    assured-forwarding
    best-effort
    expedited-forwarding
    network-control
    user-defined
  Your Action: Select the option from the list.

Loss priority
  Function: Specifies the packet loss priority.
  NOTE: Forwarding class and loss priority should be specified together for the
  same term.
  Your Action: Enter the value.

Analyzer
  Function: Specifies whether to perform port-mirroring on packets. Port-mirroring
  copies all packets entering one switch port to a network monitoring connection on
  another switch port.
  Your Action: Select the analyzer (port mirroring configuration) from the list.

Related Topics
Configuring Firewall Filters (CLI Procedure) on page 1301

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Verifying That Firewall Filters Are Operational on page 1315

Firewall Filters for EX Series Switches Overview on page 1249

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Configuring Policers to Control Traffic Rates (CLI Procedure)

You can configure policers to rate limit traffic on EX Series switches. After you
configure a policer, you can include it in an ingress firewall filter configuration.
When you configure a firewall filter, you can specify a policer action for any term or
terms within the filter. All traffic that matches a term that contains a policer action
goes through the policer that the term references. Each policer that you configure
includes an implicit counter. To get term-specific packet counts, you must configure
a new policer for each filter term that requires policing.
The following policer limits apply on the switch:

A maximum of 512 policers can be configured for port firewall filters.

A maximum of 512 policers can be configured for VLAN and Layer 3 firewall
filters.

If the policer configuration exceeds these limits, the switch returns the following
message after the commit operation:
Cannot assign policers: Max policer limit reached

1. Configuring Policers on page 1311
2. Specifying Policers in a Firewall Filter Configuration on page 1312
3. Applying a Firewall Filter That Is Configured with a Policer on page 1312

Configuring Policers
To configure a policer:

1. Specify the name of the policer:

[edit firewall]
user@switch# set policer policer-one

The policer name can contain letters, numbers, and hyphens (-) and can be up
to 64 characters long.

2. Configure rate limiting for the policer:

a. Specify the bandwidth limit in bits per second (bps) to control the traffic rate
on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k

The range for the bandwidth limit is 1k through 102.3g bps.

b. Specify the maximum allowed burst size to control the amount of traffic
bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k

To determine the value for the burst-size limit, multiply the bandwidth of
the interface on which the filter is applied by the amount of time to allow a
burst of traffic at that bandwidth to occur:

burst size = bandwidth * allowable time for burst traffic

The range for the burst-size limit is 1 through 2,147,450,880 bytes.

3. Specify the policer action discard to discard packets that exceed the rate limits:
[edit firewall policer]
user@switch# set policer-one then discard

Discard is the only supported policer action.

Specifying Policers in a Firewall Filter Configuration

To reference a policer, configure a filter term that includes the policer action:
[edit firewall family ethernet-switching]
user@switch# set filter limit-hosts term term-one from source-address 192.0.2.16/28
user@switch# set filter limit-hosts term term-one then policer policer-one
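How bandwidth-limit and burst-size-limit interact is easier to see on a token-bucket model than from the two numbers alone. The Python below is an added example, not code from the Juniper guide or from JUNOS: it treats bandwidth-limit as the refill rate and burst-size-limit as the bucket depth, applies the burst size formula given above, parses the k/m/g suffixes the CLI accepts, and runs policer-one (300k bps, 500k bytes) against a constructed stream of 1500-byte frames. The exact token-bucket algorithm the switch hardware uses is not stated on this page; the model is the textbook single-rate policer.

```python
"""Token-bucket model of an EX Series policer.

Added example, not code from the Juniper guide. bandwidth-limit refills the
bucket at a steady rate and burst-size-limit is the bucket depth, so a burst
of up to burst-size-limit bytes passes before packets are discarded (discard
being the only policer action). The page's formula
burst size = bandwidth * allowable time for burst traffic is applied with
integer arithmetic, and the k/m/g suffixes of the CLI are parsed. The
packet stream fed to the policer is constructed.
"""
from typing import List, Tuple

SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_limit(value: str) -> int:
    """'300k' -> 300000, '500k' -> 500000, '102.3g' -> 102300000000, '1500' -> 1500."""
    value = value.strip().lower()
    if value[-1] in SUFFIX:
        return int(round(float(value[:-1]) * SUFFIX[value[-1]]))
    return int(value)


def burst_size_bytes(bandwidth_bps: int, burst_ms: int) -> int:
    """burst size = bandwidth * allowable time for burst traffic, in bytes.
    Integer arithmetic: bits/s * ms / 8000 = bytes."""
    return bandwidth_bps * burst_ms // 8000


class Policer:
    """Single-rate policer: tokens are bytes; a packet that does not fit is
    discarded. 'discarded' plays the role of the policer's implicit counter,
    which on the switch counts packets that exceeded the limit."""

    def __init__(self, bandwidth_limit: str, burst_size_limit: str):
        self.rate_bytes_per_s = parse_limit(bandwidth_limit) / 8.0
        self.depth = parse_limit(burst_size_limit)
        self.tokens = float(self.depth)   # bucket starts full
        self.last_time = 0.0
        self.accepted = 0
        self.discarded = 0

    def offer(self, t: float, size: int) -> str:
        """Offer one packet of 'size' bytes at time t (seconds, non-decreasing)."""
        elapsed = t - self.last_time
        self.last_time = t
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate_bytes_per_s)
        if size <= self.tokens:
            self.tokens -= size
            self.accepted += 1
            return "accept"
        self.discarded += 1
        return "discard"


def run(policer: Policer, packets: List[Tuple[float, int]]) -> Tuple[int, int]:
    """Feed (time_seconds, size_bytes) packets in order; return (accepted, discarded)."""
    for t, size in packets:
        policer.offer(t, size)
    return policer.accepted, policer.discarded


def demo() -> Tuple[int, int]:
    """policer-one from the procedure: bandwidth-limit 300k, burst-size-limit 500k.
    Constructed stream: 400 full-size frames at t=0, then 30 more one second later.
    The initial burst drains the 500000-byte bucket after 333 frames; one second of
    refill at 37500 bytes/s admits 25 more."""
    p = Policer("300k", "500k")
    stream = [(0.0, 1500)] * 400 + [(1.0, 1500)] * 30
    return run(p, stream)


if __name__ == "__main__":
    print("1 Gbps for 5 ms needs a burst-size-limit of", burst_size_bytes(1_000_000_000, 5), "bytes")
    print("policer-one (accepted, discarded):", demo())
```

The second print illustrates why the page tells you to size the burst from the interface bandwidth: a bucket that is small relative to the link rate discards a large share of any normal burst, while a bucket that is large relative to the bandwidth-limit lets a sustained source exceed the nominal rate for as long as the bucket lasts.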

Applying a Firewall Filter That Is Configured with a Policer

A firewall filter that is configured with one or more policer actions, like any other
filter, must be applied to a port, VLAN, or Layer 3 interface. For information about
applying firewall filters, see the sections on applying firewall filters in Configuring
Firewall Filters (CLI Procedure) on page 1301.

NOTE: You can include policer actions on ingress firewall filters only.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Verifying That Policers Are Operational on page 1316

Understanding the Use of Policers in Firewall Filters on page 1274

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)

You can configure firewall filters with multifield classifiers to classify packets transiting a port, VLAN, or Layer 3 interface on an EX Series switch.

You specify multifield classifiers in a firewall filter configuration to set the forwarding class and packet loss priority (PLP) for incoming or outgoing packets. By default, the data traffic that is not classified is assigned to the best-effort class associated with queue 0.

You can specify any of the following default forwarding classes:

Forwarding class        Queue
best-effort
assured-forwarding
expedited-forwarding
network-control

To assign multifield classifiers in firewall filters:

1. Configure the family name and filter name for the filter at the [edit firewall] hierarchy level, for example:

[edit firewall]
user@switch# set family ethernet-switching
user@switch# set family ethernet-switching filter ingress-filter

2. Configure the terms of the filter, including the forwarding-class and loss-priority action modifiers as appropriate. When you specify a forwarding class you must also specify the packet loss priority. For example, each of the following terms examines different packet header fields and assigns an appropriate classifier and the packet loss priority:

The term voice-traffic matches packets on the voice-vlan and assigns the forwarding class expedited-forwarding and packet loss priority low:

[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term voice-traffic from vlan-id voice-vlan
user@switch# set term voice-traffic then forwarding-class expedited-forwarding
user@switch# set term voice-traffic then loss-priority low

The term data-traffic matches packets on employee-vlan and assigns the forwarding class assured-forwarding and packet loss priority low:


Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term data-traffic from vlan-id employee-vlan
user@switch# set term data-traffic then forwarding-class assured-forwarding
user@switch# set term data-traffic then loss-priority low

Because loss of network-generated packets can jeopardize proper network operation, delay is preferable to discard of packets. The following term, network-traffic, assigns the forwarding class network-control and packet loss priority low:

[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term network-traffic from precedence net-control
user@switch# set term network-traffic then forwarding-class network-control
user@switch# set term network-traffic then loss-priority low

The last term accept-traffic matches any packets that did not match on any of the preceding terms and assigns the forwarding class best-effort and packet loss priority low:

[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term accept-traffic from precedence net-control
user@switch# set term accept-traffic then forwarding-class best-effort
user@switch# set term accept-traffic then loss-priority low

3. Apply the filter ingress-filter to a port, VLAN or Layer 3 interface. For information about applying the filter, see Configuring Firewall Filters (CLI Procedure) on page 1301.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Verifying That Firewall Filters Are Operational on page 1315

Monitoring Firewall Filter Traffic on page 1316

Defining CoS Classifiers (CLI Procedure) on page 1394

Defining CoS Classifiers (J-Web Procedure) on page 1396

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Chapter 65

Verifying Firewall Filters

Verifying That Firewall Filters Are Operational on page 1315

Verifying That Policers Are Operational on page 1316

Monitoring Firewall Filter Traffic on page 1316

Verifying That Firewall Filters Are Operational

Purpose

After you configure and apply firewall filters to ports, VLANs, or Layer 3 interfaces, you can perform the following task to verify that the firewall filters configured on EX Series switches are working properly.

Action

Use the operational mode command to verify that the firewall filters on the switch are working properly:

user@switch> show firewall
Filter: egress-vlan-watch-employee
Counters:
Name                                                Bytes              Packets
counter-employee-web                                    0                    0
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                                Bytes              Packets
icmp-counter                                            0                    0
Policers:
Name                                                                     Packets
icmp-connection-policer                                                        0
tcp-connection-policer                                                         0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest

Meaning

The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. For each counter that is specified in a filter configuration, the output field shows the byte count and packet count for the term in which the counter is specified. For each policer that is specified in a filter configuration, the output field shows the packet count for packets that exceed the specified rate limits.

Related Topics

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Monitoring Firewall Filter Traffic on page 1316

Verifying That Policers Are Operational

Purpose

After you configure policers and include them in firewall filter configurations, you can perform the following tasks to verify that the policers configured on EX Series switches are working properly.

Action

Use the operational mode command to verify that the policers on the switch are working properly:

user@switch> show policer
Filter: egress-vlan-watch-employee
Filter: ingress-port-filter
Filter: ingress-port-voip-class-limit-tcp-icmp
Policers:
Name                                                                     Packets
icmp-connection-policer                                                        0
tcp-connection-policer                                                         0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest

Meaning

The show policer command displays the names of all firewall filters and policers that are configured on the switch. For each policer that is specified in a filter configuration, the output field shows the current packet count for all packets that exceed the specified rate limits.

Related Topics

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Monitoring Firewall Filter Traffic on page 1316

Monitoring Firewall Filter Traffic

You can monitor firewall filter traffic on EX Series switches.

Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch on page 1317

Monitoring Traffic for a Specific Firewall Filter on page 1317

Monitoring Traffic for a Specific Policer on page 1317

Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch

Purpose

Perform the following task to monitor the number of packets and bytes that matched the firewall filters and monitor the number of packets that exceeded policer rate limits:

Action

Use the operational mode command:

user@switch> show firewall
Filter: egress-vlan-watch-employee
Counters:
Name                                                Bytes              Packets
counter-employee-web                                 3348                   27
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                                Bytes              Packets
icmp-counter                                         4100                   49
Policers:
Name                                                                     Packets
icmp-connection-policer                                                        0
tcp-connection-policer                                                         0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest

Meaning

The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for counters and packet count for policers.
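For the two show firewall tasks above (verifying that filters are operational, and monitoring all filters and policers), the following Python parser is an added example, not code from this guide or from Juniper. It turns the command output into a structure, lists the policers that have discarded traffic, and diffs two snapshots so that a monitoring job can see how many packets each counter matched in the interval. The sample output is constructed in the shape shown on this page; its counts are made up, and one policer is given a nonzero count so that the drop check has something to report.

```python
import re

# Constructed sample of `show firewall` output in the layout this page shows.
# Filter and counter names are the page's; the counts are made up.
SAMPLE_SHOW_FIREWALL = """\
Filter: egress-vlan-watch-employee
Counters:
Name                                                Bytes              Packets
counter-employee-web                                 3348                   27
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                                Bytes              Packets
icmp-counter                                         4100                   49
Policers:
Name                                                                     Packets
icmp-connection-policer                                                        0
tcp-connection-policer                                                        12
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest
"""

_COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")   # name  bytes  packets
_POLICER_RE = re.compile(r"^(\S+)\s+(\d+)$")           # name  packets


def parse_show_firewall(text):
    """Return {filter: {"counters": {name: (bytes, packets)}, "policers": {name: packets}}}.

    Filters that list no counters or policers still appear, with empty dicts, so
    a filter that is configured but never matched anything is visible too."""
    filters = {}
    current = section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            name = line.split(":", 1)[1].strip()
            current = filters.setdefault(name, {"counters": {}, "policers": {}})
            section = None
        elif line in ("Counters:", "Policers:"):
            section = line[:-1].lower()
        elif line.startswith("Name") or current is None or section is None:
            continue  # column header, or text outside any filter block
        else:
            match = _COUNTER_RE.match(line) if section == "counters" else _POLICER_RE.match(line)
            if not match:
                continue  # unexpected line: skip rather than mis-assign a count
            if section == "counters":
                current["counters"][match.group(1)] = (int(match.group(2)), int(match.group(3)))
            else:
                current["policers"][match.group(1)] = int(match.group(2))
    return filters


def policer_drops(filters):
    """(filter, policer, packets) for every policer that has discarded traffic."""
    return [(f, p, n) for f, d in filters.items()
            for p, n in d["policers"].items() if n > 0]


def counter_deltas(before, after):
    """Packets matched per counter between two snapshots, keyed by (filter, counter).

    A negative delta means the counter was cleared or the filter was re-installed
    between the two snapshots."""
    deltas = {}
    for f, d in after.items():
        for c, (_, packets) in d["counters"].items():
            previous = before.get(f, {}).get("counters", {}).get(c, (0, 0))[1]
            deltas[(f, c)] = packets - previous
    return deltas


if __name__ == "__main__":
    parsed = parse_show_firewall(SAMPLE_SHOW_FIREWALL)
    for filter_name, policer, packets in policer_drops(parsed):
        print(f"{filter_name}: policer {policer} discarded {packets} packets")
```

In practice you would feed the function the text captured from the switch (for example over SSH) at a fixed interval and alert on a policer whose count rises, since a rising count means traffic is being discarded by that filter term.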

Monitoring Traffic for a Specific Firewall Filter

Purpose

Perform the following task to monitor the number of packets and bytes that matched a firewall filter and monitor the number of packets that exceeded the policer rate limits.

Action

Use the operational mode command:

user@switch> show firewall filter ingress-vlan-rogue-block
Filter: ingress-vlan-rogue-block
Counters:
Name                                                Bytes              Packets
rogue-counter                                        2308                   20

Meaning

The show firewall filter filter-name command displays the name of the firewall filter, the packet and byte count for all counters configured with the filter, and the packet count for all policers configured with the filter.

Monitoring Traffic for a Specific Policer

Purpose

Perform the following task to monitor the number of packets that exceeded policer rate limits:

Action

Use the operational mode command:

user@switch> show policer tcp-connection-policer
Filter: ingress-port-voip-class-limit-tcp-icmp
Policers:
Name                                                                     Packets
tcp-connection-policer                                                         0

Meaning

The show policer policer-name command displays the name of the firewall filter that specifies the policer-action and displays the number of packets that exceeded rate limits for the specified filter.

Related Topics

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Verifying That Firewall Filters Are Operational on page 1315

Chapter 66

Troubleshooting Firewall Filters

Troubleshooting Firewall Filters on page 1319

Troubleshooting Firewall Filters

1. Firewall Filter Configuration Returns a No Space Available in TCAM Message on page 1319

Firewall Filter Configuration Returns a No Space Available in TCAM Message


Problem

When a firewall filter configuration exceeds the amount of available TCAM space,
the switch returns the following syslogd message:
No space available in tcam.
Rules for filter filter-name will not be installed.

The switch returns this message during the commit operation if the firewall filter
that has been applied to a port, VLAN, or Layer 3 interface exceeds the amount of
available TCAM space. However, the commit operation for the firewall filter
configuration is completed in the CLI module.
Solution

When a firewall filter configuration exceeds the amount of available TCAM table space, you must configure a new firewall filter with fewer filter terms so that the space requirements for the filter do not exceed the available space in the TCAM table. You can perform either of the following procedures to correct the problem:

To delete the firewall filter and its bind points and apply the new smaller firewall filter to the same bind points:

1. Delete the firewall filter configuration and the bind points to ports, VLANs, or Layer 3 interfaces, for example:

[edit]
user@switch# delete firewall family ethernet-switching filter filter-ingress-vlan
user@switch# delete vlans voice-vlan description "filter to block rogue devices on voice-vlan"
user@switch# delete vlans voice-vlan filter input mini-filteringress-vlan

2. Commit the operation:

[edit]
user@switch# commit

3. Configure a smaller filter with fewer terms that does not exceed the amount of available TCAM space on the switch, for example:

[edit]
user@switch# set firewall family ethernet-switching filter newfilter-ingress-vlan ...

4. Apply (bind) the new firewall filter to a port, VLAN, or Layer 3 interface, for example:

[edit]
user@switch# set vlans voice-vlan description "filter to block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filteringress-vlan

5. Commit the operation:

[edit]
user@switch# commit

To apply a new firewall filter and overwrite the existing bind points:

1. Configure a firewall filter with fewer terms than the original filter:

[edit]
user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...

2. Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the bind points of the original filter, for example:

[edit]
user@switch# set vlans voice-vlan description "smaller filter to block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan

3. Commit the operation:

[edit]
user@switch# commit

Only the original bind points, and not the original firewall filter itself, are deleted.
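Because the commit completes even when the rules are not installed, a filter can appear to be applied while nothing is enforced in hardware. The Python check below is an added example (not from this guide or from Juniper) that scans syslog text for the message quoted above and reports which configured bind points are therefore not enforced. The syslog lines are constructed for the example: the two-line message text is the one this page quotes, while the timestamps, host name, daemon names and PIDs are placeholders, and the bind-point map is a made-up input.

```python
import re

# Constructed syslog excerpt. Only the "No space available in tcam" message
# text comes from the page; everything else on these lines is a placeholder.
SAMPLE_SYSLOG = """\
Aug  5 10:12:01 switch1 daemon[1111]: No space available in tcam.
Aug  5 10:12:01 switch1 daemon[1111]: Rules for filter filter-ingress-vlan will not be installed.
Aug  5 10:12:03 switch1 mgd[2222]: UI_COMMIT_COMPLETED: commit complete
"""

# The filter name sits between fixed words, so one regex works whether the
# message arrives on one line or split across two as the page shows it.
_NOT_INSTALLED_RE = re.compile(r"Rules for filter (\S+) will not be installed")


def filters_not_installed(syslog_text):
    """Names of the filters the switch reported it could not program into TCAM."""
    return sorted({m.group(1) for m in _NOT_INSTALLED_RE.finditer(syslog_text)})


def unenforced_bind_points(bind_points, syslog_text):
    """bind_points maps a filter name to the ports, VLANs or Layer 3 interfaces
    it is applied to. Returns the entries whose filter is committed but not
    actually enforced, so an operator can treat those attachments as open."""
    missing = set(filters_not_installed(syslog_text))
    return {name: targets for name, targets in bind_points.items() if name in missing}


if __name__ == "__main__":
    # Hypothetical bind-point inventory for the example.
    bindings = {"filter-ingress-vlan": ["voice-vlan"], "guest-filter": ["ge-0/0/1"]}
    for name, targets in unenforced_bind_points(bindings, SAMPLE_SYSLOG).items():
        print(f"filter {name} is bound to {targets} but is NOT installed in TCAM")
```

Run this against the syslog captured around each commit (or forward the messages to a collector and alert on the pattern) so that a filter that silently failed to install is caught at the time of the change rather than discovered later.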
Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Verifying That Firewall Filters Are Operational on page 1315

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Chapter 67

Configuration Statements for Firewall Filters

[edit firewall] Configuration Statement Hierarchy on page 1323

Firewall Filter Configuration Statements Supported by JUNOS Software for EX Series Switches on page 1324

[edit firewall] Configuration Statement Hierarchy


firewall {
    family family-name {
        filter filter-name {
            interface-specific;
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }
    policer policer-name {
        filter-specific;
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            policer-action;
        }
    }
}
Related Topics

Firewall Filter Configuration Statements Supported by JUNOS Software for EX Series Switches on page 1324

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Firewall Filters for EX Series Switches Overview on page 1249

Firewall Filter Configuration Statements Supported by JUNOS Software for EX Series Switches

You configure firewall filters to filter packets based on their components and to perform an action on packets that match the filter.

Table 167 on page 1324 lists the options that are supported for the firewall statement in JUNOS Software for EX Series switches.
Table 167: Supported Options for Firewall Filter Statements

Statement and Option:
    family family-name {
    }
Description:
    The family-name option specifies the version or type of addressing protocol:
    bridge or ethernet-switching: Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets
    inet: Filter IPv4 packets

Statement and Option:
    filter filter-name {
    }
Description:
    The filter-name option identifies the filter. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" ").

Statement and Option:
    interface-specific
Description:
    The interface-specific statement configures unique names for individual firewall counters specific to each interface.

Statement and Option:
    term term-name {
    }
Description:
    The term-name option identifies the term. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" "). Each term name must be unique within a filter.

Statement and Option:
    from {
        match-conditions;
    }
Description:
    The from statement is optional. If you omit it, all packets are considered to match.

Statement and Option:
    then {
        action;
        action-modifiers;
    }
Description:
    For information about the action and action-modifiers options, see Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256.

Statement and Option:
    policer policer-name {
    }
Description:
    The policer-name option identifies the policer. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" ").

Statement and Option:
    filter-specific
Description:
    The filter-specific statement configures policers and counters for a specific filter name.

Statement and Option:
    if-exceeding {
        bandwidth-limit bps
        burst-size-limit bytes
    }
Description:
    The bandwidth-limit bps option specifies the traffic rate in bits per second (bps). You can specify bps as a decimal value or as a decimal number followed by one of the following abbreviations:
    k (thousand)
    m (million)
    g (billion, which is also called a thousand million)
    Range: 1000 (1k) through 102,300,000,000 (102.3g) bps

    The burst-size-limit bytes option specifies the maximum allowed burst size to control the amount of traffic bursting. To determine the value for the burst-size limit, you can multiply the bandwidth of the interface on which the filter is applied by the amount of time (in seconds) to allow a burst of traffic at that bandwidth to occur:
    burst size = bandwidth * allowable time for burst traffic
    You can specify a decimal value or a decimal number followed by k (thousand) or m (million).
    Range: 1 through 2,147,450,880 bytes

Statement and Option:
    then {
        policer-action
    }
Description:
    Use the policer-action option to specify discard to discard traffic that exceeds the rate limits.

JUNOS Software for EX Series switches does not support some of the firewall filter
statements that are supported by other JUNOS Software packages. Table 168 on page
1326 shows the firewall filter statements that are not supported by JUNOS Software
for EX Series switches.


Table 168: Firewall Filter Statements That Are Not Supported by JUNOS Software for EX Series Switches

Statements not supported:
    interface-set interface-set-name {
    }
    load-balance-group group-name {
    }
    three-color-policer name {
    }
    logical-interface-policer;
    single-rate {
    }
    two-rate {
    }
Statement hierarchy level:
    [edit firewall]

Statements not supported:
    prefix-action name {
    }
    prefix-policer {
    }
    service-filter filter-name {
    }
    simple-filter simple-filter-name {
    }
Statement hierarchy level:
    [edit firewall family family-name]

Statements not supported:
    accounting-profile name;
Statement hierarchy level:
    [edit firewall family family-name filter filter-name]

Statements not supported:
    logical-bandwidth-policer;
    logical-interface-policer;
Statement hierarchy level:
    [edit firewall policer policer-name]

Statements not supported:
    bandwidth-percent number;
Statement hierarchy level:
    [edit firewall policer policer-name if-exceeding]

Related Topics

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Firewall Filters for EX Series Switches Overview on page 1249

bandwidth-limit

Syntax
bandwidth-limit bps;

Hierarchy Level
[edit firewall policer policer-name if-exceeding]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Specify the traffic rate in bits per second.

Options
bps: Traffic rate to be specified in bits per second. Specify bps as a decimal value or as a decimal number followed by one of the following abbreviations:
k (thousand)
m (million)
g (billion, which is also called a thousand million)
Range: 1000 (1k) through 102,300,000,000 (102.3g) bps

Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Understanding the Use of Policers in Firewall Filters on page 1274

burst-size-limit

Syntax
burst-size-limit bytes;

Hierarchy Level
[edit firewall policer policer-name if-exceeding]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Specify the maximum allowed burst size to control the amount of traffic bursting.

Options
bytes: Decimal value or a decimal number followed by k (thousand) or m (million).
Range: 1 through 2,147,450,880 bytes

Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Understanding the Use of Policers in Firewall Filters on page 1274


family

Syntax
family family-name {
    filter filter-name {
        interface-specific;
        term term-name {
            from {
                match-conditions;
            }
            then {
                action;
                action-modifiers;
            }
        }
    }
}

Hierarchy Level
[edit firewall]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Option interface-specific introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure a firewall filter for IP version 4.

Options
family-name: Version or type of addressing protocol:
bridge: Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.
ethernet-switching: Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.
inet: Filter IPv4 packets.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Firewall Filters for EX Series Switches Overview on page 1249


filter

Syntax
filter filter-name {
    interface-specific;
    term term-name {
        from {
            match-conditions;
        }
        then {
            action;
            action-modifiers;
        }
    }
}

Hierarchy Level
[edit firewall family family-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Option interface-specific introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure firewall filters.

Options
filter-name: Name that identifies the filter. The name can contain letters, numbers, and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks.
The remaining statements are explained separately.

Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.

Related Topics

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Firewall Filters for EX Series Switches Overview on page 1249


filter

Syntax
filter (input | output) filter-name;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the Layer 3 interface.

Default
All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all outgoing traffic is sent unmodified from the port or Layer 3 interface.

Options
filter-name: Name of a firewall filter defined in the filter statement.
input: Apply a firewall filter to traffic entering the port or Layer 3 interface.
output: Apply a firewall filter to traffic exiting the Layer 3 interface.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 383

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 377

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Firewall Filters for EX Series Switches Overview on page 1249

JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html


filter-specific

Syntax
filter-specific;

Hierarchy Level
[edit firewall policer policer-name]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure a policer to act as a filter-specific policer.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Understanding the Use of Policers in Firewall Filters on page 1274

from

Syntax
from {
    match-conditions;
}

Hierarchy Level
[edit firewall family family-name filter filter-name term term-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.

Options
match-conditions: Conditions that define the values or fields that the incoming or outgoing packets must contain for a match. You can specify one or more match conditions. If you specify more than one, they all must match for a match to occur and for the action in the then statement to be taken.

Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.

Related Topics

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Understanding Firewall Filter Match Conditions on page 1269

if-exceeding

Syntax
if-exceeding {
    bandwidth-limit bps;
    burst-size-limit bytes;
}

Hierarchy Level
[edit firewall policer policer-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure policer rate limits.
The remaining statements are explained separately.

Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Understanding the Use of Policers in Firewall Filters on page 1274

interface-specific

Syntax
interface-specific;

Hierarchy Level
[edit firewall family family-name filter filter-name]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure interface-specific names for firewall counters.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Firewall Filters for EX Series Switches Overview on page 1249

policer

Syntax
policer policer-name {
    filter-specific;
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        policer-action;
    }
}

Hierarchy Level
[edit firewall]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Configure policer rate limits and actions. To activate a policer, you must include the policer action modifier in the then statement in a firewall filter term. Each policer that you configure includes an implicit counter. To ensure term-specific packet counts, you configure a policer for each term in the filter that requires policing.

Options
policer-name: Name that identifies the policer. The name can contain letters, numbers, hyphens (-), and can be up to 64 characters long.
The remaining statements are explained separately.

Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Understanding the Use of Policers in Firewall Filters on page 1274

term

Syntax
term term-name {
    from {
        match-conditions;
    }
    then {
        action;
        action-modifiers;
    }
}

Hierarchy Level
[edit firewall family family-name filter filter-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
Define a firewall filter term.

Options
term-name: Name that identifies the term. The name can contain letters, numbers, and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks.
The remaining statements are explained separately.

Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.

Related Topics

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 1275

Configuring Firewall Filters (CLI Procedure) on page 1301

Configuring Firewall Filters (J-Web Procedure) on page 1307

Firewall Filters for EX Series Switches Overview on page 1249

then
Syntax
then {
    action;
    action-modifiers;
}
Hierarchy Level
[edit firewall family family-name filter filter-name term term-name]
Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Description
Configure a filter action.
Options
action: Actions to accept, discard, or forward packets that match all match conditions
specified in a filter term.
action-modifiers: Additional actions to analyze, classify, count, or police packets that
match all conditions specified in a filter term.
Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.
Related Topics
Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275
Example: Using Filter-Based Forwarding to Route Application Traffic to a Security
Device on EX Series Switches on page 1295
Configuring Firewall Filters (CLI Procedure) on page 1301
Configuring Firewall Filters (J-Web Procedure) on page 1307
Understanding Firewall Filter Match Conditions on page 1269


then
Syntax
then {
    policer-action;
}
Hierarchy Level
[edit firewall policer policer-name]
Release Information
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Description
Configure a policer action.
Options
policer-action: The only allowed policer action is discard, which discards traffic that exceeds
the rate limits defined by the policer.
Required Privilege Level
firewall: To view this statement in the configuration.
firewall-control: To add this statement to the configuration.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275
Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310
Configuring Firewall Filters (CLI Procedure) on page 1301
Configuring Firewall Filters (J-Web Procedure) on page 1307
Understanding the Use of Policers in Firewall Filters on page 1274
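The policer, term, and then statements above fit together as one [edit firewall] stanza. The following is an added example and not configuration from the Juniper guide: a small Python generator that renders that stanza in the hierarchy documented here, gives every policed term its own policer so that the policer's implicit counter stays term-specific (as the policer statement recommends), and enforces the identifier rule from the Options sections (letters, digits, hyphens, at most 64 characters). The if-exceeding, bandwidth-limit, and burst-size-limit statements and the sample match conditions (protocol, destination-port) are assumed from the wider JUNOS reference rather than taken from this page, and the sample policy is constructed.

```python
"""Render a JUNOS firewall filter whose policed terms each get their own policer.

Added example, not taken from the Juniper guide. Emits text in the
[edit firewall] hierarchy documented on this page (policer ... then discard;
family ... filter ... term ... from/then). The if-exceeding, bandwidth-limit
and burst-size-limit statements and the sample match conditions are assumed
from the wider JUNOS reference, not from this page.
"""
import re

# Options sections above: letters, digits and hyphens, up to 64 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


def check_name(name):
    """Reject identifiers that the term/policer Options sections disallow."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid JUNOS identifier: {name!r}")
    return name


def render_block(header, lines, indent=4):
    """Render 'header { ...lines... }' with JUNOS-style indentation."""
    body = "\n".join(" " * indent + line for line in lines)
    return f"{header} {{\n{body}\n}}"


def policer_config(name, bandwidth_limit, burst_size_limit):
    """[edit firewall policer <name>]; discard is the only policer action on EX."""
    check_name(name)
    limits = render_block("if-exceeding", [
        f"bandwidth-limit {bandwidth_limit};",
        f"burst-size-limit {burst_size_limit};",
    ])
    return render_block(f"policer {name}", limits.splitlines() + ["then discard;"])


def term_config(term):
    """One term. A policed term references a policer named after the term, so the
    policer's implicit counter reports packets for this term only."""
    name = check_name(term["name"])
    lines = []
    if term.get("match"):                      # no 'from' block means match-all
        lines += render_block("from", [f"{m};" for m in term["match"]]).splitlines()
    then = []
    if "police" in term:
        then.append(f"policer {name}-policer;")
    then.append(f"count {name}-count;")
    then.append(f"{term.get('action', 'accept')};")
    lines += render_block("then", then).splitlines()
    return render_block(f"term {name}", lines)


def firewall_config(family, filter_name, terms):
    """Full [edit firewall] stanza: policers first, then the family/filter."""
    check_name(filter_name)
    policers = [policer_config(f"{t['name']}-policer", *t["police"])
                for t in terms if "police" in t]
    term_lines = [line for t in terms for line in term_config(t).splitlines()]
    filt = render_block(f"filter {filter_name}", term_lines)
    fam = render_block(f"family {family}", filt.splitlines())
    inner = [line for p in policers for line in p.splitlines()] + fam.splitlines()
    return render_block("firewall", inner) + "\n"


# Constructed sample policy for an access-port filter (hypothetical names/limits).
SAMPLE_TERMS = [
    {"name": "limit-icmp", "match": ["protocol icmp"], "police": ("1m", "50k")},
    {"name": "limit-ssh", "match": ["protocol tcp", "destination-port 22"],
     "police": ("2m", "100k")},
    {"name": "permit-rest"},
]

if __name__ == "__main__":
    print(firewall_config("ethernet-switching", "ingress-port-filter", SAMPLE_TERMS))
```

Running the script prints the stanza; the filter still has to be applied to an interface, which is covered in Configuring Firewall Filters (CLI Procedure). Because limit-icmp and limit-ssh each reference their own policer, show policer later reports discards per term rather than one combined count.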

Chapter 68: Operational Mode Commands for Firewall Filters

clear firewall
Syntax
clear firewall
<all>
<counter counter-name>
<filter filter-name>
Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.
Description
Clear statistics about configured firewall filters.
Options
none: Clear the packet and byte counts for all firewall filter counters and clear the
packet counts for all policer counters.
all: (Optional) Clear the packet and byte counts for all firewall filter counters and
clear the packet counts for all policer counters.
counter counter-name: (Optional) Clear the packet and byte counts for the specified
firewall filter counter.
filter filter-name: (Optional) Clear the packet and byte counts for the specified firewall
filter.
Required Privilege Level
clear
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275
Verifying That Firewall Filters Are Operational on page 1315
Verifying That Policers Are Operational on page 1316
Firewall Filters for EX Series Switches Overview on page 1249
Understanding the Use of Policers in Firewall Filters on page 1274

clear firewall (all)
user@host> clear firewall all

clear firewall (counter counter-name)
user@host> clear firewall counter port-filter-counter

clear firewall (filter filter-name)
user@host> clear firewall filter ingress-port-filter


show firewall
Syntax
show firewall
<counter counter-name>
<filter filter-name>
<log (detail | interface interface-name)>
<terse>
Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.
Description
Display statistics about configured firewall filters.
Options
none: Display statistics about all configured firewall filters, counters, and policers.
counter counter-name: (Optional) Display statistics about a particular firewall filter
counter.
filter filter-name: (Optional) Display statistics about a particular firewall filter.
log (detail | interface interface-name): (Optional) Display detailed log entries of firewall
activity, or the log entries for a specific interface.
terse: (Optional) Display firewall filter names only.
Required Privilege Level
view
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275
Verifying That Firewall Filters Are Operational on page 1315
Verifying That Policers Are Operational on page 1316
Firewall Filters for EX Series Switches Overview on page 1249
Understanding the Use of Policers in Firewall Filters on page 1274
List of Sample Output
show firewall on page 1340
show firewall (filter filter-name) on page 1340
show firewall (counter counter-name) on page 1340
show firewall log on page 1340
Output Fields
Table 169 on page 1339 lists the output fields for the show firewall command. Output
fields are listed in the approximate order in which they appear.

Table 169: show firewall Output Fields

Filter (All levels)
    Name of the filter that is configured with the filter statement at the [edit firewall]
    hierarchy level.
Counters (All levels)
    Filter counter information:
    Name: Name of a filter counter that has been configured with the counter firewall
    filter action.
    Bytes: Number of bytes that matched the filter term where the counter action was
    specified.
    Packets: Number of packets that matched the filter term where the counter action
    was specified.
Policers (All levels)
    Policer information:
    Name: Name of the policer.
    Packets: Number of packets that matched the filter term where the policer action
    was specified. This is the number of packets that exceeded the rate limits that the
    policer specifies.

Sample Output

show firewall
user@host> show firewall

Filter: egress-vlan-filter
Counters:
Name                                                Bytes              Packets
employee-web-counter                                    0                    0
Filter: ingress-port-filter
Counters:
Name                                                Bytes              Packets
ingress-port-counter                                    0                    0
Filter: ingress-port-voip-class-filter
Counters:
Name                                                Bytes              Packets
icmp-counter                                            0                    0
Policers:
Name                                                                   Packets
icmp-connection-policer                                                      0
tcp-connection-policer                                                       0

show firewall (filter filter-name)
user@host> show firewall filter egress-vlan-filter

Filter: egress-vlan-filter
Counters:
Name                                                Bytes              Packets
employee-web-counter                                    0                    0

show firewall (counter counter-name)
user@host> show firewall counter icmp-counter

Filter: ingress-port-voip-class-filter
Counters:
Name                                                Bytes              Packets
icmp-counter                                            0                    0

show firewall log
user@host> show firewall log

Log :
Time      Filter    Action Interface     Protocol  Src Addr         Dest Addr
08:00:53  pfe       R      ge-1/0/1.0    ICMP      192.168.3.5      192.168.3.4
08:00:52  pfe       R      ge-1/0/1.0    ICMP      192.168.3.5      192.168.3.4
08:00:51  pfe       R      ge-1/0/1.0    ICMP      192.168.3.5      192.168.3.4
08:00:50  pfe       R      ge-1/0/1.0    ICMP      192.168.3.5      192.168.3.4
08:00:49  pfe       R      ge-1/0/1.0    ICMP      192.168.3.5      192.168.3.4
08:00:48  pfe       R      ge-1/0/1.0    ICMP      192.168.3.5      192.168.3.4
08:00:47  pfe       R      ge-1/0/1.0    ICMP      192.168.3.5      192.168.3.4


show interfaces filters
Syntax
show interfaces filters
<interface-name>
Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.
Description
Display the firewall filters that are configured on each interface in the system.
Options
none: Display firewall filter information for all interfaces.
interface-name: (Optional) Display firewall filter information for a particular
interface: ge-fpc/pic/port.
Required Privilege Level
view
Related Topics
show interfaces policers
show firewall
List of Sample Output
show interfaces filters on page 1342
show interfaces filters <interface-name> on page 1343
Output Fields
Table 170 on page 1342 lists the output fields for the show interfaces filters command.
Output fields are listed in the approximate order in which they appear.

Table 170: show interfaces filters Output Fields

Interface (All levels)
    Name of the physical or logical interface.
Admin (All levels)
    Administrative state of the interface: up or down.
Link (All levels)
    Link state: up or down.
Proto (All levels)
    Protocol that is configured on the interface.
Input Filter (All levels)
    Name of the firewall filter to be evaluated when packets are received on the
    interface.
Output Filter (All levels)
    Name of the firewall filter to be evaluated when packets are transmitted on
    the interface.

Sample Output

show interfaces filters
user@host> show interfaces filters

Interface        Admin Link Proto      Input Filter   Output Filter
ge-0/0/0         up    down
ge-0/0/0.0       up    down eth-switch unknown
ge-0/0/1         up    down
ge-0/0/1.0       up    down eth-switch unknown
ge-0/0/2         up    down
ge-0/0/3         up    down
ge-0/0/4         up    down
ge-0/0/5         up    down
ge-0/0/6         up    down
ge-0/0/7         up    down
ge-0/0/8         up    down
ge-0/0/9         up    down
ge-0/0/10        up    down
ge-0/0/10.0      up    down

show interfaces filters <interface-name>
user@host> show interfaces filters ge-0/0/0

Interface        Admin Link Proto      Input Filter   Output Filter
ge-0/0/0         up    down
ge-0/0/0.0       up    down eth-switch unknown


show interfaces policers
Syntax
show interfaces policers
<interface-name>
Release Information
Command introduced before JUNOS Release 9.0 for EX Series switches.
Description
Display all policers that are configured on each interface in the system.
Options
none: Display policer information for all interfaces.
interface-name: (Optional) Display policer information for a particular interface.
Required Privilege Level
view
Related Topics
show interfaces filters
show policer
List of Sample Output
show interfaces policers on page 1344
show interfaces policers (interface-name) on page 1345
Output Fields
Table 171 on page 1344 lists the output fields for the show interfaces policers command.
Output fields are listed in the approximate order in which they appear.

Table 171: show interfaces policers Output Fields

Interface (All levels)
    Name of the interface.
Admin (All levels)
    Administrative state of the interface: up or down.
Link (All levels)
    Link state: up or down.
Proto (All levels)
    Protocol configured on the interface.
Input Policer (All levels)
    Policer to be evaluated when packets are received on the interface. It has the
    format interface-name-in-policer.
Output Policer (All levels)
    Policer to be evaluated when packets are transmitted on the interface. It has
    the format interface-name-out-policer.

Sample Output

show interfaces policers
user@host> show interfaces policers

Interface        Admin Link Proto      Input Policer    Output Policer
ge-0/0/0         up    down
ge-0/0/0.0       up    down eth-switch
Interface        Admin Link Proto      Input Policer    Output Policer
ge-0/0/1         up    down
ge-0/0/1.0       up    down eth-switch
Interface        Admin Link Proto      Input Policer    Output Policer
ge-0/0/2         up    down
ge-0/0/3         up    down
ge-0/0/4         up    down
ge-0/0/5         up    down
ge-0/0/6         up    down
ge-0/0/7         up    down
ge-0/0/8         up    down
ge-0/0/9         up    down
ge-0/0/10        up    down
ge-0/0/10.0      up    down eth-switch

show interfaces policers (interface-name)
user@host> show interfaces policers ge-0/0/0

Interface        Admin Link Proto      Input Policer    Output Policer
ge-0/0/0         up    down
ge-0/0/0.0       up    down eth-switch


show policer
Syntax
show policer
<policer-name>
Release Information
Command introduced in JUNOS Release 9.0 for EX Series switches.
Description
Display statistics about configured policers.
Options
none: Display the count of policed packets for all configured policers in the system.
policer-name: (Optional) Display the count of policed packets for the specified policer.
Required Privilege Level
view
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275
Verifying That Firewall Filters Are Operational on page 1315
Verifying That Policers Are Operational on page 1316
Firewall Filters for EX Series Switches Overview on page 1249
Understanding the Use of Policers in Firewall Filters on page 1274
List of Sample Output
show policer on page 1346
show policer (policer-name) on page 1347
Output Fields
Table 172 on page 1346 lists the output fields for the show policer command. Output
fields are listed in the approximate order in which they appear.

Table 172: show policer Output Fields

Filter (All levels)
    Name of the filter that is configured with the filter statement at the [edit firewall]
    hierarchy level.
Policers (All levels)
    Policer information:
    Filter: Name of the filter that specifies the policer action.
    Name: Name of the policer.
    Packets: Number of packets that matched the filter term where the policer action
    is specified. This is the number of packets that exceeded the rate limits that the
    policer specifies.

Sample Output

show policer
user@host> show policer

Filter: egress-vlan-filter
Filter: ingress-port-filter
Policers:
Name                                                                   Packets
icmp-connection-policer                                                      0
tcp-connection-policer                                                       0
Filter: ingress-vlan-rogue-block

show policer (policer-name)
user@host> show policer tcp-connection-policer

Filter: ingress-port-filter
Policers:
Name                                                                   Packets
tcp-connection-policer                                                       0

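Both show firewall and show policer print cumulative counts in the same Filter:/Counters:/Policers: layout, and clear firewall resets them, so verifying that a policer is actually discarding traffic means comparing two readings. The following is an added example, not from the Juniper guide: Python that parses that layout and compares two snapshots, reporting which policers discarded packets in between and treating a count that went down as a counter reset (clear firewall ran in the meantime). The two snapshots are constructed in the format of the sample output above, with hypothetical counter values.

```python
"""Parse 'show firewall' / 'show policer' output and report policer drops.

Added example, not from the Juniper guide. The parser follows the output
layout shown on this page (Filter:, Counters:, Policers: blocks with
Name/Bytes/Packets columns). The two snapshots below are constructed; on a
switch you would capture them before and after a test run, or after
'clear firewall'.
"""


def parse_show_firewall(text):
    """Return {filter: {"counters": {name: (bytes, packets)},
                        "policers": {name: packets}}}."""
    result = {}
    current = None   # dict for the filter currently being read
    section = None   # "counters" or "policers"
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        if not fields or fields[0] == "Name":
            continue                      # blank line or column header
        if line.startswith("Filter:"):
            name = line.split(":", 1)[1].strip()
            current = result.setdefault(name, {"counters": {}, "policers": {}})
            section = None
        elif line == "Counters:":
            section = "counters"
        elif line == "Policers:":
            section = "policers"
        elif current is not None and section == "counters" and len(fields) == 3:
            current["counters"][fields[0]] = (int(fields[1]), int(fields[2]))
        elif current is not None and section == "policers" and len(fields) == 2:
            current["policers"][fields[0]] = int(fields[1])
    return result


def policer_drops(before, after):
    """Policers whose packet count rose between snapshots, as
    (filter, policer, dropped) tuples. A count lower than before means the
    counters were cleared in between, so the new value is the number of
    drops since the clear."""
    drops = []
    for filt, data in after.items():
        for name, now in data["policers"].items():
            prev = before.get(filt, {}).get("policers", {}).get(name, 0)
            delta = now if now < prev else now - prev
            if delta > 0:
                drops.append((filt, name, delta))
    return drops


# Constructed snapshots in the layout of the sample output on this page.
BEFORE = """\
Filter: ingress-port-filter
Counters:
Name                                                Bytes              Packets
ingress-port-counter                                 4096                   32
Policers:
Name                                                                   Packets
icmp-connection-policer                                                      0
tcp-connection-policer                                                       5
Filter: egress-vlan-filter
Counters:
Name                                                Bytes              Packets
employee-web-counter                                12000                  100
"""

AFTER = """\
Filter: ingress-port-filter
Counters:
Name                                                Bytes              Packets
ingress-port-counter                                 8192                   64
Policers:
Name                                                                   Packets
icmp-connection-policer                                                     57
tcp-connection-policer                                                       2
Filter: egress-vlan-filter
Counters:
Name                                                Bytes              Packets
employee-web-counter                                12000                  100
"""

if __name__ == "__main__":
    for filt, name, n in policer_drops(parse_show_firewall(BEFORE),
                                       parse_show_firewall(AFTER)):
        print(f"{filt}: policer {name} discarded {n} packets")
```

The reset handling matters in practice: if a verification script clears counters between readings, a naive "after minus before" subtraction goes negative and the discards are silently lost.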

Part 14: CoS

Understanding CoS on page 1351
Examples of Configuring CoS on page 1373
Configuring CoS on page 1391
Verifying CoS on page 1411
Configuration Statements for CoS on page 1419
Operational Mode Commands for CoS on page 1447

Chapter 69: Understanding CoS

JUNOS CoS for EX Series Switches Overview on page 1352
Understanding JUNOS CoS Components for EX Series Switches on page 1353
Understanding CoS Code-Point Aliases on page 1356
Understanding CoS Classifiers on page 1359
Understanding CoS Forwarding Classes on page 1361
Understanding CoS Tail Drop Profiles on page 1364
Understanding CoS Schedulers on page 1364
Understanding CoS Two-Color Marking on page 1367
Understanding CoS Rewrite Rules on page 1368
Understanding Port Shaping and Queue Shaping for CoS on EX Series Switches on page 1370
Understanding JUNOS EZQoS for CoS Configurations on EX Series Switches on page 1370

JUNOS CoS for EX Series Switches Overview


When a network experiences congestion and delay, some packets must be dropped.
JUNOS class of service (CoS) divides traffic into classes to which you can apply
different levels of throughput and packet loss when congestion occurs. This allows
packet loss to happen according to rules that you configure. CoS also allows you to
rewrite the Differentiated Services Code Point (DSCP), IP precedence, or IEEE 802.1p CoS
bits of packets egressing a specific interface, so that you can tailor packets to the
remote peer's network requirements.
CoS provides multiple classes of service for different applications. You can configure
multiple forwarding classes for transmitting packets, define which packets are placed
into each output queue, and schedule the transmission service level for each queue.
In designing CoS applications, you must give careful consideration to your service
needs, and you must thoroughly plan and design your CoS configuration to ensure
consistency and interoperability across all platforms in a CoS domain.
Because Juniper Networks EX Series Ethernet Switches implement CoS in hardware
rather than in software, you can experiment with and deploy CoS features without
affecting packet forwarding and switching performance.

NOTE: CoS policies can be enabled or disabled on each interface of an EX Series
switch. Also, each physical and logical interface on the switch can have custom CoS
rules associated with it.

How JUNOS CoS Works on page 1352
Default CoS Behavior on EX Series Switches on page 1353

How JUNOS CoS Works


JUNOS CoS works by examining traffic entering at the edge of your network. The
access switches classify traffic into defined service groups, to provide the special
treatment of traffic across the network. For example, voice traffic can be sent across
certain links, and data traffic can use other links. In addition, the data traffic streams
can be serviced differently along the network path to ensure that higher-paying
customers receive better service. As the traffic leaves the network at the far edge,
you can rewrite the traffic to meet the policies of the targeted peer.
To support CoS, you must configure each switch in the network. Generally, each
switch examines the packets that enter it to determine their CoS settings. These
settings then dictate which packets are transmitted first to the next downstream
switch. Switches at the edges of the network might be required to alter the CoS
settings of the packets that enter the network to classify the packets into the
appropriate service groups.
Figure 76 on page 1353 represents the network scenario of an enterprise. Switch A is
receiving traffic from various network nodes such as desktop computers, servers,
surveillance cameras, and VoIP telephones. As each packet enters, Switch A examines
the packet's CoS settings and classifies the traffic into one of the groupings defined
by the enterprise. This definition allows Switch A to prioritize resources for servicing
the traffic streams it receives. Switch A might alter the CoS settings of the packets
to better match the enterprise's traffic groups.
When Switch B receives the packets, it examines the CoS settings, determines the
appropriate traffic groups, and processes the packets according to those settings. It
then transmits the packets to Switch C, which performs the same actions. Switch D
also examines the packets and determines the appropriate groups. Because Switch
D sits at the far end of the network, it can rewrite the CoS bits of the packets before
transmitting them.
Figure 76: Packet Flow Across the Network

Default CoS Behavior on EX Series Switches


If you do not configure any CoS settings on your switch, the software still performs some
CoS functions to ensure that user traffic and protocol packets are forwarded with
minimum delay when the network is experiencing congestion. Some CoS settings,
such as classifiers, are automatically applied to each logical interface that you
configure. Other settings, such as rewrite rules, are applied only if you explicitly
associate them with an interface.
Related Topics

Understanding JUNOS CoS Components for EX Series Switches on page 1353

Understanding JUNOS EZQoS for CoS Configurations on EX Series Switches on
page 1370

Example: Configuring CoS on EX Series Switches on page 1373

Understanding JUNOS CoS Components for EX Series Switches


This topic describes the JUNOS CoS components for Juniper Networks EX Series
Ethernet Switches:

Code-Point Aliases on page 1354
Policers on page 1354
Classifiers on page 1354
Forwarding Classes on page 1354
Tail Drop Profiles on page 1355
Schedulers on page 1355
Rewrite Rules on page 1355

Code-Point Aliases
A code-point alias assigns a name to a pattern of code-point bits. You can use this
name instead of the bit pattern when you configure other CoS components such as
classifiers, drop-profile maps, and rewrite rules.

Policers
Policers limit traffic of a certain class to a specified bandwidth and burst size. Packets
exceeding the policer limits can be discarded. You define policers with filters that
can be associated with input interfaces.
For more information about policers, see Understanding the Use of Policers in
Firewall Filters on page 1274.

NOTE: You can configure policers to discard packets that exceed the rate limits. If
you want to configure CoS parameters such as loss-priority and forwarding-class, you
must use firewall filters.

Classifiers
Packet classification associates incoming packets with a particular CoS servicing
level. In Juniper Networks JUNOS Software, classifiers associate packets with a
forwarding class and loss priority and assign packets to output queues based on the
associated forwarding class. JUNOS Software supports two general types of classifiers:

Behavior aggregate (BA) or CoS value traffic classifiers: Examine the CoS value in
the packet header. The value in this single field determines the CoS settings
applied to the packet. BA classifiers allow you to set the forwarding class and
loss priority of a packet based on the Differentiated Services code point (DSCP)
value, IP precedence value, or IEEE 802.1p value.

Multifield (MF) traffic classifiers: Examine multiple fields in the packet, such as source
and destination addresses and source and destination port numbers of the packet.
With multifield classifiers, you set the forwarding class and loss priority of a
packet based on firewall filter rules.

Forwarding Classes
Forwarding classes group the packets for transmission. Based on forwarding classes,
you assign packets to output queues. Forwarding classes affect the forwarding,
scheduling, and marking policies applied to packets as they transit a switch. By
default, four categories of forwarding classes are defined: best effort, assured
forwarding, expedited forwarding, and network control. For EX Series switches, 16
forwarding classes are supported, providing granular classification capability.


Tail Drop Profiles


A drop profile defines the parameters that govern when packets are dropped
from a queue. Drop profiles define the meanings of the loss priorities. When you
configure drop profiles, you are essentially setting a threshold for queue fullness. The
queue fullness represents the percentage of the queue that is used to store packets, in relation
to the total amount of buffer that has been allocated for that specific queue.
Loss priorities set the priority of dropping a packet. Loss priority affects the scheduling
of a packet without affecting the packet's relative ordering. You can use the loss
priority setting to identify packets that have experienced congestion. Typically, you
mark packets exceeding some service level with a high loss priority.

Schedulers
Each switch interface has multiple queues assigned to store packets. The switch
determines which queue to service based on a particular method of scheduling. This
process often involves determining which type of packet should be transmitted before
another. You can define the priority, bandwidth, delay buffer size, and tail drop
profiles to be applied to a particular queue for packet transmission.
A scheduler map associates a specified forwarding class with a scheduler
configuration. You can associate up to four user-defined scheduler maps with the
interfaces.

Rewrite Rules
A rewrite rule sets the appropriate CoS bits in the outgoing packet, thus allowing the
next downstream device to classify the packet into the appropriate service group.
Rewriting, or marking, outbound packets is useful when the switch is at the border
of a network and must alter the CoS values to meet the policies of the targeted peer.

NOTE: Rewrite rules are applied when the packets are routed. Rewrite rules are not
applied when the packets are forwarded.
Egress firewall filters can also assign forwarding class and loss priority so that the
packets are rewritten based on forwarding class and loss priority.

Related Topics

Understanding CoS Code-Point Aliases on page 1356

Understanding CoS Classifiers on page 1359

Understanding CoS Forwarding Classes on page 1361

Understanding CoS Tail Drop Profiles on page 1364

Understanding CoS Schedulers on page 1364

Understanding CoS Two-Color Marking on page 1367


Understanding CoS Rewrite Rules on page 1368

Example: Configuring CoS on EX Series Switches on page 1373

Understanding CoS Code-Point Aliases


A code-point alias assigns a name to a pattern of code-point bits. You can use this
name instead of the bit pattern when you configure other CoS components such as
classifiers, drop-profile maps, and rewrite rules.
Behavior aggregate classifiers use class-of-service (CoS) values such as Differentiated
Services code points (DSCPs), IP precedence, and IEEE 802.1p bits to associate
incoming packets with a particular CoS servicing level. On a switch, you can assign
a meaningful name, or alias, to a CoS value and use this alias instead of the bits when
configuring CoS components. These aliases are not part of the specifications but are
well known through usage. For example, the alias for DSCP 101110 is widely accepted
as ef (expedited forwarding).
When you configure classes and define classifiers, you can refer to the markers by
alias names. You can configure user-defined classifiers in terms of alias names. If
the value of an alias changes, it alters the behavior of any classifier that references
it.
You can configure code-point aliases for the following types of CoS markers:

dscp: Handles incoming IPv4 packets.
ieee-802.1: Handles Layer 2 CoS.
inet-precedence: Handles incoming IPv4 packets. IP precedence mapping uses
only the upper three bits of the DSCP field.

This topic covers:

Default Code-Point Aliases on page 1356

Default Code-Point Aliases


Table 173 on page 1356 shows the default mappings between the bit values and
standard aliases.

Table 173: Default Code-Point Aliases

DSCP CoS Values
    Alias      Bit Pattern
    ef         101110
    af11       001010
    af12       001100
    af13       001110
    af21       010010
    af22       010100
    af23       010110
    af31       011010
    af32       011100
    af33       011110
    af41       100010
    af42       100100
    af43       100110
    be         000000
    cs1        001000
    cs2        010000
    cs3        011000
    cs4        100000
    cs5        101000
    nc1/cs6    110000
    nc2/cs7    111000

IEEE 802.1p CoS Values
    Alias      Bit Pattern
    be         000
    be1        001
    ef         010
    ef1        011
    af11       100
    af12       101
    nc1/cs6    110
    nc2/cs7    111

Legacy IP Precedence CoS Values
    Alias      Bit Pattern
    be         000
    be1        001
    ef         010
    ef1        011
    af11       100
    af12       101
    nc1/cs6    110
    nc2/cs7    111

Related Topics
Understanding JUNOS CoS Components for EX Series Switches on page 1353
Example: Configuring CoS on EX Series Switches on page 1373
Defining CoS Code-Point Aliases (CLI Procedure) on page 1394
Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392


Understanding CoS Classifiers


Packet classification associates incoming packets with a particular class-of-service
(CoS) servicing level. Classifiers associate packets with a forwarding class and loss
priority and assign packets to output queues based on the associated forwarding
class. There are two general types of classifiers:

Behavior aggregate (BA) classifiers

Multifield (MF) classifiers

For a specified interface, you can configure both an MF classifier and a BA classifier
without conflicts. In such cases, BA classification is performed first, followed by MF
classification. If the two classification results conflict, the MF classification result
overrides the BA classification result.

NOTE: When a source MAC address is learned, the frame that contains the source
MAC address is always sent out on queue 0 while egressing from the network
interface, irrespective of the classifier applied to the ingress interface.
On Juniper Networks EX8200 Ethernet Switches, you can specify BA classifiers for
bridged multidestination traffic and IP multidestination traffic. The BA classifier for
multicast packets is applied to all interfaces on the EX8200 switch.

Behavior Aggregate Classifiers on page 1359

Multifield Classifiers on page 1360

Behavior Aggregate Classifiers


The behavior aggregate classifier maps a class-of-service (CoS) value to a forwarding
class and loss priority. The forwarding class determines the output queue. The loss
priority is used by a scheduler to control packet discard during periods of congestion.
There are three types of BA classifiers:

Differentiated Services Code Point (DSCP) for IP DiffServ

IP precedence bits

IEEE 802.1p CoS bits

BA classifiers are based on fixed-length fields, which makes them computationally
more efficient than MF classifiers. Therefore core devices, which handle high traffic
volumes, are normally configured to perform BA classification.

Default Behavior Aggregate Classification


Juniper Networks JUNOS Software automatically assigns implicit default classifiers
to all logical interfaces based on the type of interface. Table 174 on page 1360 lists
different types of interfaces and the corresponding implicit default classifiers.

Understanding CoS Classifiers

1359

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 174: Default BA Classification


Type of Interface

Default BA Classification

Trunk interface

ieee8021p-default

Layer 3 interface

dscp-default

Access interface

Untrusted

Routed VLAN interface (RVI)

No default classification

When you explicitly associate a classifier with a logical interface, you are in effect
overriding the implicit default classifier with an explicit classifier.
You can configure routed VLAN interfaces (RVIs) to classify packets. After you do so
the User Priority (UP) bits in the incoming packets are rewritten according to the
default IEEE 802.1p rewrite rule.

NOTE: By default, all BA classifiers classify traffic into either the best-effort forwarding
class or the network-control forwarding class.

NOTE: On EX8200 switches, only one classifier of a single type (DSCP or IEEE 802.1p)
can be applied to an interface.

Multifield Classifiers
Multifield classifiers examine multiple fields in a packet such as source and destination
addresses and source and destination port numbers of the packet. With MF classifiers,
you set the forwarding class and loss priority of a packet based on firewall filter rules.
MF classification is normally performed at the network edge because of the general
lack of DiffServ code point (DSCP) or IP precedence support in end-user applications.
On an edge switch, an MF classifier provides the filtering functionality that scans
through a variety of packet fields to determine the forwarding class for a packet.
Typically, a classifier performs matching operations on the selected fields against a
configured value.
Related Topics


Understanding JUNOS CoS Components for EX Series Switches on page 1353

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394

Defining CoS Classifiers (J-Web Procedure) on page 1396

Understanding CoS Forwarding Classes


It is helpful to think of forwarding classes as output queues. In effect, the end result
of classification is the identification of an output queue for a particular packet. For
a classifier to assign an output queue to each packet, it must associate the packet
with one of the following forwarding classes:

expedited-forwarding (ef): Provides a low loss, low latency, low jitter, assured
bandwidth, end-to-end service.

assured-forwarding (af): Provides a group of values you can define and includes
four subclasses: AF1, AF2, AF3, and AF4, each with two drop probabilities: low
and high.

best-effort (be): Provides no service profile. Loss priority is typically not carried
in a class-of-service (CoS) value.

network-control (nc): Supports protocol control and thus is typically high priority.

multicast expedited-forwarding (mcast-ef): Used for high-priority multicast packets.

multicast assured-forwarding (mcast-af): Provides two drop profiles, high and
low, for multicast packets.

multicast best-effort (mcast-be): Provides no service profile for multicast packets.

NOTE: The forwarding classes multicast expedited-forwarding, multicast
assured-forwarding, and multicast best-effort are applicable only to Juniper Networks
EX8200 Ethernet Switches.

Juniper Networks EX Series Ethernet Switches support up to 16 forwarding classes,
thus allowing granular packet classification. For example, you can configure multiple
classes of EF traffic such as EF, EF1, and EF2.
EX Series switches support up to eight output queues. Therefore, if you configure
more than eight forwarding classes, you must map multiple forwarding classes to
single output queues.
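As an added illustration (not part of this guide or of JUNOS itself), the following Python script parses forwarding-class definitions in the "set class-of-service forwarding-classes ..." form used by the CLI quick configuration in Chapter 70 and applies the limits stated in this topic: up to 16 forwarding classes, only 8 output queues, and a commit failure for a queue number the switch does not have. The sample configuration is constructed; the eight-queue switch and the line format are assumptions.

```python
"""Forwarding-class to output-queue check, modelled on the rules in this topic:
EX Series switches support up to 16 forwarding classes but only 8 output queues,
so more than 8 classes must share queues, and a queue number the switch does not
have makes the commit fail. Added illustration, not JUNOS code; the
'set class-of-service forwarding-classes ...' format follows the Chapter 70 example
and the sample configuration below is constructed."""
import re
from collections import defaultdict

MAX_FORWARDING_CLASSES = 16   # limit stated in this topic
DEFAULT_OUTPUT_QUEUES = 8     # output queues stated in this topic (assumed switch)

FC_LINE = re.compile(
    r"^set class-of-service forwarding-classes class (?P<name>\S+) queue-num (?P<queue>\d+)$"
)

# Constructed sample: the eight classes used by the Chapter 70 example, two extra EF
# classes sharing queue 5 (as the topic suggests for more than eight classes), and one
# class on a queue that does not exist on an 8-queue switch.
SAMPLE_CONFIG = """
set class-of-service forwarding-classes class app queue-num 5
set class-of-service forwarding-classes class mail queue-num 1
set class-of-service forwarding-classes class db queue-num 2
set class-of-service forwarding-classes class erp queue-num 3
set class-of-service forwarding-classes class video queue-num 4
set class-of-service forwarding-classes class best-effort queue-num 0
set class-of-service forwarding-classes class voice queue-num 6
set class-of-service forwarding-classes class network-control queue-num 7
set class-of-service forwarding-classes class ef1 queue-num 5
set class-of-service forwarding-classes class ef2 queue-num 5
set class-of-service forwarding-classes class bogus queue-num 9
"""


def parse_forwarding_classes(config):
    """Return {class name: queue number} for every forwarding-class line in config."""
    classes = {}
    for line in config.splitlines():
        match = FC_LINE.match(line.strip())
        if match:
            classes[match.group("name")] = int(match.group("queue"))
    return classes


def check_queue_assignment(classes, output_queues=DEFAULT_OUTPUT_QUEUES):
    """Return the list of commit errors for a class->queue mapping (empty if valid)."""
    errors = []
    if len(classes) > MAX_FORWARDING_CLASSES:
        errors.append(
            f"{len(classes)} forwarding classes configured; at most "
            f"{MAX_FORWARDING_CLASSES} are supported"
        )
    for name, queue in sorted(classes.items()):
        if not 0 <= queue < output_queues:
            # Mirrors the commit failure described in this topic, which reports
            # the total number of queues available.
            errors.append(
                f"class {name}: queue-num {queue} is invalid; this switch supports "
                f"{output_queues} queues (0 through {output_queues - 1})"
            )
    return errors


def classes_per_queue(classes):
    """Group class names by queue, showing which queues carry more than one class."""
    grouped = defaultdict(list)
    for name, queue in sorted(classes.items()):
        grouped[queue].append(name)
    return dict(grouped)


if __name__ == "__main__":
    fcs = parse_forwarding_classes(SAMPLE_CONFIG)
    for error in check_queue_assignment(fcs):
        print("commit error:", error)
    for queue, names in sorted(classes_per_queue(fcs).items()):
        print(f"queue {queue}: {', '.join(names)}")
```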

Default Forwarding Classes on page 1361

Default Forwarding Classes


Table 175 on page 1362 shows the four default forwarding classes defined for unicast
traffic, and Table 176 on page 1362 shows the three default forwarding classes defined
for multicast traffic.

NOTE: The default forwarding classes for multicast traffic are applicable only to
EX8200 switches.

If desired, you can rename the forwarding classes associated with the queues
supported on your switch. Assigning a new class name to an output queue does not
alter the default classification or scheduling that is applicable to that queue. CoS
configurations can be quite complicated, so unless it is required by your scenario,
we recommend that you not alter the default class names or queue number
associations.
Table 175: Default Forwarding Classes for Unicast Packets

Forwarding Class Name / Comments

best-effort (be)
    The software does not apply any special CoS handling to packets with 000000 in
    the DiffServ field. This is a backward compatibility feature. These packets are
    usually dropped under congested network conditions.

expedited-forwarding (ef)
    The software delivers assured bandwidth, low loss, low delay, and low delay
    variation (jitter) end-to-end for packets in this service class. The software
    accepts excess traffic in this class, but in contrast to the assured forwarding
    class, the out-of-profile expedited-forwarding class packets can be forwarded out
    of sequence or dropped.

assured-forwarding (af)
    The software offers a high level of assurance that the packets are delivered as
    long as the packet flow from the customer stays within a certain service profile
    that you define.
    The software accepts excess traffic, but it applies a tail drop profile to
    determine if the excess packets are dropped and not forwarded.
    Up to two drop probabilities (low and high) are defined for this service class.

network-control (nc)
    The software delivers packets in this service class with a high priority. (These
    packets are not delay-sensitive.)
    Typically, these packets represent routing protocol hello or keepalive messages.
    Because loss of these packets jeopardizes proper network operation, packet delay
    is preferable to packet discard.

Table 176: Default Forwarding Classes for Multicast Packets

Forwarding Class Name / Comments

multicast best-effort (mcast-be)
    The software does not apply any special CoS handling to the multicast packets.
    These packets are usually dropped under congested network conditions.

multicast expedited-forwarding (mcast-ef)
    The software delivers assured bandwidth, low loss, low delay, and low delay
    variation (jitter) end-to-end for multicast packets in this service class. The
    software accepts excess traffic in this class, but in contrast to the multicast
    assured forwarding class, out-of-profile multicast expedited-forwarding class
    packets can be forwarded out of sequence or dropped.

multicast assured-forwarding (mcast-af)
    The software offers a high level of assurance that the multicast packets are
    delivered as long as the packet flow from the customer stays within a certain
    service profile that you define.
    The software accepts excess traffic, but it applies a tail drop profile to
    determine if the excess packets are dropped and not forwarded.
    Up to two drop probabilities (low and high) are defined for this service class.

The following rules govern queue assignment:

CoS configurations that specify more queues than the switch can support are
not accepted. The commit fails with a detailed message that states the total
number of queues available.

All default CoS configurations are based on queue number. The name of the
forwarding class that shows up when the default configuration is displayed is
the forwarding class currently associated with that queue.

Related Topics

Understanding JUNOS CoS Components for EX Series Switches on page 1353

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Forwarding Classes (CLI Procedure) on page 1398

Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Understanding CoS Tail Drop Profiles


A tail drop profile is a congestion management mechanism that allows the switch to
drop arriving packets when queue buffers become full or begin to overflow.
Tail drop profiles define the meanings of the loss priorities. When you configure tail
drop profiles, you are essentially setting the value for queue fullness. The queue
fullness represents a percentage of the memory used to store packets in relation to
the total amount that has been allocated for that specific queue.
The queue fullness defines the delay-buffer bandwidth, which provides packet buffer
space to absorb burst traffic up to the specified duration of delay. Once the specified
delay buffer becomes full, packets with 100 percent drop probability are dropped
from the tail of the buffer.
On Juniper Networks EX Series Ethernet Switches, drop probability is implicitly set
to 100 percent and it cannot be modified.
You specify drop probabilities in the drop profile section of the CoS configuration
hierarchy and reference them in each scheduler configuration.
By default, if you do not configure any drop profile, tail drop profile is in effect and
functions as the primary mechanism for managing congestion. In the default tail
drop profile, when the fill level is 0 percent, the drop probability is 0 percent. When
the fill level is 100 percent, the drop probability is 100 percent.

NOTE: The default drop profile associated with packets whose loss priority is low
cannot be modified. You can configure a custom drop profile only for packets
whose loss priority is high.
Related Topics

Understanding JUNOS CoS Components for EX Series Switches on page 1353

Example: Configuring CoS on EX Series Switches on page 1373

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1403

Understanding CoS Schedulers


You use schedulers to define the properties of output queues. These properties include
the amount of interface bandwidth assigned to the queue, the size of the memory
buffer allocated for storing packets, the priority of the queue, and the drop profiles
associated with the queue.
You associate the schedulers with forwarding classes by means of scheduler maps.
You can then associate each scheduler map with an interface, thereby configuring
the queues, packet schedulers, and tail drop processes that operate according to this
mapping.


Default Schedulers on page 1365

Transmission Rate on page 1365

Scheduler Buffer Size on page 1366

Priority Scheduling on page 1366

Scheduler Drop-Profile Maps on page 1367

Scheduler Maps on page 1367

Default Schedulers
Each forwarding class has an associated scheduler priority. Only two forwarding
classes, best-effort (queue0) and network-control (queue7), are used in the default
configuration.

NOTE: On Juniper Networks EX8200 Ethernet Switches, three forwarding classes,
best-effort (queue0), multicast best-effort (queue2), and network-control (queue7),
are used in the default configuration.
By default, the best-effort forwarding class (queue 0) receives 95 percent of the
bandwidth and buffer space for the output link, and the network-control forwarding
class (queue 7) receives 5 percent. The default drop profile causes the buffer to fill
completely and then to discard all incoming packets until it has free space.

NOTE: On EX8200 switches, by default, the best-effort forwarding class (queue 0)
receives 75 percent of the bandwidth, the multicast best-effort forwarding class
(queue 2) receives 20 percent of the bandwidth and buffer space for the output link,
and the network-control forwarding class (queue 7) receives 5 percent.
The expedited-forwarding and assured-forwarding classes have no scheduler because
no resources are assigned to queue 5 and queue 1, by default. However, you can
manually configure resources for the expedited-forwarding and assured-forwarding
classes.
Also by default, each queue can exceed the assigned bandwidth if additional
bandwidth is available from other queues. When a forwarding class does not fully
use the allocated transmission bandwidth, the remaining bandwidth can be used by
other forwarding classes if they receive a larger amount of offered load than their
allocated bandwidth allows.

Transmission Rate
The transmission-rate control determines the actual traffic bandwidth from each
forwarding class you configure. The rate is specified in bits per second. Each queue
is allocated some portion of the bandwidth of the outgoing interface.
This bandwidth amount can be a fixed value, such as 1 megabit per second (Mbps),
a percentage of the total available bandwidth, or the rest of the available bandwidth.
You can allow transmission bandwidth to exceed the configured rate if additional
bandwidth is available from other queues. In case of congestion, the configured
transmission rate is guaranteed for the queue. This property allows you to ensure
that each queue receives the amount of bandwidth appropriate to its level of service.

Scheduler Buffer Size


To control congestion at the output stage, you can configure the delay-buffer
bandwidth. The delay-buffer bandwidth provides packet buffer space to absorb burst
traffic up to the specified duration of delay. Once the specified delay buffer becomes
full, packets with 100 percent drop probability are dropped from the tail of the buffer.
The default scheduler transmission rates for queues 0 through 7 are 95, 0, 0, 0, 0, 0,
0, and 5 percent of the total available bandwidth. The default buffer-size percentages
for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent of the total available
buffer.

NOTE: On EX8200 switches, the default scheduler transmission rates for queues 0
through 7 are 75, 0, 20, 0, 0, 0, 0, and 5 percent of the total available bandwidth.
The default buffer-size percentages for queues 0 through 7 are 75, 0, 20, 0, 0, 0, 0,
and 5 percent of the total available buffer.
For each scheduler, you can configure the buffer size as one of the following:

A percentage of the total buffer.

The remaining buffer available. The remainder is the buffer percentage that is
not assigned to other queues. For example, if you assign 40 percent of the delay
buffer to queue 0, allow queue 2 to keep the default allotment of 20 percent,
allow queue 7 to keep the default allotment of 5 percent, and assign the remainder
to queue 3, then queue 3 uses approximately 35 percent of the delay buffer.

Priority Scheduling
Priority scheduling determines the order in which an output interface transmits traffic
from the queues, thus ensuring that queues containing important traffic are provided
better access to the outgoing interface.
Priority scheduling is accomplished through a procedure in which the scheduler
examines the priority of the queue. Juniper Networks JUNOS Software supports two
levels of transmission priority:

Low: The scheduler determines if the individual queue is within its defined
bandwidth profile. This binary decision, which is reevaluated on a regular time
cycle, compares the amount of data transmitted by the queue against the amount
of bandwidth allocated to it by the scheduler. When the transmitted amount is
less than the allocated amount, the queue is considered to be in profile. A queue
is out of profile when its transmitted amount is larger than its allocated amount.
An out-of-profile queue is transmitted only if bandwidth is available; otherwise,
it is buffered.
A queue from the set is selected based on the shaped deficit weighted round
robin (SDWRR) algorithm, which operates within the set.

Strict-high: A strict-high priority queue receives preferential treatment over a low
priority queue. Unlimited bandwidth is assigned to a strict-high priority queue.
Queues are scheduled according to the queue number, starting with the highest
queue, queue 7, with decreasing priority down through queue 0. Traffic in higher
queue numbers is always scheduled prior to traffic in lower queue numbers. In other
words, if there are two high priority queues, the queue with the higher queue number
is processed first.

Packets in low priority queues are transmitted only when strict-high priority queues
are empty.

Scheduler Drop-Profile Maps
Drop-profile maps associate drop profiles with a scheduler. A drop-profile map sets
the drop profile for a specific packet loss priority (PLP) and protocol type. The inputs
for the drop-profile map are the PLP and the protocol type. The output is the drop
profile.

Scheduler Maps
A scheduler map associates a specified forwarding class with a scheduler
configuration. After configuring a scheduler, you must include it in a scheduler map
and then associate the scheduler map with an output interface.
Juniper Networks EX Series Ethernet Switches allow you to associate up to four
user-defined scheduler maps with interfaces.
Related Topics

Understanding JUNOS CoS Components for EX Series Switches on page 1353

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Schedulers (CLI Procedure) on page 1400

Defining CoS Schedulers (J-Web Procedure) on page 1401

Understanding CoS Two-Color Marking


Networks police traffic by limiting the input or output transmission rate of a class of
traffic on the basis of user-defined criteria. Policing traffic allows you to control the
maximum rate of traffic sent or received on an interface and to partition a network
into multiple priority levels or classes of service.
Policers require you to apply limits to the traffic flow and set a consequence for
packets that exceed these limits, usually a higher loss priority, so that packets
exceeding the policer limits are discarded first.
Juniper Networks EX Series Ethernet Switches support a single-rate two-color marking
type of policer, which is a simplified version of Single-Rate-Three-Color marking,
defined in RFC 2697, A Single Rate Three Color Marker. This type of policer meters
traffic based on the configured committed information rate (CIR) and committed
burst size (CBS).

The single-rate two-color marker meters traffic and marks incoming packets
depending on whether they fit within the committed burst size (CBS), in which case
they are marked green, or exceed it, in which case they are marked red.
The single-rate two-color marking policer operates in color-blind mode. In this mode,
the policer's actions are not affected by any previous marking or metering of the
examined packets. In other words, the policer is "blind" to any previous coloring a
packet might have had.
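The following Python model of the single-rate two-color marker described above is an added illustration, not switch code from this guide: a token bucket filled at the CIR and capped at the CBS, marking packets green or red and assigning the red ones loss priority high, while ignoring any upstream color (color-blind mode). The CIR, CBS and packet trace are constructed sample values.

```python
"""Single-rate two-color marker as this topic describes it: a token bucket filled at
the committed information rate (CIR) and no deeper than the committed burst size
(CBS). A packet that fits in the bucket is green; one that does not is red and, as the
policer consequence, gets loss priority high. Added illustration in Python, not
switch code. Rates, burst size and the packet trace are constructed; keeping tokens
in byte-microseconds is an implementation choice so refills never round."""
from dataclasses import dataclass

SCALE = 1_000_000  # tokens are kept in byte-microseconds


@dataclass
class Packet:
    arrival_us: int          # arrival time in microseconds
    length: int              # bytes on the wire
    color: str = "unmarked"  # any upstream colouring; ignored (colour-blind mode)


class SingleRateTwoColorMarker:
    def __init__(self, cir_bps, cbs_bytes):
        self.cir_bytes_per_s = cir_bps // 8
        self.cbs = cbs_bytes
        self.tokens = cbs_bytes * SCALE  # bucket starts full
        self.last_us = 0

    def _refill(self, now_us):
        """Add CIR * elapsed bytes to the bucket, capped at CBS."""
        elapsed = max(0, now_us - self.last_us)
        self.tokens = min(self.cbs * SCALE, self.tokens + self.cir_bytes_per_s * elapsed)
        self.last_us = max(self.last_us, now_us)

    def mark(self, packet):
        """Return (color, loss_priority). Colour-blind: packet.color is never read."""
        self._refill(packet.arrival_us)
        need = packet.length * SCALE
        if need <= self.tokens:
            self.tokens -= need
            return "green", "low"
        return "red", "high"   # exceeds the CBS: not debited, discarded first


def police(packets, cir_bps, cbs_bytes):
    """Run a packet trace through one marker and return the marking per packet."""
    marker = SingleRateTwoColorMarker(cir_bps, cbs_bytes)
    return [marker.mark(p) for p in packets]


# Constructed trace: CIR 1 Mbit/s (125,000 bytes/s), CBS 15,000 bytes. Eleven
# 1500-byte frames arrive at once (the 11th overflows the burst), then two more
# arrive 12 ms later, by which time the bucket has refilled exactly one frame's worth.
CIR_BPS = 1_000_000
CBS_BYTES = 15_000
SAMPLE_TRACE = [Packet(0, 1500, color="green") for _ in range(11)] + [
    Packet(12_000, 1500, color="red"),    # upstream red, still metered green
    Packet(12_000, 1500, color="green"),  # upstream green, bucket now empty: red
]

if __name__ == "__main__":
    for pkt, (color, plp) in zip(SAMPLE_TRACE, police(SAMPLE_TRACE, CIR_BPS, CBS_BYTES)):
        print(f"t={pkt.arrival_us:>6} us  {pkt.length} B  -> {color:5} loss-priority {plp}")
```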
Related Topics

Understanding JUNOS CoS Components for EX Series Switches on page 1353

Understanding the Use of Policers in Firewall Filters on page 1274

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1310

Understanding CoS Rewrite Rules


As packets enter or exit a network, edge switches might be required to alter the
class-of-service (CoS) settings of the packets. Rewrite rules set the value of the CoS
bits within the packet's header. Each rewrite rule reads the current forwarding class
and loss priority associated with the packet, locates the chosen CoS value from a
table, and writes this CoS value into the packet header. Rewrite rules must be assigned
to an interface for rewrites to be activated. Only tagged Layer 3 interfaces and tagged
routed VLAN interfaces (RVIs) rewrite packets by using the default IEEE 802.1p
rewrite rule. Multiple rewrite rules of different types can be applied to a single
interface.

NOTE: On Juniper Networks EX8200 Ethernet Switches, rewrite rules can be
bound only to Layer 3 interfaces and RVIs. Rewrites on these interfaces are not a
default behavior, and only one rewrite rule of each type can be bound to any interface
in the system.
In effect, the rewrite rule performs the opposite function of the behavior aggregate
(BA) classifier used when the packet enters the switch. As the packet leaves the
switch, the final CoS action is generally the application of a rewrite rule.
You configure rewrite rules to alter CoS values in outgoing packets on the outbound
interfaces of an edge switch to meet the policies of a targeted peer. This allows the
downstream switch in a neighboring network to classify each packet into the
appropriate service group.

NOTE: When an IP precedence rewrite rule is active, bits 3, 4, and 5 of the ToS byte
are always reset to zero when code points are rewritten.


Default Rewrite Rule on page 1369

Default Rewrite Rule


If you want to enable a rewrite rule on an interface, you can either create your own
rule and enable it on the interface or enable a default rewrite rule. See Defining CoS
Rewrite Rules (CLI Procedure) on page 1404.
Table 177 on page 1369 shows the default rewrite-rule mappings. These are based on
the default bit definitions of Differentiated Services code point (DSCP), IEEE 802.1p,
and IP precedence values and the default forwarding classes.
When the CoS values of a packet match the forwarding-class and packet-loss-priority
(PLP) values, the switch rewrites markings on the packet based on the rewrite table.
Table 177: Default Packet Header Rewrite Mappings

Map from Forwarding Class    PLP Value    Map to DSCP/IEEE 802.1p/IP Precedence Value
expedited-forwarding         low          ef
expedited-forwarding         high         ef
assured-forwarding           low          af11
assured-forwarding           high         af12 (DSCP)
best-effort                  low          be
best-effort                  high         be
network-control              low          nc1/cs6
network-control              high         nc2/cs7
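As an added illustration (not code from this guide or from JUNOS), the following Python applies the DSCP column of Table 177 to the ToS byte of an IP header, implements the IP precedence note above (bits 3, 4, and 5 reset), and runs the ingress-to-egress round trip that makes a rewrite rule the inverse of the BA classifier. It assumes the standard DSCP code-point values from RFC 2474, RFC 2597 and RFC 3246, and a default classifier that sends only nc1/cs6 and nc2/cs7 to network-control and everything else to best-effort, as the Default Behavior Aggregate Classification note states.

```python
"""Default DSCP rewrite from Table 177 applied to the ToS/DSCP byte of an IP header,
the IP precedence rewrite behaviour noted in this topic (bits 3, 4 and 5 of the ToS
byte reset to zero), and the ingress-to-egress round trip. Added illustration, not
JUNOS code. Code-point numbers are the standard DSCP values (RFC 2474, 2597, 3246);
the default-classifier behaviour is assumed from the note that default BA classifiers
use only the best-effort and network-control forwarding classes."""

DSCP_CODE_POINTS = {
    "be": 0b000000, "af11": 0b001010, "af12": 0b001100,
    "ef": 0b101110, "cs6": 0b110000, "cs7": 0b111000,
}

# Table 177, DSCP column: (forwarding class, loss priority) -> code point alias
DEFAULT_DSCP_REWRITE = {
    ("expedited-forwarding", "low"): "ef",
    ("expedited-forwarding", "high"): "ef",
    ("assured-forwarding", "low"): "af11",
    ("assured-forwarding", "high"): "af12",
    ("best-effort", "low"): "be",
    ("best-effort", "high"): "be",
    ("network-control", "low"): "cs6",   # nc1
    ("network-control", "high"): "cs7",  # nc2
}


def rewrite_dscp(tos_byte, forwarding_class, loss_priority):
    """Rewrite the 6-bit DSCP field (the top six bits of the ToS byte) per Table 177.
    The two low-order (ECN) bits are left as they were."""
    alias = DEFAULT_DSCP_REWRITE[(forwarding_class, loss_priority)]
    return (DSCP_CODE_POINTS[alias] << 2) | (tos_byte & 0b11)


def rewrite_ip_precedence(tos_byte, precedence):
    """Write a 3-bit IP precedence into bits 0-2 (MSB first) of the ToS byte and, as
    the note in this topic says, reset bits 3, 4 and 5. Bits 6 and 7 are assumed
    to be left untouched."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit value")
    return (precedence << 5) | (tos_byte & 0b00000011)


def classify_dscp_default(tos_byte):
    """Assumed EX default DSCP classifier: nc1/nc2 to network-control, everything
    else to best-effort with loss priority low."""
    dscp = tos_byte >> 2
    if dscp == DSCP_CODE_POINTS["cs6"]:
        return "network-control", "low"
    if dscp == DSCP_CODE_POINTS["cs7"]:
        return "network-control", "high"
    return "best-effort", "low"


def ingress_to_egress(tos_byte, classifier=classify_dscp_default):
    """Classify an arriving packet, then apply the default rewrite on the way out.
    Returns (forwarding class, loss priority, egress ToS byte)."""
    fc, plp = classifier(tos_byte)
    return fc, plp, rewrite_dscp(tos_byte, fc, plp)


if __name__ == "__main__":
    # With only the default classifier, an EF-marked packet leaves remarked as
    # best-effort: a custom classifier is needed to preserve EF end to end.
    ef_in = DSCP_CODE_POINTS["ef"] << 2
    print("EF in :", format(ef_in, "08b"), "->", ingress_to_egress(ef_in))
    nc_in = DSCP_CODE_POINTS["cs7"] << 2
    print("NC2 in:", format(nc_in, "08b"), "->", ingress_to_egress(nc_in))
```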

Related Topics

Understanding JUNOS CoS Components for EX Series Switches on page 1353

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Rewrite Rules (CLI Procedure) on page 1404

Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Understanding Port Shaping and Queue Shaping for CoS on EX Series Switches
If the amount of traffic on a switch's network interface is more than the maximum
bandwidth allowed on the interface, it leads to congestion. Port shaping and queue
shaping can be used to manage the excess traffic and avoid congestion. Port shaping
defines the maximum bandwidth allocated to a port, while queue shaping defines a
limit on excess-bandwidth usage per queue.
This topic covers:

Port Shaping on page 1370

Queue Shaping on page 1370

Port Shaping
Port shaping enables you to shape the aggregate traffic through a port or channel to
a rate that is less than the line or port rate.

Queue Shaping
Queue shaping throttles the rate at which queues transmit packets. For example,
using queue shaping, you can rate-limit a strict-priority queue so that the strict-priority
queue does not lock out (or starve) low-priority queues. Similarly, for any queue, you
can configure queue shaping.
Related Topics

Understanding CoS Schedulers on page 1364

Defining CoS Schedulers (CLI Procedure) on page 1400

Understanding JUNOS EZQoS for CoS Configurations on EX Series Switches


JUNOS EZQoS on Juniper Networks EX Series Ethernet Switches eliminates the
complexities involved in configuring class of service (CoS) across the network. EZQoS
offers templates for key traffic classes.
JUNOS CoS allows you to divide traffic into classes and offer various levels of
throughput and packet loss when congestion occurs. You can use CoS to ensure that
different types of traffic (voice, video, and data) get the bandwidth and consideration
they need to meet user expectations and business objectives.
Configuring CoS requires careful consideration of your service needs and thorough
planning and design to ensure consistency across all switches in a CoS domain. To
configure CoS manually, you must define and fine-tune all CoS components such as
classifiers, rewrite rules, forwarding classes, schedulers, and scheduler-maps and
then apply these components to the interfaces. Therefore, configuring CoS can be a
fairly complex and time-consuming task.
EZQoS works by automatically assigning preconfigured values to all CoS parameters
based on the typical application requirements. These preconfigured values are stored
in a template with a unique name. You can change the preconfigured values of these
parameters to suit your particular application needs.
To use EZQoS, you must identify which switch ports are being used for a specific
application (such as VoIP, video, and data) and manually apply the corresponding
application-specific EZQoS template to these switch ports.

NOTE: Currently, we provide an EZQoS template for configuring CoS for VoIP.

NOTE: We recommend that you do not use the term EZQoS for defining a classifier.
Related Topics

JUNOS CoS for EX Series Switches Overview on page 1352

Configuring JUNOS EZQoS for CoS (CLI Procedure) on page 1409


Chapter 70

Examples of Configuring CoS

Example: Configuring CoS on EX Series Switches on page 1373

Example: Configuring CoS on EX Series Switches


Configure class of service (CoS) on your switch to manage traffic so that when the
network experiences congestion and delay, critical applications are protected. Using
CoS, you can divide traffic on your switch into classes and provide various levels of
throughput and packet loss. This is especially important for traffic that is sensitive
to jitter and delay, such as voice traffic.
This example shows how to configure CoS on a single EX Series switch in the network.

Requirements on page 1373

Overview and Topology on page 1373

Configuration on page 1376

Verification on page 1387

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

One Juniper Networks EX3200 switch

Overview and Topology


This example uses the topology shown in Figure 77 on page 1374.

Figure 77: Topology for Configuring CoS

The topology for this configuration example consists of one EX Series switch at the
access layer.
The EX Series access switch is configured to support VLAN membership. Switch ports
ge-0/0/0 and ge-0/0/1 are assigned to the voice-vlan for two VoIP phones. Switch
port ge-0/0/2 is assigned to the camera-vlan for the surveillance camera. Switch ports
ge-0/0/3, ge-0/0/4, ge-0/0/5, and ge-0/0/6 are assigned to the server-vlan for the
servers hosting various applications such as those provided by Citrix, Microsoft,
Oracle, and SAP.
Table 178 on page 1375 shows the VLAN configuration components.

Table 178: Configuration Components: VLANs

voice-vlan
    VLAN ID: 10
    VLAN subnet and available IP addresses: 192.168.1.0/32; 192.168.1.1 through
    192.168.1.11 (192.168.1.12 is the subnet's broadcast address)
    VLAN description: Voice VLAN used for employee VoIP communication.

camera-vlan
    VLAN ID: 20
    VLAN subnet and available IP addresses: 192.168.1.13/32; 192.168.1.14 through
    192.168.1.20 (192.168.1.21 is the subnet's broadcast address)
    VLAN description: VLAN for the surveillance cameras.

server-vlan
    VLAN ID: 30
    VLAN subnet and available IP addresses: 192.168.1.22/32; 192.168.1.23 through
    192.168.1.35 (192.168.1.36 is the subnet's broadcast address)
    VLAN description: VLAN for the servers hosting enterprise applications.

Ports on the EX Series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports. Table
179 on page 1375 shows the switch interfaces that are assigned to the VLANs and the
IP addresses for devices connected to the switch ports:
Table 179: Configuration Components: Switch Ports on a 48-Port All-PoE Switch

ge-0/0/0, ge-0/0/1
    VLAN membership: voice-vlan
    IP addresses: 192.168.1.1 through 192.168.1.2
    Port devices: Two VoIP telephones.

ge-0/0/2
    VLAN membership: camera-vlan
    IP addresses: 192.168.1.14
    Port devices: Surveillance camera.

ge-0/0/3, ge-0/0/4, ge-0/0/5, ge-0/0/6
    VLAN membership: server-vlan
    IP addresses: 192.168.1.23 through 192.168.1.26
    Port devices: Four servers hosting applications such as those provided by Citrix,
    Microsoft, Oracle, and SAP.

NOTE: This example shows how to configure CoS on a single EX Series switch. This
example does not consider across-the-network applications of CoS in which you
might implement different configurations on ingress and egress switches to provide
differentiated treatment to different classes across a set of nodes in a network.

Configuration
CLI Quick Configuration

To quickly configure CoS, copy the following commands and paste them into the
switch terminal window:
[edit]
set class-of-service forwarding-classes class app queue-num 5
set class-of-service forwarding-classes class mail queue-num 1
set class-of-service forwarding-classes class db queue-num 2
set class-of-service forwarding-classes class erp queue-num 3
set class-of-service forwarding-classes class video queue-num 4
set class-of-service forwarding-classes class best-effort queue-num 0
set class-of-service forwarding-classes class voice queue-num 6
set class-of-service forwarding-classes class network-control queue-num 7
set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32
set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32
set firewall family ethernet-switching filter voip_class term voip from protocol udp
set firewall family ethernet-switching filter voip_class term voip from source-port 2698
set firewall family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low
set firewall family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control]
set firewall family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/0 description phone1voip-ingress-port
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input voip_class
set interfaces ge-0/0/1 description phone2voip-ingress-port
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input voip_class
set firewall family ethernet-switching filter video_class term video from source-address 192.168.1.14/32
set firewall family ethernet-switching filter video_class term video from protocol udp
set firewall family ethernet-switching filter video_class term video from source-port 2979
set firewall family ethernet-switching filter video_class term video then forwarding-class video loss-priority low
set firewall family ethernet-switching filter video_class term network_control from precedence [net-control internet-control]
set firewall family ethernet-switching filter video_class term network_control then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter video_class term best_effort_traffic then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/2 description video-ingress-port
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input video_class

set firewall family ethernet-switching filter app_class term app from source-address 192.168.1.23/32
set firewall family ethernet-switching filter app_class term app from protocol tcp
set firewall family ethernet-switching filter app_class term app from source-port [1494 2512 2513 2598 2897]
set firewall family ethernet-switching filter app_class term app then forwarding-class app loss-priority low
set firewall family ethernet-switching filter app_class term mail from source-address 192.168.1.24/32
set firewall family ethernet-switching filter app_class term mail from protocol tcp
set firewall family ethernet-switching filter app_class term mail from source-port [25 143 389 691 993 3268 3269]
set firewall family ethernet-switching filter app_class term mail then forwarding-class mail loss-priority low
set firewall family ethernet-switching filter app_class term db from source-address 192.168.1.25/32
set firewall family ethernet-switching filter app_class term db from protocol tcp
set firewall family ethernet-switching filter app_class term db from source-port [1521 1525 1527 1571 1810 2481]
set firewall family ethernet-switching filter app_class term db then forwarding-class db loss-priority low
set firewall family ethernet-switching filter app_class term erp from source-address 192.168.1.26/32
set firewall family ethernet-switching filter app_class term erp from protocol tcp
set firewall family ethernet-switching filter app_class term erp from source-port [3200 3300 3301 3600]
set firewall family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low
set firewall family ethernet-switching filter app_class term network_control from precedence [net-control internet-control]
set firewall family ethernet-switching filter app_class term network_control then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter app_class term best_effort_traffic then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/3 unit 0 family ethernet-switching filter input app_class
set interfaces ge-0/0/4 unit 0 family ethernet-switching filter input app_class
set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input app_class
set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input app_class
set class-of-service schedulers voice-sched buffer-size percent 10
set class-of-service schedulers voice-sched priority strict-high
set class-of-service schedulers voice-sched transmit-rate percent 10
set class-of-service schedulers video-sched buffer-size percent 15
set class-of-service schedulers video-sched priority low
set class-of-service schedulers video-sched transmit-rate percent 15
set class-of-service schedulers app-sched buffer-size percent 10
set class-of-service schedulers app-sched priority low
set class-of-service schedulers app-sched transmit-rate percent 10
set class-of-service schedulers mail-sched buffer-size percent 5
set class-of-service schedulers mail-sched priority low
set class-of-service schedulers mail-sched transmit-rate percent 5
set class-of-service schedulers db-sched buffer-size percent 10
set class-of-service schedulers db-sched priority low
set class-of-service schedulers db-sched transmit-rate percent 10
set class-of-service schedulers erp-sched buffer-size percent 10
set class-of-service schedulers erp-sched priority low
set class-of-service schedulers erp-sched transmit-rate percent 10
set class-of-service schedulers nc-sched buffer-size percent 5
set class-of-service schedulers nc-sched priority strict-high

Configuration

1377

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

set class-of-service schedulers nc-sched transmit-rate percent 5


set class-of-service schedulers be-sched buffer-size percent 35
set class-of-service schedulers be-sched priority low
set class-of-service schedulers be-sched transmit-rate percent 35
set class-of-service scheduler-maps ethernet-cos-map forwarding-class voice
scheduler voice-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class video
scheduler video-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class app scheduler
app-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class mail
scheduler mail-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class db scheduler
db-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class erp scheduler
erp-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class
network-control scheduler nc-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class best-effort
scheduler be-sched
set class-of-service interfaces ge-0/0/20 scheduler-map ethernet-cos-map

Step-by-Step Procedure

To configure and apply CoS:

1. Configure one-to-one mapping between eight forwarding classes and eight queues:

[edit class-of-service]
user@switch# set forwarding-classes class app queue-num 5
user@switch# set forwarding-classes class mail queue-num 1
user@switch# set forwarding-classes class db queue-num 2
user@switch# set forwarding-classes class erp queue-num 3
user@switch# set forwarding-classes class video queue-num 4
user@switch# set forwarding-classes class best-effort queue-num 0
user@switch# set forwarding-classes class voice queue-num 6
user@switch# set forwarding-classes class network-control queue-num 7

2. Define the firewall filter voip_class to classify the VoIP traffic:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class

3. Define the term voip:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32
user@switch# set family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32
user@switch# set family ethernet-switching filter voip_class term voip from protocol udp
user@switch# set family ethernet-switching filter voip_class term voip from source-port 2698
user@switch# set family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low

4. Define the term network_control:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control]
user@switch# set family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low

This term matches on the IP precedence bits exactly as the sending host set them, so any device behind an interface that carries this filter can place its traffic in the network-control forwarding class (and the strict-high nc-sched scheduler configured in step 20) simply by marking its packets. Apply filters containing such a term only on ports whose attached devices you trust to mark traffic.

5. Define the term best_effort_traffic with no match conditions. A firewall filter ends with an implicit discard, so this catch-all term is what keeps traffic that matched none of the earlier terms from being dropped:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low

6. Apply the firewall filter voip_class as an input filter to the interfaces for the VoIP phones:

[edit interfaces]
user@switch# set ge-0/0/0 description phone1voip-ingress-port
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input voip_class
user@switch# set ge-0/0/1 description phone2voip-ingress-port
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input voip_class

7. Define the firewall filter video_class to classify the video traffic:

[edit firewall]
user@switch# set family ethernet-switching filter video_class

8. Define the term video:

[edit firewall]
user@switch# set family ethernet-switching filter video_class term video from source-address 192.168.1.14/32
user@switch# set family ethernet-switching filter video_class term video from protocol udp
user@switch# set family ethernet-switching filter video_class term video from source-port 2979
user@switch# set family ethernet-switching filter video_class term video then forwarding-class video loss-priority low

9. Define the term network_control (for the video_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter video_class term network_control from precedence [net-control internet-control]
user@switch# set family ethernet-switching filter video_class term network_control then forwarding-class network-control loss-priority low

10. Define the term best_effort_traffic (for the video_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter video_class term best_effort_traffic then forwarding-class best-effort loss-priority low

11. Apply the firewall filter video_class as an input filter to the interface for the surveillance camera:

[edit interfaces]
user@switch# set ge-0/0/2 description video-ingress-port
user@switch# set ge-0/0/2 unit 0 family ethernet-switching filter input video_class

12. Define the firewall filter app_class to classify the application server traffic:

[edit firewall]
user@switch# set family ethernet-switching filter app_class

13. Define the term app:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term app from source-address 192.168.1.23/32
user@switch# set family ethernet-switching filter app_class term app from protocol tcp
user@switch# set family ethernet-switching filter app_class term app from source-port [1494 2512 2513 2598 2897]
user@switch# set family ethernet-switching filter app_class term app then forwarding-class app loss-priority low

14. Define the term mail:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term mail from source-address 192.168.1.24/32
user@switch# set family ethernet-switching filter app_class term mail from protocol tcp
user@switch# set family ethernet-switching filter app_class term mail from source-port [25 143 389 691 993 3268 3269]
user@switch# set family ethernet-switching filter app_class term mail then forwarding-class mail loss-priority low

15. Define the term db:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term db from source-address 192.168.1.25/32
user@switch# set family ethernet-switching filter app_class term db from protocol tcp
user@switch# set family ethernet-switching filter app_class term db from source-port [1521 1525 1527 1571 1810 2481]
user@switch# set family ethernet-switching filter app_class term db then forwarding-class db loss-priority low

16. Define the term erp:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term erp from source-address 192.168.1.26/32
user@switch# set family ethernet-switching filter app_class term erp from protocol tcp
user@switch# set family ethernet-switching filter app_class term erp from source-port [3200 3300 3301 3600]
user@switch# set family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low

17. Define the term network_control (for the app_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter app_class term network_control from precedence [net-control internet-control]
user@switch# set family ethernet-switching filter app_class term network_control then forwarding-class network-control loss-priority low

18. Define the term best_effort_traffic (for the app_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter app_class term best_effort_traffic then forwarding-class best-effort loss-priority low

19. Apply the firewall filter app_class as an input filter to the interfaces for the servers hosting applications:

[edit interfaces]
user@switch# set ge-0/0/3 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/4 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/5 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/6 unit 0 family ethernet-switching filter input app_class

20. Configure schedulers. The transmit rates of the eight schedulers add up to 100 percent, as do the buffer sizes:

[edit class-of-service]
user@switch# set schedulers voice-sched buffer-size percent 10
user@switch# set schedulers voice-sched priority strict-high
user@switch# set schedulers voice-sched transmit-rate percent 10
user@switch# set schedulers video-sched buffer-size percent 15
user@switch# set schedulers video-sched priority low
user@switch# set schedulers video-sched transmit-rate percent 15
user@switch# set schedulers app-sched buffer-size percent 10
user@switch# set schedulers app-sched priority low
user@switch# set schedulers app-sched transmit-rate percent 10
user@switch# set schedulers mail-sched buffer-size percent 5
user@switch# set schedulers mail-sched priority low
user@switch# set schedulers mail-sched transmit-rate percent 5
user@switch# set schedulers db-sched buffer-size percent 10
user@switch# set schedulers db-sched priority low
user@switch# set schedulers db-sched transmit-rate percent 10
user@switch# set schedulers erp-sched buffer-size percent 10
user@switch# set schedulers erp-sched priority low
user@switch# set schedulers erp-sched transmit-rate percent 10
user@switch# set schedulers nc-sched buffer-size percent 5
user@switch# set schedulers nc-sched priority strict-high
user@switch# set schedulers nc-sched transmit-rate percent 5
user@switch# set schedulers be-sched buffer-size percent 35
user@switch# set schedulers be-sched priority low
user@switch# set schedulers be-sched transmit-rate percent 35

21. Assign the forwarding classes to schedulers with the scheduler map ethernet-cos-map:

[edit class-of-service]
user@switch# set scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class app scheduler app-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class mail scheduler mail-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class db scheduler db-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class erp scheduler erp-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched

22. Associate the scheduler map with the outgoing interface:

[edit class-of-service interfaces]
user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map
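The filter terms in steps 3 through 5 are evaluated in order, and the first term whose conditions all hold decides the forwarding class. The following Python model is an added example, not code from the guide or from JUNOS: it re-creates the voip_class filter and runs three constructed packets through it, showing that a host on the port can reach the network-control class merely by setting IP precedence, and that removing the catch-all term turns every otherwise-unmatched packet into a discard. The precedence bit patterns are the RFC 791 values that the JUNOS aliases net-control and internet-control name; the packet dictionaries are made up for the demonstration.

```python
"""Model of first-match term evaluation in a JUNOS ethernet-switching firewall filter.

Added example, not part of the original guide. It re-creates the voip_class filter
from the procedure above and classifies constructed sample packets with it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# IP precedence bit patterns from RFC 791; JUNOS names these two with the
# aliases net-control (111) and internet-control (110).
PRECEDENCE = {"net-control": 0b111, "internet-control": 0b110}


@dataclass
class Term:
    name: str
    source_address: list = field(default_factory=list)  # CIDR prefixes
    protocol: list = field(default_factory=list)        # "udp" / "tcp"
    source_port: list = field(default_factory=list)     # port numbers
    precedence: list = field(default_factory=list)      # precedence alias names
    forwarding_class: str = ""
    loss_priority: str = "low"

    def matches(self, pkt):
        """Every configured 'from' condition must hold; a term with none matches all."""
        if self.source_address and not any(
            ip_address(pkt["src"]) in ip_network(p) for p in self.source_address
        ):
            return False
        if self.protocol and pkt["proto"] not in self.protocol:
            return False
        if self.source_port and pkt["sport"] not in self.source_port:
            return False
        if self.precedence and pkt["prec"] not in {PRECEDENCE[a] for a in self.precedence}:
            return False
        return True


def classify(terms, pkt):
    """First matching term wins. A packet matching no term hits the filter's
    implicit discard, which is what the catch-all best_effort_traffic term avoids."""
    for term in terms:
        if term.matches(pkt):
            return term.forwarding_class, term.loss_priority
    return "discard", None


# The voip_class filter exactly as configured in steps 3 to 5.
VOIP_CLASS = [
    Term("voip", source_address=["192.168.1.1/32", "192.168.1.2/32"],
         protocol=["udp"], source_port=[2698], forwarding_class="voice"),
    Term("network_control", precedence=["net-control", "internet-control"],
         forwarding_class="network-control"),
    Term("best_effort_traffic", forwarding_class="best-effort"),
]

# Constructed sample packets: source address, protocol, source port, IP precedence.
PHONE_RTP = {"src": "192.168.1.1", "proto": "udp", "sport": 2698, "prec": 0}
PHONE_SIGNALING = {"src": "192.168.1.1", "proto": "udp", "sport": 5060, "prec": 0}
SELF_MARKED = {"src": "192.168.1.99", "proto": "tcp", "sport": 44321, "prec": 0b111}
SAMPLES = [("phone_rtp", PHONE_RTP), ("phone_signaling", PHONE_SIGNALING),
           ("self_marked", SELF_MARKED)]


def demo():
    """Forwarding class per sample packet, with and without the catch-all term."""
    with_catch_all = {name: classify(VOIP_CLASS, pkt)[0] for name, pkt in SAMPLES}
    without_catch_all = {name: classify(VOIP_CLASS[:2], pkt)[0] for name, pkt in SAMPLES}
    return with_catch_all, without_catch_all


if __name__ == "__main__":
    for label, result in zip(("with catch-all term", "without catch-all term"), demo()):
        print(label, result)
```

The self_marked packet comes from an address and port the filter knows nothing about, yet it lands in network-control on the strength of its precedence bits alone; that is the property to keep in mind when deciding which ports carry a filter with a precedence term.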

Results

Display the results of the configuration:


user@switch# show firewall
family ethernet-switching {
    filter voip_class {
        term voip {
            from {
                source-address {
                    192.168.1.1/32;
                    192.168.1.2/32;
                }
                protocol udp;
                source-port 2698;
            }
            then {
                forwarding-class voice;
                loss-priority low;
            }
        }
        term network_control {
            from {
                precedence [ net-control internet-control ];
            }
            then {
                forwarding-class network-control;
                loss-priority low;
            }
        }
        term best_effort_traffic {
            then {
                forwarding-class best-effort;
                loss-priority low;
            }
        }
    }
    filter video_class {
        term video {
            from {
                source-address {
                    192.168.1.14/32;
                }
                protocol udp;
                source-port 2979;
            }
            then {
                forwarding-class video;
                loss-priority low;
            }
        }
        term network_control {
            from {
                precedence [ net-control internet-control ];
            }
            then {
                forwarding-class network-control;
                loss-priority low;
            }
        }
        term best_effort_traffic {
            then {
                forwarding-class best-effort;
                loss-priority low;
            }
        }
    }
    filter app_class {
        term app {
            from {
                source-address {
                    192.168.1.23/32;
                }
                protocol tcp;
                source-port [ 1494 2512 2513 2598 2897 ];
            }
            then {
                forwarding-class app;
                loss-priority low;
            }
        }
        term mail {
            from {
                source-address {
                    192.168.1.24/32;
                }
                protocol tcp;
                source-port [ 25 143 389 691 993 3268 3269 ];
            }
            then {
                forwarding-class mail;
                loss-priority low;
            }
        }
        term db {
            from {
                source-address {
                    192.168.1.25/32;
                }
                protocol tcp;
                source-port [ 1521 1525 1527 1571 1810 2481 ];
            }
            then {
                forwarding-class db;
                loss-priority low;
            }
        }
        term erp {
            from {
                source-address {
                    192.168.1.26/32;
                }
                protocol tcp;
                source-port [ 3200 3300 3301 3600 ];
            }
            then {
                forwarding-class erp;
                loss-priority low;
            }
        }
        term network_control {
            from {
                precedence [ net-control internet-control ];
            }
            then {
                forwarding-class network-control;
                loss-priority low;
            }
        }
        term best_effort_traffic {
            then {
                forwarding-class best-effort;
                loss-priority low;
            }
        }
    }
}
user@switch# show class-of-service
forwarding-classes {
    class app queue-num 5;
    class mail queue-num 1;
    class db queue-num 2;
    class erp queue-num 3;
    class video queue-num 4;
    class best-effort queue-num 0;
    class voice queue-num 6;
    class network-control queue-num 7;
}
schedulers {
    voice-sched {
        buffer-size percent 10;
        priority strict-high;
        transmit-rate percent 10;
    }
    video-sched {
        buffer-size percent 15;
        priority low;
        transmit-rate percent 15;
    }
    app-sched {
        buffer-size percent 10;
        priority low;
        transmit-rate percent 10;
    }
    mail-sched {
        buffer-size percent 5;
        priority low;
        transmit-rate percent 5;
    }
    db-sched {
        buffer-size percent 10;
        priority low;
        transmit-rate percent 10;
    }
    erp-sched {
        buffer-size percent 10;
        priority low;
        transmit-rate percent 10;
    }
    nc-sched {
        buffer-size percent 5;
        priority strict-high;
        transmit-rate percent 5;
    }
    be-sched {
        buffer-size percent 35;
        priority low;
        transmit-rate percent 35;
    }
}
scheduler-maps {
    ethernet-cos-map {
        forwarding-class voice scheduler voice-sched;
        forwarding-class video scheduler video-sched;
        forwarding-class app scheduler app-sched;
        forwarding-class mail scheduler mail-sched;
        forwarding-class db scheduler db-sched;
        forwarding-class erp scheduler erp-sched;
        forwarding-class network-control scheduler nc-sched;
        forwarding-class best-effort scheduler be-sched;
    }
}
interfaces {
    ge-0/0/20 {
        scheduler-map ethernet-cos-map;
    }
}
user@switch# show interfaces
ge-0/0/0 {
    description phone1voip-ingress-port;
    unit 0 {
        family ethernet-switching {
            filter {
                input voip_class;
            }
        }
    }
}
ge-0/0/1 {
    description phone2voip-ingress-port;
    unit 0 {
        family ethernet-switching {
            filter {
                input voip_class;
            }
        }
    }
}
ge-0/0/2 {
    description video-ingress-port;
    unit 0 {
        family ethernet-switching {
            filter {
                input video_class;
            }
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family ethernet-switching {
            filter {
                input app_class;
            }
        }
    }
}
ge-0/0/4 {
    unit 0 {
        family ethernet-switching {
            filter {
                input app_class;
            }
        }
    }
}
ge-0/0/5 {
    unit 0 {
        family ethernet-switching {
            filter {
                input app_class;
            }
        }
    }
}
ge-0/0/6 {
    unit 0 {
        family ethernet-switching {
            filter {
                input app_class;
            }
        }
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues on page 1387
Verifying That the Forwarding Classes Have Been Assigned to Schedulers on page 1388
Verifying That the Scheduler Map Has Been Applied to the Interface on page 1389

Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues

Purpose
Verify that the forwarding classes app, db, erp, mail, video, and voice have been defined and mapped to queues.

Action
user@switch> show class-of-service forwarding-class
Forwarding class                 ID   Queue
  app                             0       5
  db                              1       2
  erp                             2       3
  best-effort                     3       0
  mail                            4       1
  voice                           5       6
  video                           6       4
  network-control                 7       7

Meaning
This output shows that the forwarding classes have been defined and mapped to the appropriate queues.

Verifying That the Forwarding Classes Have Been Assigned to Schedulers

Purpose
Verify that the forwarding classes have been assigned to schedulers.

Action
user@switch> show class-of-service scheduler-map
Scheduler map: ethernet-cos-map, Index: 2

  Scheduler: voice-sched, Forwarding class: voice, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: Strict-high
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: video-sched, Forwarding class: video, Index: 22
    Transmit rate: 15 percent, Rate Limit: none, Buffer size: 15 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: app-sched, Forwarding class: app, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: mail-sched, Forwarding class: mail, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: db-sched, Forwarding class: db, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: erp-sched, Forwarding class: erp, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: be-sched, Forwarding class: best-effort, Index: 20
    Transmit rate: 35 percent, Rate Limit: none, Buffer size: 35 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: nc-sched, Forwarding class: network-control, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: Strict-high
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

Meaning
This output shows that the forwarding classes have been assigned to schedulers, with the transmit rate, buffer size, and priority configured for each scheduler. Note that both strict-high schedulers (voice-sched and nc-sched) show Rate Limit: none.
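Reading eight scheduler blocks by eye is error-prone, so a practitioner usually compares the output with the intended configuration mechanically. The following Python script is an added example, not code from the guide or from JUNOS: it parses output in the format shown above (the sample text is constructed in that format and trimmed to the lines the parser reads; the Index values are made up), checks every forwarding class against the intended rate, buffer and priority, checks that the transmit rates fit in 100 percent, and flags strict-high schedulers that have no rate limit, because a strict-high queue is always served first and can starve the low-priority queues if the traffic classified into it grows.

```python
"""Parse 'show class-of-service scheduler-map' output and audit it against intent.

Added example, not part of the original guide. SAMPLE_OUTPUT is constructed in
the format the guide shows, trimmed to the lines the parser reads.
"""
import re

SAMPLE_OUTPUT = """\
Scheduler map: ethernet-cos-map, Index: 2
  Scheduler: voice-sched, Forwarding class: voice, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: Strict-high
  Scheduler: video-sched, Forwarding class: video, Index: 23
    Transmit rate: 15 percent, Rate Limit: none, Buffer size: 15 percent,
    Priority: low
  Scheduler: app-sched, Forwarding class: app, Index: 24
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
  Scheduler: mail-sched, Forwarding class: mail, Index: 25
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: low
  Scheduler: db-sched, Forwarding class: db, Index: 26
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
  Scheduler: erp-sched, Forwarding class: erp, Index: 27
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
  Scheduler: be-sched, Forwarding class: best-effort, Index: 20
    Transmit rate: 35 percent, Rate Limit: none, Buffer size: 35 percent,
    Priority: low
  Scheduler: nc-sched, Forwarding class: network-control, Index: 28
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: Strict-high
"""

SCHED_RE = re.compile(r"Scheduler: (\S+), Forwarding class: (\S+),")
RATE_RE = re.compile(r"Transmit rate: (\d+) percent, Rate Limit: (\S+), Buffer size: (\d+) percent")
PRIO_RE = re.compile(r"Priority: (\S+)")

# Intended settings from the configuration: forwarding class -> (rate %, buffer %, priority)
INTENT = {
    "voice": (10, 10, "strict-high"), "video": (15, 15, "low"), "app": (10, 10, "low"),
    "mail": (5, 5, "low"), "db": (10, 10, "low"), "erp": (10, 10, "low"),
    "network-control": (5, 5, "strict-high"), "best-effort": (35, 35, "low"),
}


def parse_scheduler_map(text):
    """Return one dict per 'Scheduler:' block in the command output."""
    schedulers, current = [], None
    for line in text.splitlines():
        if m := SCHED_RE.search(line):
            current = {"scheduler": m[1], "forwarding_class": m[2]}
            schedulers.append(current)
        elif (m := RATE_RE.search(line)) and current is not None:
            current.update(transmit_rate=int(m[1]), rate_limit=m[2], buffer_size=int(m[3]))
        elif (m := PRIO_RE.search(line)) and current is not None:
            current["priority"] = m[1].lower()
    return schedulers


def audit(schedulers, intent):
    """Return findings: missing schedulers, values that differ from intent,
    strict-high schedulers without a rate limit, and over-committed transmit rates."""
    findings = []
    by_class = {s["forwarding_class"]: s for s in schedulers}
    for fc, want in intent.items():
        s = by_class.get(fc)
        if s is None:
            findings.append(f"{fc}: no scheduler assigned")
            continue
        got = (s["transmit_rate"], s["buffer_size"], s["priority"])
        if got != want:
            findings.append(f"{s['scheduler']}: got {got}, intended {want}")
        if s["priority"] == "strict-high" and s["rate_limit"] == "none":
            findings.append(f"{s['scheduler']}: strict-high with no rate limit")
    total = sum(s["transmit_rate"] for s in schedulers)
    if total > 100:
        findings.append(f"transmit rates sum to {total} percent")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_scheduler_map(SAMPLE_OUTPUT), INTENT):
        print(finding)
```

Run against the sample, the audit reports only the two strict-high schedulers without a rate limit; change any number in INTENT and the corresponding mismatch is reported as well.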

Verifying That the Scheduler Map Has Been Applied to the Interface

Purpose
Verify that the scheduler map has been applied to the interface.

Action
user@switch> show class-of-service interface
...
Physical interface: ge-0/0/20, Index: 149
Queues supported: 8, Queues in use: 8
  Scheduler map: ethernet-cos-map, Index: 43366
  Input scheduler map: <default>, Index: 3
...

Meaning
This output shows that the scheduler map (ethernet-cos-map) has been applied to the interface (ge-0/0/20).

Related Topics

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394

Defining CoS Classifiers (CLI Procedure) on page 1394

Defining CoS Forwarding Classes (CLI Procedure) on page 1398

Defining CoS Schedulers (CLI Procedure) on page 1400

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1403

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407

Configuring Firewall Filters (CLI Procedure) on page 1301


Chapter 71

Configuring CoS

Configuring CoS (J-Web Procedure) on page 1391

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394

Defining CoS Classifiers (CLI Procedure) on page 1394

Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Forwarding Classes (CLI Procedure) on page 1398

Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Defining CoS Schedulers (CLI Procedure) on page 1400

Defining CoS Schedulers (J-Web Procedure) on page 1401

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1403

Defining CoS Rewrite Rules (CLI Procedure) on page 1404

Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Configuring JUNOS EZQoS for CoS (CLI Procedure) on page 1409

Configuring CoS (J-Web Procedure)

The Class of Service Configuration pages allow you to configure the JUNOS CoS components. You can configure forwarding classes for transmitting packets, define which packets are placed into each output queue, and schedule the transmission service level for each queue. After defining the CoS components, you must assign classifiers to the required physical and logical interfaces.

Using the Class of Service Configuration pages, you can configure various CoS components individually or in combination to define particular CoS services.

To configure CoS components:

1. In the J-Web interface, select Configure > Class of Service.

2. On the Class of Service Configuration page, select one of the following options depending on the CoS component that you want to define. Enter information into the pages as described in the respective table:

To define or edit CoS value aliases, select CoS Value Aliases.

To define or edit forwarding classes and assign queues, select Forwarding Classes.

To define or edit classifiers, select Classifiers.

To define or edit rewrite rules, select Rewrite Rules.

To define or edit schedulers, select Schedulers.

To define or edit virtual channel groups, select Interface Associations.

3. Click Apply after completing configuration on any Configuration page.

Related Topics

Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Defining CoS Schedulers (J-Web Procedure) on page 1401

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Defining CoS Code-Point Aliases (J-Web Procedure)


To define CoS value aliases, select Configure > Class of Service > CoS Value Aliases in the J-Web interface. Table 180 on page 1392 describes the related fields. By defining aliases you can assign meaningful names to a particular set of bit values and refer to them when configuring CoS components.

Table 180: CoS Value Aliases Configuration Pages Summary

CoS Value Alias Summary

Field: DSCP
Function: Allows you to define aliases for DiffServ code point (DSCP) IPv4 values. You can refer to these aliases when you configure classes and define classifiers.
Your Action: Click DSCP.

Field: IPv4 Precedence
Function: Allows you to define aliases for IPv4 precedence values. Precedence values are modified in the IPv4 type-of-service (TOS) field and mapped to values that correspond to levels of service.
Your Action: Click IPv4 Precedence.

Field: Alias Name
Function: Displays names given to CoS values, for example, af11 or be.
Your Action: None.

Field: Default Value
Function: Displays the default values mapped to standard aliases. For example, ef (expedited forwarding) is a standard alias for DSCP bits 101110. You cannot delete default values; the check box next to these values is unavailable.
Your Action: None.

Field: Configured Value
Function: Displays the CoS values that you have assigned to specific aliases. You can delete a configured alias.
Your Action: None.

Field: Add
Function: Opens a page that allows you to define CoS value aliases.
Your Action: Click Add.

Field: Delete
Function: Allows you to delete a configured CoS value alias. You cannot delete a default alias.
Your Action: Select the check box next to the CoS value alias and click Delete.

Add a CoS Value Alias

Field: CoS Value Alias
Function: Assigns a name to a CoS value. A CoS value can be of different types: DSCP or IP precedence.
Your Action: To define an alias for a CoS value, type a name, for example, my1.

Field: CoS Value Alias Bits
Function: Specifies the CoS value for which an alias is defined. Changing this value alters the behavior of all classifiers that refer to this alias.
Your Action: To specify a CoS value, type it in the appropriate format. For DSCP CoS values, use the format xxxxxx, where x is 1 or 0, for example, 101110. For IP precedence CoS values, use the format xxx, where x is 1 or 0, for example, 111.

Related Topics

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394

Monitoring CoS Value Aliases on page 1417

Example: Configuring CoS on EX Series Switches on page 1373


Defining CoS Code-Point Aliases (CLI Procedure)


You can use code-point aliases to streamline the process of configuring CoS features
on your EX Series switch. A code-point alias assigns a name to a pattern of code-point
bits. You can use this name instead of the bit pattern when you configure other CoS
components such as classifiers, drop-profile maps, and rewrite rules.
You can configure code-point aliases for the following CoS marker types:

DSCP: Handles incoming IPv4 packets.

IEEE 802.1p: Handles Layer 2 CoS.

Inet precedence: Handles incoming IPv4 packets. IP precedence mapping requires only the higher-order three bits of the DSCP field.

To configure a code-point alias for a specified CoS marker type (dscp), assign an alias (my1) to the code point (110001):

[edit class-of-service code-point-aliases]
user@switch# set dscp my1 110001

Related Topics

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Value Aliases on page 1417

Understanding CoS Code-Point Aliases on page 1356

Defining CoS Classifiers (CLI Procedure)


Packet classification associates incoming packets with a particular CoS servicing
level. Classifiers associate packets with a forwarding class and loss priority and assign
packets to output queues based on the associated forwarding class. JUNOS Software
supports two general types of classifiers:

Behavior aggregate or CoS value traffic classifiersExamines the CoS value in


the packet header. The value in this single field determines the CoS settings
applied to the packet. BA classifiers allow you to set the forwarding class and
loss priority of a packet based on the Differentiated Services code point (DSCP)
value, IP precedence value, orIEEE 802.1p value.

Multifield traffic classifiersExamines multiple fields in the packet such as source


and destination addresses and source and destination port numbers of the packet.
With multifield classifiers, you set the forwarding class and loss priority of a
packet based on firewall filter rules.

The following example describes how to configure a BA classifier ba-classifier as the


default DSCP map and apply it to either a specific Gigabit Ethernet interface or to all
the Gigabit Ethernet interfaces on the switch. The BA classifier assigns loss priorities,
as shown in Table 181 on page 1395, to incoming packets in the four forwarding classes.

1394

Defining CoS Code-Point Aliases (CLI Procedure)

Chapter 71: Configuring CoS

You can use the same procedure to set multifield classifiers (except that you would
use firewall filter rules).
Table 181: BA-classifier Loss Priority Assignments
Forwarding Class

For CoS Traffic Type

ba-classifier Assignment

be

Best-effort traffic

High-priority code point: 000001

ef

Expedited-forwarding traffic

High-priority code point: 101110

af

Assured-forwarding traffic

High-priority code point: 001100

nc

Network-control traffic

High-priority code point: 110001

To configure a DSCP BA classifier named ba-classifier as the default DSCP map:

1. Associate code point 000001 with forwarding class be and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier import default forwarding-class be loss-priority high code-points 000001

2. Associate code point 101110 with forwarding class ef and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class ef loss-priority high code-points 101110

3. Associate code point 001100 with forwarding class af and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class af loss-priority high code-points 001100

4. Associate code point 110001 with forwarding class nc and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class nc loss-priority high code-points 110001

5. Apply the classifier to a specific interface or to all Gigabit Ethernet interfaces on
the switch.

To apply the classifier to a specific interface:
[edit class-of-service interfaces]
user@switch# set ge-0/0/0 unit 0 classifiers dscp ba-classifier

To apply the classifier to all Gigabit Ethernet interfaces on the switch, use
wildcards for the interface name and the logical-interface (unit) number:
[edit class-of-service interfaces]
user@switch# set ge-* unit * classifiers dscp ba-classifier
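As an added illustration that is not part of the guide, the following Python parses the four set statements above into the same DSCP-to-class mapping and applies it to constructed IPv4 headers; the ipv4_header helper, the caller-supplied default class and the omission of the built-in table that import default pulls in are all assumptions made here.

```python
import re
from typing import Dict, Tuple

# Constructed input: the four statements entered under
# [edit class-of-service classifiers] in the procedure above.
BA_CLASSIFIER_CONFIG = """
set dscp ba-classifier import default forwarding-class be loss-priority high code-points 000001
set dscp ba-classifier forwarding-class ef loss-priority high code-points 101110
set dscp ba-classifier forwarding-class af loss-priority high code-points 001100
set dscp ba-classifier forwarding-class nc loss-priority high code-points 110001
"""

# One JUNOS statement of the form:
# set dscp <name> [import default] forwarding-class <fc> loss-priority <plp> code-points <6 bits>
SET_RE = re.compile(
    r"^set dscp (?P<name>\S+)(?: import default)? forwarding-class (?P<fc>\S+)"
    r" loss-priority (?P<plp>low|high) code-points (?P<cp>[01]{6})$"
)

Mapping = Dict[int, Tuple[str, str]]


def parse_dscp_classifier(config: str, name: str) -> Mapping:
    """Build {dscp_value: (forwarding_class, loss_priority)} for classifier `name`.

    Assumption: `import default` seeds the classifier with the switch's built-in
    default DSCP map; that built-in table is not reproduced here, so only the
    explicitly configured code points appear in the result.
    """
    table: Mapping = {}
    for line in config.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised statement: {line!r}")
        if m["name"] != name:
            continue
        table[int(m["cp"], 2)] = (m["fc"], m["plp"])
    return table


def dscp_of(ipv4_header: bytes) -> int:
    """DSCP is the upper six bits of the DS (former TOS) byte; the low two bits are ECN."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1] >> 2


def classify(table: Mapping, ipv4_header: bytes,
             default: Tuple[str, str] = ("be", "low")) -> Tuple[str, str]:
    """Return (forwarding_class, loss_priority); unmapped code points get `default`.

    `default` models the behaviour that an unclassified packet lands in the class
    associated with queue 0 (best-effort); the exact default is an assumption here.
    """
    return table.get(dscp_of(ipv4_header), default)


def ipv4_header(dscp: int, ecn: int = 0) -> bytes:
    """Constructed minimal 20-byte IPv4 header carrying `dscp` and `ecn` in its DS byte."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("dscp must be 0-63 and ecn 0-3")
    ds = (dscp << 2) | ecn
    # version 4 / IHL 5, DS byte, total length 20, remaining fields zeroed
    return bytes([0x45, ds, 0x00, 0x14]) + bytes(16)


if __name__ == "__main__":
    table = parse_dscp_classifier(BA_CLASSIFIER_CONFIG, "ba-classifier")
    for dscp in (0b101110, 0b110001, 0b000000):
        fc, plp = classify(table, ipv4_header(dscp))
        print(f"DSCP {dscp:06b} -> forwarding-class {fc}, loss-priority {plp}")
```

Because a BA classifier trusts whatever DSCP the sender wrote, running headers through the table like this shows at a glance which marks arriving on an untrusted port would be placed in the nc class.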

Related Topics

Defining CoS Classifiers (J-Web Procedure) on page 1396

Example: Configuring CoS on EX Series Switches on page 1373

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407

Monitoring CoS Classifiers on page 1411

Understanding CoS Classifiers on page 1359

Defining CoS Classifiers (J-Web Procedure)

Classifiers examine the CoS value or alias of an incoming packet and assign the
packet a level of service by setting its forwarding class and loss priority. To define
classifiers, select Configure > Class of Service > Classifiers in the J-Web interface.
Table 182 on page 1396 describes the related fields.
Table 182: Classifiers Configuration Page Summary

DSCP
  Function: Defines classifiers for DSCP code point values.
  Your Action: Click DSCP.

IPv4 Precedence
  Function: Defines classifiers for IPv4 precedence values.
  Your Action: Click IPv4 Precedence.

Classifier Summary

  Classifier Name
    Function: Displays the names of classifiers. Allows you to edit a specific
    classifier.
    Your Action: To edit a classifier, click its name.

  Incoming Code Point (Alias)
    Function: Displays CoS values and aliases to which forwarding class and loss
    priority are mapped.
    Your Action: None.

  Classify to Forwarding Class
    Function: Displays forwarding classes that are assigned to specific CoS values
    and aliases of a classifier.
    Your Action: None.

  Classify to Loss Priority
    Function: Displays loss priorities that are assigned to specific CoS values and
    aliases of a classifier.
    Your Action: None.

  Add
    Function: Opens a page that allows you to define classifiers.
    Your Action: To add a classifier, click Add.

  Delete
    Function: Deletes a specified classifier.
    Your Action: To delete a classifier, locate the classifier, select the check
    box next to it, and click Delete.

Add a Classifier/Edit Classifier

  Classifier Name
    Function: Specifies the name for a classifier.
    Your Action: To name a classifier, type the name, for example, ba-classifier.

  Classifier Code Point Mapping
    Function: Sets the forwarding classes and the packet loss priorities (PLPs)
    for specific CoS values and aliases.
    Your Action: None.

  Incoming Code Point
    Function: Specifies the CoS value in bits and the alias of a classifier for
    incoming packets.
    Your Action: To specify a CoS value and alias, either select preconfigured
    ones from the list or type new ones. For information about forwarding classes
    and aliases assigned to well-known DSCPs, see the JUNOS Class of Service
    Configuration Guide.

  Forwarding Class
    Function: Assigns the forwarding class to the specified CoS value and alias.
    Your Action: To assign a forwarding class, select either one of the following
    default forwarding classes or one that you have configured:
      expedited-forwarding: Provides low loss, low delay, low jitter, assured
      bandwidth, and end-to-end service. Packets can be forwarded out of sequence
      or dropped.
      best-effort: Provides no special CoS handling of packets. Typically, the RED
      drop profile is aggressive and no loss priority is defined.
      assured-forwarding: Provides high assurance for packets within the specified
      service profile. Excess packets are dropped.
      network-control: Packets can be delayed but not dropped.

  Loss Priority
    Function: Assigns a loss priority to the specified CoS value and alias.
    Your Action: To assign a loss priority, select one:
      high: Packet has a high loss priority.
      low: Packet has a low loss priority.

  Add
    Function: Assigns a forwarding class and loss priority to the specified CoS
    value and alias. A classifier examines the incoming packet's header for the
    specified CoS value and alias and assigns it the forwarding class and loss
    priority that you have defined.
    Your Action: To assign a forwarding class and loss priority to a specific CoS
    value and alias, click Add.

  Delete
    Function: Removes the forwarding class and loss priority assignment from the
    classifier.
    Your Action: To remove the forwarding class and loss priority assignment,
    select it and click Delete.

Related Topics

Defining CoS Classifiers (CLI Procedure) on page 1394

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Classifiers on page 1411

Understanding CoS Classifiers on page 1359


Defining CoS Forwarding Classes (CLI Procedure)

Forwarding classes allow you to group packets for transmission. Based on forwarding
classes, you assign packets to output queues.
By default, four categories of forwarding classes are defined: best effort, assured
forwarding, expedited forwarding, and network control. EX Series switches support
up to 16 forwarding classes.
You can configure forwarding classes in one of the following ways:

Using the class statement: You can configure up to 16 forwarding classes, and you
can map multiple forwarding classes to a single queue.

Using the queue statement: You can configure up to 8 forwarding classes, and you
can map one forwarding class to one queue.

This example uses the class statement to configure forwarding classes.

To configure CoS forwarding classes, map the forwarding classes to queues (the
keyword is queue-num; the hyphen was lost in the original rendering):
[edit class-of-service forwarding-classes]
user@switch# set class be queue-num 0
user@switch# set class ef queue-num 1
user@switch# set class af queue-num 2
user@switch# set class nc queue-num 3
user@switch# set class ef1 queue-num 4
user@switch# set class ef2 queue-num 5
user@switch# set class af1 queue-num 6
user@switch# set class nc1 queue-num 7

Related Topics

Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Example: Configuring CoS on EX Series Switches on page 1373

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407

Monitoring CoS Forwarding Classes on page 1412

Understanding CoS Forwarding Classes on page 1361

Defining CoS Forwarding Classes (J-Web Procedure)

To define forwarding classes, select Configure > Class of Service > Forwarding Classes
in the J-Web interface. Table 183 on page 1398 describes the related fields. By assigning
a forwarding class to a queue number, you affect the scheduling and marking of a
packet as it transits an EX Series switch.
Table 183: Forwarding Classes Configuration Pages Summary

Forwarding Class Summary

  Queue #
    Function: Displays internal queue numbers to which forwarding classes are
    assigned. By default, if a packet is not classified, it is assigned to the
    class associated with queue 0. You can assign more than one forwarding class
    to a queue number. Allows you to edit an assigned forwarding class.
    Your Action: To edit an assigned forwarding class, click the queue number to
    which the class is assigned.

  Forwarding Class Name
    Function: Displays the forwarding class names assigned to specific internal
    queue numbers. By default, four forwarding classes are assigned to queue
    numbers 0 (best-effort), 1 (assured-forwarding), 5 (expedited-forwarding),
    and 7 (network-control).
    Your Action: None.

  Add
    Function: Opens a page that allows you to assign forwarding classes to
    internal queue numbers.
    Your Action: To add a forwarding class, click Add.

Add a Forwarding Class/Edit Forwarding Class Queue #

  Queue #
    Function: Specifies the internal queue number to which a forwarding class is
    assigned.
    Your Action: To specify an internal queue number, type an integer from 0
    through 7, as supported by your platform.

  Forwarding Class Name
    Function: Specifies the forwarding class name assigned to the internal queue
    number.
    Your Action: To assign a forwarding class name to a queue, type the name, for
    example, be-class.

Related Topics

Defining CoS Forwarding Classes (CLI Procedure) on page 1398

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Forwarding Classes on page 1412

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Understanding CoS Forwarding Classes on page 1361


Defining CoS Schedulers (CLI Procedure)

You use schedulers to define the CoS properties of output queues. These properties
include the amount of interface bandwidth assigned to the queue, the size of the
memory buffer allocated for storing packets, the priority of the queue, and the tail
drop profiles associated with the queue.
You associate the schedulers with forwarding classes by means of scheduler maps.
You can then associate each scheduler map with an interface, thereby configuring
the queues and packet schedulers that operate according to this mapping.
You can associate up to four user-defined scheduler maps with the interfaces.
To configure CoS schedulers using the CLI:

1. Create a scheduler (be-sched) with low priority:
[edit class-of-service schedulers]
user@switch# set be-sched priority low

2. Configure a scheduler map (be-map) that associates the scheduler (be-sched) with
the forwarding class (best-effort):
[edit class-of-service scheduler-maps]
user@switch# set be-map forwarding-class best-effort scheduler be-sched

3. Assign the scheduler map (be-map) to a Gigabit Ethernet interface (ge-0/0/1):
[edit class-of-service interfaces]
user@switch# set ge-0/0/1 scheduler-map be-map

4. Alternatively, to assign the scheduler map (be-map) to all the Gigabit Ethernet
interfaces, use a wildcard (ge-*):
[edit class-of-service interfaces]
user@switch# set ge-* scheduler-map be-map

Related Topics

Defining CoS Schedulers (J-Web Procedure) on page 1401

Example: Configuring CoS on EX Series Switches on page 1373

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407

Monitoring CoS Scheduler Maps on page 1415

Understanding CoS Schedulers on page 1364


Defining CoS Schedulers (J-Web Procedure)

Using schedulers, you can assign attributes to queues and thereby provide congestion
control for a particular class of traffic. These attributes include the amount of interface
bandwidth, memory buffer size, transmit rate, and schedule priority.
To configure schedulers using the Configuration pages:

1. Create a scheduler and specify attributes for it. For a description of
scheduler-related fields, see Table 184 on page 1401.

2. Associate the scheduler with a forwarding class. Because the forwarding class is
assigned to a queue number, the queue inherits this scheduler's attributes. For
a description of scheduler map-related fields, see Table 185 on page 1403.

Table 184: Schedulers Configuration Page Summary

Scheduler Summary

  Scheduler Name
    Function: Displays the names of defined schedulers. Allows you to edit a
    specific scheduler.
    Your Action: To edit a scheduler, click its name.

  Scheduler Information
    Function: Displays a summary of defined settings for a scheduler, such as
    bandwidth, delay buffer size, and transmit rates.
    Your Action: None.

  Add
    Function: Opens a page that allows you to add a scheduler.
    Your Action: Click Add.

  Delete
    Function: Removes a scheduler.
    Your Action: Click Delete.

Add a Scheduler/Edit Scheduler

  Scheduler Name
    Function: Specifies the name for a scheduler.
    Your Action: To name a scheduler, type the name, for example, be-scheduler.

  Buffer Size
    Function: Defines the size of the delay buffer. By default, queues 0 through 7
    have the following percentage of the total available buffer space:
      Queue 0: 95 percent
      Queue 1: 0 percent
      Queue 2: 0 percent
      Queue 3: 0 percent
      Queue 4: 0 percent
      Queue 5: 0 percent
      Queue 6: 0 percent
      Queue 7: 5 percent
    Your Action: To define a delay buffer size for a scheduler, select the
    appropriate option:
      To specify no buffer size, select Unconfigured.
      To specify buffer size as a percentage of the total buffer, select Percent
      and type an integer from 1 through 100.
      To specify buffer size as the remaining available buffer, select Remainder.
    NOTE: A large buffer size value correlates with a greater possibility of
    packet delays. This might not be practical for sensitive traffic such as
    voice or video.

  Scheduling Priority
    Function: Sets the transmission priority of the scheduler, which determines
    the order in which an output interface transmits traffic from the queues.
    You can set scheduling priority at different levels in an order of increasing
    priority from low to high. A high-priority queue with a high transmission
    rate might lock out lower-priority traffic.
    Your Action: To specify a priority, select one:
      low: Packets in this queue are transmitted last.
      strict-high: Packets in this queue are transmitted first.

  Transmit Rate
    Function: Defines the transmission rate of a scheduler. The transmit rate
    determines the traffic bandwidth from each forwarding class you configure.
    By default, queues 0 through 7 have the following percentage of transmission
    capacity:
      Queue 0: 95 percent
      Queue 1: 0 percent
      Queue 2: 0 percent
      Queue 3: 5 percent
      Queue 4: 0 percent
      Queue 6: 0 percent
      Queue 7: 5 percent
    Your Action: To define a transmit rate, select the appropriate option:
      To not specify a transmit rate, select Unconfigured.
      To specify the remaining transmission capacity, select Remainder Available.
      To specify a percentage of transmission capacity, select Percent and type
      an integer from 1 through 100.
      To enforce the exact transmission rate or percentage you configured, select
      the Exact Transmit Rate check box.

Table 185: Scheduler Maps Configuration Page Summary

Scheduler Maps Summary

  Scheduler Map Name
    Function: Displays the names of defined scheduler maps. Scheduler maps link
    schedulers to forwarding classes. Allows you to edit a scheduler map.
    Your Action: To edit a scheduler map, click its name.

  Scheduler Map Information
    Function: For each map, displays the schedulers and the forwarding classes
    that they are assigned to.
    Your Action: None.

  Add
    Function: Opens a page that allows you to add a scheduler map.
    Your Action: Click Add.

  Delete
    Function: Removes a scheduler map.
    Your Action: Select it and click Delete.

Add a Scheduler Map/Edit Scheduler Map

  Scheduler Map Name
    Function: Specifies the name for a scheduler map.
    Your Action: To name a map, type the name, for example, be-scheduler-map.

  Scheduler Mapping
    Function: Allows you to associate a preconfigured scheduler with a forwarding
    class. After scheduler maps have been applied to an interface, they affect
    the hardware queues and packet schedulers.
    Your Action: To associate a scheduler with a forwarding class, locate the
    forwarding class and select the scheduler in the box next to it.

Related Topics

Defining CoS Schedulers (CLI Procedure) on page 1400

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Scheduler Maps on page 1415

Configuring CoS Tail Drop Profiles (CLI Procedure)

Tail drop is a simple and effective traffic congestion avoidance mechanism. When
you apply this mechanism to manage congestion, packets are dropped when the
output queue is full.
To configure CoS tail-drop profiles, create a drop profile name (be-dp) and assign a
fill level (25):
[edit class-of-service drop-profiles]
user@switch# set be-dp fill-level 25

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Understanding CoS Tail Drop Profiles on page 1364


Defining CoS Rewrite Rules (CLI Procedure)

You configure rewrite rules to alter CoS values in outgoing packets on the outbound
interfaces of an EX Series switch to match the policies of a targeted peer. Policy
matching allows the downstream routing platform or switch in a neighboring network
to classify each packet into the appropriate service group.
To configure a CoS rewrite rule, create the rule by giving it a name and associating
it with a forwarding class, loss priority, and a code point, thus creating a rewrite
table. After the rewrite rule is created, enable it on an interface. You can also apply
an existing rewrite rule on an interface.

NOTE: To replace an existing rewrite rule on the interface with a new rewrite rule
of the same type, first explicitly remove the rewrite rule and then apply the new rule.

NOTE: Custom rewrite-rule bindings are implemented through filters, and custom
rewrite rules cannot be bound to routed VLAN interfaces (RVIs).
To create rewrite rules and enable them on interfaces:

1. To create an 802.1p rewrite rule named customup-rw in the rewrite table for all
Layer 2 interfaces:
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority low code-point 000
user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority high code-point 001
user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority low code-point 010
user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority high code-point 011
user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority low code-point 100
user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority high code-point 101
user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority low code-point 110
user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority high code-point 111

2. To enable an 802.1p rewrite rule named customup-rw on a Layer 2 interface:
[edit]
user@switch# set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules ieee-802.1 customup-rw

3. To enable an 802.1p rewrite rule named customup-rw on all Gigabit Ethernet
interfaces on the switch, use wildcards for the interface name and logical-interface
(unit) number (the rewrite-rule type ieee-802.1 must precede the rule name, as in
step 2):
[edit]
user@switch# set class-of-service interfaces ge-* unit * rewrite-rules ieee-802.1 customup-rw
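An edge host can put any PCP it likes in its own 802.1Q tags, and the egress rewrite rule is what keeps that mark from travelling upstream. As an added model that is not part of the guide, the following Python encodes the customup-rw table above and applies it to a constructed tagged frame; the frame builder and the rewrite_pcp function are assumptions that stand in for the switch's own rewrite step.

```python
from typing import Dict, Tuple

# Constructed: the eight `set ieee-802.1 customup-rw ...` statements above,
# expressed as (forwarding_class, loss_priority) -> 3-bit 802.1p code point.
CUSTOMUP_RW: Dict[Tuple[str, str], int] = {
    ("be", "low"): 0b000, ("be", "high"): 0b001,
    ("af", "low"): 0b010, ("af", "high"): 0b011,
    ("ef", "low"): 0b100, ("ef", "high"): 0b101,
    ("nc", "low"): 0b110, ("nc", "high"): 0b111,
}

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag at offset 12


def tci_of(frame: bytes) -> int:
    """Return the 16-bit Tag Control Information (PCP:3, DEI:1, VID:12) of a tagged frame."""
    if len(frame) < 18 or int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return int.from_bytes(frame[14:16], "big")


def pcp_of(frame: bytes) -> int:
    return tci_of(frame) >> 13


def dei_of(frame: bytes) -> int:
    return (tci_of(frame) >> 12) & 1


def vid_of(frame: bytes) -> int:
    return tci_of(frame) & 0x0FFF


def rewrite_pcp(frame: bytes, forwarding_class: str, loss_priority: str,
                table: Dict[Tuple[str, str], int] = CUSTOMUP_RW) -> bytes:
    """Apply the rewrite table to an egress frame: replace the PCP bits, keep DEI and VID.

    Hypothetical model of the rewrite an interface bound to the rule performs;
    the (forwarding_class, loss_priority) pair is the result of ingress classification.
    """
    code_point = table[(forwarding_class, loss_priority)]
    tci = (code_point << 13) | (tci_of(frame) & 0x1FFF)  # 0x1FFF keeps DEI and VID
    return frame[:14] + tci.to_bytes(2, "big") + frame[16:]


def tagged_frame(pcp: int, dei: int, vid: int, payload: bytes = bytes(46)) -> bytes:
    """Constructed 802.1Q frame: zeroed MAC addresses, TPID, TCI, IPv4 EtherType, payload."""
    if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= vid < 4096):
        raise ValueError("pcp must be 0-7, dei 0 or 1, vid 0-4095")
    tci = (pcp << 13) | (dei << 12) | vid
    return (bytes(12) + TPID_8021Q.to_bytes(2, "big")
            + tci.to_bytes(2, "big") + b"\x08\x00" + payload)


if __name__ == "__main__":
    # A host marks its own frames PCP 7 (the network-control code point); once
    # classified as best-effort/high they leave the switch re-marked to 001.
    host_frame = tagged_frame(pcp=7, dei=0, vid=100)
    out = rewrite_pcp(host_frame, "be", "high")
    print(f"PCP {pcp_of(host_frame)} -> {pcp_of(out)}, VID {vid_of(out)} unchanged")
```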

Related Topics

Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Rewrite Rules on page 1414

Understanding CoS Rewrite Rules on page 1368

Defining CoS Rewrite Rules (J-Web Procedure)


To define rewrite rules, select Configure > Class of Service > Rewrite Rules in the
J-Web interface. Table 186 on page 1405 describes the related fields. Use the rewrite
rules to alter the CoS values in outgoing packets to meet the requirements of the
targeted peer. A rewrite rule examines the forwarding class and loss priority of a
packet and sets its bits to a corresponding value specified in the rule.
Table 186: Rewrite Rules Configuration Page Summary

DSCP
  Function: Redefines DSCP code point values of outgoing packets.
  Your Action: Click DSCP.

IPv4 Precedence
  Function: Redefines IPv4 precedence code point values.
  Your Action: Click IPv4 Precedence.

Rewrite Rules Summary

  Rewrite Rule Name
    Function: Displays names of defined rewrite rules. Allows you to edit a
    specific rule.
    Your Action: To edit a rule, click its name.

  Forwarding Class
    Function: Displays forwarding classes associated with a specific rewrite rule.
    Your Action: None.

  Loss Priority
    Function: Displays loss priority values associated with a specific rewrite
    rule.
    Your Action: None.

  Rewrite Outgoing Code Point To
    Function: Displays the CoS values and aliases that a specific rewrite rule has
    set for a specific forwarding class and loss priority.
    Your Action: None.

  Add
    Function: Opens a page that allows you to define a new rewrite rule.
    Your Action: To add a rewrite rule, click Add.

  Delete
    Function: Removes specified rewrite rules.
    Your Action: To remove a rule, select the check box next to it and click
    Delete.

Add a Rewrite Rule/Edit Rewrite Rule

  Rewrite Rule Name
    Function: Specifies a rewrite rule name.
    Your Action: To name a rule, type the name, for example, rewrite-dscps.

  Code Point Mapping
    Function: Rewrites outgoing CoS values of a packet based on the forwarding
    class and loss priority. Allows you to remove a code point mapping entry.
    Your Action: To configure the CoS value assignment, follow these steps:
      1. From the Forwarding Class list, select a class.
      2. Select a priority from the following:
         low: Rewrite rule applies to packets with a low loss priority.
         high: Rewrite rule applies to packets with a high loss priority.
      3. For Rewritten Code Point, either select a predefined CoS value and alias
         or type a new CoS value and alias. For information about predefined CoS
         values and aliases, see the JUNOS Class of Service Configuration Guide.
      4. Click Add.
    To remove a code point mapping entry, select it and click Delete.

Related Topics

Defining CoS Rewrite Rules (CLI Procedure) on page 1404

Understanding CoS Rewrite Rules on page 1368

Monitoring CoS Rewrite Rules on page 1414

Example: Configuring CoS on EX Series Switches on page 1373


Assigning CoS Components to Interfaces (CLI Procedure)

After you have defined the following CoS components, you must assign them to
logical or physical interfaces.

Forwarding classes: Assign only to logical interfaces.

Classifiers: Assign only to logical interfaces.

Scheduler maps: Assign to either physical or logical interfaces.

Rewrite rules: Assign to either physical or logical interfaces.

You can assign a CoS component to a single interface or to multiple interfaces using
wildcards.
To assign CoS components to interfaces:

To assign CoS components to a single interface, associate a CoS component (for
example, a scheduler map named ethernet-cos-map) with an interface:
[edit class-of-service interfaces]
user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map

To assign a CoS component to multiple interfaces (for example, a rewrite rule named
customup-rw to all Gigabit Ethernet interfaces on the switch), use wildcard characters
for the interface name and logical-interface (unit) number:
[edit class-of-service interfaces]
user@switch# set ge-* unit * rewrite-rules ieee-802.1 customup-rw

Related Topics

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring Interfaces That Have CoS Components on page 1413

Understanding JUNOS CoS Components for EX Series Switches on page 1353

Assigning CoS Components to Interfaces (J-Web Procedure)

After you have defined CoS components, you must assign them to logical or physical
interfaces. The CoS Configuration pages allow you to assign scheduler maps to
physical or logical interfaces and to assign forwarding classes or classifiers to logical
interfaces.
To assign CoS components to interfaces:

1. In the J-Web interface, select Configure>Class of Service>Interface Association.

2. Enter information into these pages, as described in Table 187 on page 1408.

3. Click one:
   Click OK to apply changes to the configuration.
   Click Cancel to cancel without saving changes.

Table 187: Assigning CoS Components to Interfaces

Add CoS Service to a Physical Interface/Edit CoS Physical Interface

  Physical Interface Name
    Function: Specifies the name of a physical interface. Allows you to assign
    CoS components to a set of interfaces at the same time.
    Your Action: To specify an interface for CoS assignment, type its name in the
    Physical Interface Name box. To specify a set of interfaces for CoS
    assignment, use the wildcard character (*), for example, ge-0/*/0.

  Scheduler Map
    Function: Specifies a predefined scheduler map for the physical interface. A
    scheduler map enables the physical interface to have more than one set of
    output queues.
    Your Action: To specify a map for an interface, select it from the Scheduler
    Map list.

  Add
    Function: Allows you to add a CoS service to a logical interface on a
    specified physical interface.
    Your Action: To add a CoS service to a logical interface, click Add.

Add CoS Service to a Logical Interface Unit/Edit CoS Logical Interface Unit

  Logical Interface Unit Name
    Function: Specifies the name of a logical interface. Allows you to assign CoS
    components to a logical interface configured on a physical interface at the
    same time.
    Your Action: To specify an interface for CoS assignment, type the interface
    name in the Logical Interface Unit Name box. To assign CoS services to all
    logical interfaces configured on this physical interface, type the wildcard
    character (*).

  Forwarding Class
    Function: Assigns a predefined forwarding class to incoming packets on a
    logical interface.
    Your Action: To assign a forwarding class to the interface, select the
    forwarding class.

  Classifiers
    Function: Allows you to apply classification maps to a logical interface.
    Classifiers assign a forwarding class and loss priority to an incoming packet
    based on its CoS value.
    Your Action: To assign a classification map to the interface, select an
    appropriate classifier for each CoS value type used on the interface.

  Rewrite Rules
    Function: Allows you to alter the CoS values in outgoing packets to meet the
    requirements of the targeted peer. A rewrite rule examines the forwarding
    class and loss priority of a packet and sets its bits to a corresponding
    value specified in the rule.
    Your Action: To assign rewrite rules to the interface, select the appropriate
    rewrite rule for each CoS value type used on the interface.

Related Topics

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring Interfaces That Have CoS Components on page 1413


Configuring JUNOS EZQoS for CoS (CLI Procedure)

You use JUNOS EZQoS on EX Series switches to eliminate the complexities involved
in configuring class of service (CoS) across the network. EZQoS offers templates for
key traffic classes.
When you configure EZQoS on EX Series switches, preconfigured values are assigned
to all CoS parameters based on the typical application requirements. These
preconfigured values are stored in a template with a unique name.

NOTE: Currently, we provide an EZQoS template for configuring CoS for VoIP
applications. The EZQoS VoIP template is stored in /etc/config/ezqos-voip.conf.

To configure EZQoS using the CLI:

1. Load the EZQoS configuration file (/etc/config/ezqos-voip.conf):
[edit]
user@switch# load merge /etc/config/ezqos-voip.conf

2. Apply the EZQoS group (ezqos-voip):
[edit]
user@switch# set apply-groups ezqos-voip

3. Apply the DSCP classifier (ezqos-dscp-classifier) to a Gigabit Ethernet interface
(ge-0/0/0):
[edit class-of-service interfaces]
user@switch# set ge-0/0/0 unit 0 classifiers dscp ezqos-dscp-classifier

4. Apply the scheduler map (ezqos-voip-sched-maps) to a Gigabit Ethernet interface
(ge-0/0/1):
[edit class-of-service interfaces]
user@switch# set ge-0/0/1 scheduler-map ezqos-voip-sched-maps

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Understanding JUNOS EZQoS for CoS Configurations on EX Series Switches on page 1370

Chapter 72

Verifying CoS

Monitoring CoS Classifiers on page 1411

Monitoring CoS Forwarding Classes on page 1412

Monitoring Interfaces That Have CoS Components on page 1413

Monitoring CoS Rewrite Rules on page 1414

Monitoring CoS Scheduler Maps on page 1415

Monitoring CoS Value Aliases on page 1417

Monitoring CoS Classifiers

Purpose
Use the monitoring functionality to display the mapping of incoming CoS values to
forwarding class and loss priority for each classifier.

Action
To monitor CoS classifiers in the J-Web interface, select Monitor>Class of
Service>Classifiers.
To monitor CoS classifiers in the CLI, enter the following CLI command:
show class-of-service classifier

Meaning
Table 188 on page 1411 summarizes key output fields for CoS classifiers.

Table 188: Summary of Key CoS Classifier Output Fields

Classifier Name
  Values: Name of a classifier.
  Additional Information: To display classifier assignments, click the plus
  sign (+).

CoS Value Type
  Values: The classifiers are displayed by type:
    dscp: All classifiers of the DSCP type.
    ieee-802.1: All classifiers of the IEEE 802.1 type.
    inet-precedence: All classifiers of the IP precedence type.

Index
  Values: Internal index of the classifier.

Incoming CoS Value
  Values: CoS value of the incoming packets, in bits. These values are used for
  classification.

Assign to Forwarding Class
  Values: Forwarding class that the classifier assigns to an incoming packet.
  This class affects the forwarding and scheduling policies that are applied to
  the packet as it transits the switch.

Assign to Loss Priority
  Values: Loss priority value that the classifier assigns to the incoming packet
  based on its CoS value.

Related Topics

Defining CoS Classifiers (CLI Procedure) on page 1394

Defining CoS Classifiers (J-Web Procedure) on page 1396

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Forwarding Classes

Purpose
Use the monitoring functionality to view the current assignment of CoS forwarding
classes to queue numbers on the system.

Action
To monitor CoS forwarding classes in the J-Web interface, select Monitor>Class of
Service>Forwarding Classes.
To monitor CoS forwarding classes in the CLI, enter the following CLI command:
show class-of-service forwarding-class

Meaning
Table 189 on page 1413 summarizes key output fields for CoS forwarding classes.

Table 189: Summary of Key CoS Forwarding Class Output Fields

Forwarding Class
  Values: Names of forwarding classes assigned to queue numbers. By default, the
  following forwarding classes are assigned to queues 0, 1, 5, or 7:
    best-effort: Provides no special CoS handling of packets. Loss priority is
    typically not carried in a CoS value.
    expedited-forwarding: Provides low loss, low delay, low jitter, assured
    bandwidth, and end-to-end service.
    assured-forwarding: Provides high assurance for packets within the specified
    service profile. Excess packets are dropped.
    network-control: Packets can be delayed but not dropped.

Queue
  Values: Queue number corresponding to the forwarding class name.
  Additional Information: By default, four queues, 0, 1, 5, or 7, are assigned
  to forwarding classes.

Related Topics

Defining CoS Forwarding Classes (CLI Procedure) on page 1398

Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring Interfaces That Have CoS Components

Purpose
Use the monitoring functionality to display details about the physical and logical
interfaces and the CoS components assigned to them.

Action
To monitor interfaces that have CoS components in the J-Web interface, select
Monitor>Class of Service>Interface Association.
To monitor interfaces that have CoS components in the CLI, enter the following
command:
show class-of-service interface interface-name

Meaning
Table 190 on page 1413 summarizes key output fields for CoS interfaces.

Table 190: Summary of Key CoS Interfaces Output Fields


Field

Values

Additional Information

Interface

Name of a physical interface to which CoS


components are assigned.

To display names of logical interfaces


configured on this physical interface, click
the plus sign (+).

Monitoring Interfaces That Have CoS Components

1413

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 190: Summary of Key CoS Interfaces Output Fields (continued)

Field: Scheduler Map
Values: Name of the scheduler map associated with this interface.

Field: Queues Supported
Values: Number of queues you can configure on the interface.

Field: Queues in Use
Values: Number of queues currently configured.

Field: Logical Interface
Values: Name of a logical interface on the physical interface to which CoS components are assigned.

Field: Object
Values: Category of an object, for example, classifier, scheduler-map, or rewrite.

Field: Name
Values: Name that you have given to an object, for example, ba-classifier.

Field: Type
Values: Type of an object, for example, dscp for a classifier.

Field: Index
Values: Index of this interface or the internal index of a specific object.

Related Topics

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Rewrite Rules

Purpose

Use the monitoring functionality to display information about CoS value rewrite rules, which are based on the forwarding class and loss priority.

Action

To monitor CoS rewrite rules in the J-Web interface, select Monitor>Class of Service>Rewrite Rules.

To monitor CoS rewrite rules in the CLI, enter the following command:

show class-of-service rewrite-rules

Meaning

Table 191 on page 1414 summarizes key output fields for CoS rewrite rules.

Table 191: Summary of Key CoS Rewrite Rules Output Fields

Field: Rewrite Rule Name
Values: Names of rewrite rules.

Field: CoS Value Type
Values: Rewrite rule type:
    dscp: For IPv4 DiffServ traffic.
    ieee-802.1: For Layer 2 traffic.
    inet-precedence: For IPv4 traffic.
Additional Information: To display forwarding classes, loss priorities, and rewritten CoS values, click the plus sign (+).

Field: Index
Values: Internal index for this particular rewrite rule.

Field: Forwarding Class
Values: Forwarding class that is used to determine CoS values for rewriting in combination with loss priority.

Field: Loss Priority
Values: Loss priority that is used to determine CoS values for rewriting in combination with forwarding class.

Field: Rewrite CoS Value To
Values: Value that the CoS value is rewritten to.
Additional Information: Rewrite rules are applied to CoS values in outgoing packets based on forwarding class and loss priority setting.

Related Topics

Defining CoS Rewrite Rules (CLI Procedure) on page 1404

Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Scheduler Maps

Purpose

Use the monitoring functionality to display assignments of CoS forwarding classes to schedulers.

Action

To monitor CoS scheduler maps in the J-Web interface, select Monitor>Class of Service>Scheduler Maps.

To monitor CoS scheduler maps in the CLI, enter the following CLI command:

show class-of-service scheduler-map

Meaning

Table 192 on page 1415 summarizes key output fields for CoS scheduler maps.

Table 192: Summary of Key CoS Scheduler Maps Output Fields

Field: Scheduler Map
Values: Name of a scheduler map.
Additional Information: For details, click the plus sign (+).

Field: Index
Values: Index of a specific object: scheduler maps, schedulers, or drop profiles.

Field: Scheduler Name
Values: Name of a scheduler.

Field: Forwarding Class
Values: Forwarding classes this scheduler is assigned to.

Field: Transmit Rate
Values: Configured transmit rate of the scheduler in bits per second (bps). The rate value can be either of the following:
    A percentage: The scheduler receives the specified percentage of the total interface bandwidth.
    remainder: The scheduler receives the remaining bandwidth of the interface after bandwidth allocation to other schedulers.

Field: Buffer Size
Values: Delay buffer size in the queue or the amount of transmit delay (in milliseconds). The buffer size can be either of the following:
    A percentage: The buffer is a percentage of the total buffer allocation.
    remainder: The buffer is sized according to what remains after other scheduler buffer allocations.

Field: Priority
Values: Scheduling priority of a queue:
    strict-high: Packets in this queue are transmitted first.
    low: Packets in this queue are transmitted last.

Field: Drop Profiles
Values: Name and index of a drop profile that is assigned to a specific loss priority and protocol pair.

Field: Loss Priority
Values: Packet loss priority corresponding to a drop profile.

Field: Protocol
Values: Transport protocol corresponding to a drop profile.

Field: Drop Profile Name
Values: Name of the drop profile.

Field: Index
Values: Index of a specific object: scheduler maps, schedulers, or drop profiles.

Related Topics

Defining CoS Schedulers (CLI Procedure) on page 1400

Defining CoS Schedulers (J-Web Procedure) on page 1401

Example: Configuring CoS on EX Series Switches on page 1373

Monitoring CoS Value Aliases

Purpose

Use the monitoring functionality to display information about the CoS value aliases that the system is currently using to represent DSCP, IEEE 802.1p, and IPv4 precedence bits.

Action

To monitor CoS value aliases in the J-Web interface, select Monitor>Class of Service>CoS Value Aliases.

To monitor CoS value aliases in the CLI, enter the following command:

show class-of-service code-point-aliases

Meaning

Table 193 on page 1417 summarizes key output fields for CoS value aliases.

Table 193: Summary of Key CoS Value Alias Output Fields

Field: CoS Value Type
Values: Type of the CoS value:
    dscp: Examines Layer 3 packet headers for IP packet classification.
    ieee-802.1: Examines Layer 2 packet headers for packet classification.
    inet-precedence: Examines Layer 3 packet headers for IP packet classification.
Additional Information: To display aliases and bit patterns, click the plus sign (+).

Field: CoS Value Alias
Values: Name given to a set of bits, for example, af11 is a name for 001010 bits.

Field: CoS Value
Values: Set of bits associated with an alias.

Related Topics

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Example: Configuring CoS on EX Series Switches on page 1373

Chapter 73

Configuration Statements for CoS

[edit class-of-service] Configuration Statement Hierarchy on page 1419

[edit class-of-service] Configuration Statement Hierarchy

class-of-service {
    classifiers {
        (dscp | ieee-802.1 | inet-precedence) classifier-name {
            import (classifier-name | default);
            forwarding-class class-name {
                loss-priority loss-priority {
                    code-points [ aliases ] [ 6-bit-patterns ];
                }
            }
        }
    }
    code-point-aliases {
        (dscp | ieee-802.1 | inet-precedence) {
            alias-name bits;
        }
    }
    forwarding-classes {
        class class-name queue-num queue-number;
    }
    interfaces {
        interface-name {
            scheduler-map map-name;
            unit logical-unit-number {
                forwarding-class class-name;
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
                }
            }
        }
    }
    multi-destination {
        family {
            ethernet {
                broadcast forwarding-class-name;
            }
            inet {
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) classifier-name;
                }
            }
        }
        scheduler-map map-name;
    }
    rewrite-rules {
        (dscp | ieee-802.1 | inet-precedence) rewrite-name {
            import (rewrite-name | default);
            forwarding-class class-name {
                loss-priority loss-priority code-point (alias | bits);
            }
        }
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder);
            drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
            priority priority;
            shaping-rate (rate | percent percentage);
            transmit-rate (rate | percent percentage | remainder);
        }
    }
}
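The following configuration instantiates the hierarchy above end to end: aliases, two classifiers, the four default forwarding classes, schedulers, a scheduler map, a rewrite rule, and the interface bindings. It is an added example, not the guide's own (the guide's worked example is on page 1373); the classifier, scheduler, map and alias names, the interface numbers and every percentage are assumptions. The bit patterns 101110, 110000 and 111000 are the standard DSCP values for EF and the two network-control code points, written as bits so that the example depends on no alias other than the one it defines.

```junos
class-of-service {
    code-point-aliases {
        dscp {
            /* Constructed alias for the standard EF bit pattern. */
            voice 101110;
        }
    }
    classifiers {
        /* Access ports: start from the default DSCP mapping, then demote the
         * code points that would place host traffic in the expedited-forwarding
         * or network-control queues, so a host cannot promote its own traffic. */
        dscp edge-untrusted {
            import default;
            forwarding-class best-effort {
                loss-priority high {
                    code-points [ 101110 110000 111000 ];
                }
            }
        }
        /* Uplink: markings arrive from trusted devices and are honored. */
        dscp core-trusted {
            import default;
            forwarding-class expedited-forwarding {
                loss-priority low {
                    code-points [ voice ];
                }
            }
        }
    }
    /* Same class names and queue numbers as the defaults in Table 189. */
    forwarding-classes {
        class best-effort queue-num 0;
        class assured-forwarding queue-num 1;
        class expedited-forwarding queue-num 5;
        class network-control queue-num 7;
    }
    schedulers {
        be-sched {
            transmit-rate remainder;
            buffer-size remainder;
            priority low;
        }
        af-sched {
            transmit-rate percent 30;
            buffer-size percent 30;
            priority low;
        }
        /* strict-high is served first; shaping-rate caps the queue so a burst
         * of EF-marked traffic cannot starve the other queues. */
        ef-sched {
            transmit-rate percent 20;
            shaping-rate percent 20;
            buffer-size percent 15;
            priority strict-high;
        }
        nc-sched {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority low;
        }
    }
    scheduler-maps {
        uplink-map {
            forwarding-class best-effort scheduler be-sched;
            forwarding-class assured-forwarding scheduler af-sched;
            forwarding-class expedited-forwarding scheduler ef-sched;
            forwarding-class network-control scheduler nc-sched;
        }
    }
    rewrite-rules {
        /* Re-marks EF/low traffic on egress. Binding a rewrite rule to an
         * interface is described on page 1407, not in the hierarchy above. */
        dscp uplink-rewrite {
            import default;
            forwarding-class expedited-forwarding {
                loss-priority low code-point voice;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                classifiers {
                    dscp edge-untrusted;
                }
            }
        }
        ge-0/0/47 {
            scheduler-map uplink-map;
            unit 0 {
                classifiers {
                    dscp core-trusted;
                }
            }
        }
    }
}
```

The trust boundary sits in the two classifiers: the same DSCP value is honored on the uplink and demoted on the access port, so the queues reserved for voice and network control are reachable only through interfaces the operator trusts. After committing, the monitoring commands listed in Chapter 72 (show class-of-service interface ge-0/0/0, show class-of-service scheduler-map) confirm which classifier and map each interface actually carries.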
Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Forwarding Classes (CLI Procedure) on page 1398 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1403

Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Understanding CoS Classifiers on page 1359

broadcast

Syntax

broadcast forwarding-class-name;

Hierarchy Level

[edit class-of-service multi-destination family ethernet]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Specify the forwarding class for the broadcast traffic belonging to the Ethernet family.

Options

forwarding-class-name: Name of the forwarding class:

mcast-af: Default forwarding class for assured forwarding of multicast traffic.

mcast-be: Default best-effort forwarding class for multicast traffic.

mcast-ef: Default forwarding class for expedited forwarding of multicast traffic.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Understanding CoS Schedulers on page 1364

Understanding CoS Forwarding Classes on page 1361

Understanding CoS Classifiers on page 1359

buffer-size

Syntax

buffer-size (percent percentage | remainder);

Hierarchy Level

[edit class-of-service schedulers scheduler-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Specify buffer size.

Default

If you do not include this statement, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.

Options

percent percentage: Buffer size as a percentage of total buffer.

remainder: Remaining buffer available.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401

Understanding CoS Schedulers on page 1364

class

Syntax

class class-name queue-num queue-number;

Hierarchy Level

[edit class-of-service forwarding-classes]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure up to 16 forwarding classes with multiple forwarding classes mapped to single queues. If you want to configure up to eight forwarding classes with one-to-one mapping to output queues, use the queue statement instead of the class statement at the [edit class-of-service forwarding-classes] hierarchy level.

Options

class-name: Name of the forwarding class.

queue-num queue-number: Output queue number.
Range: 0 through 15.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Forwarding Classes (CLI Procedure) on page 1398 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Understanding CoS Forwarding Classes on page 1361

class-of-service

Syntax

class-of-service {
    classifiers {
        (dscp | ieee-802.1 | inet-precedence) classifier-name {
            import (classifier-name | default);
            forwarding-class class-name {
                loss-priority level {
                    code-points [ aliases ] [ 6-bit-patterns ];
                }
            }
        }
    }
    code-point-aliases {
        (dscp | ieee-802.1 | inet-precedence) {
            alias-name bits;
        }
    }
    forwarding-classes {
        class class-name queue-num queue-number;
    }
    interfaces {
        interface-name {
            scheduler-map map-name;
            unit logical-unit-number {
                forwarding-class class-name;
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
                }
            }
        }
    }
    multi-destination {
        family {
            ethernet {
                broadcast forwarding-class-name;
            }
            inet {
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) classifier-name;
                }
            }
        }
        scheduler-map map-name;
    }
    rewrite-rules {
        (dscp | ieee-802.1 | inet-precedence) rewrite-name {
            import (rewrite-name | default);
            forwarding-class class-name {
                loss-priority priority code-point (alias | bits);
            }
        }
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder);
            drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
            priority priority;
            shaping-rate (rate | percent percentage);
            transmit-rate (rate | percent percentage | remainder);
        }
    }
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Option multi-destination introduced in JUNOS Release 9.5 for EX Series switches.

Description

Configure class-of-service parameters on EX Series switches.

The remaining statements are explained separately.

Default

If you do not configure any CoS features, the default CoS settings are used.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Forwarding Classes (CLI Procedure) on page 1398 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1403

Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Understanding CoS Classifiers on page 1359

classifiers

Syntax

classifiers {
    (dscp | ieee-802.1 | inet-precedence) classifier-name {
        import (classifier-name | default);
        forwarding-class class-name {
            loss-priority level {
                code-points [ aliases ] [ 6-bit-patterns ];
            }
        }
    }
}

Hierarchy Level

[edit class-of-service],
[edit class-of-service interfaces interface-name unit logical-unit-number]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Apply a CoS aggregate behavior classifier to a logical interface. You can apply a default classifier or one that has been previously defined.

The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Understanding CoS Classifiers on page 1359

code-point-aliases

Syntax

code-point-aliases {
    (dscp | ieee-802.1 | inet-precedence) {
        alias-name bits;
    }
}

Hierarchy Level

[edit class-of-service]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Define an alias for a CoS marker.

The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Understanding CoS Code-Point Aliases on page 1356

code-points

Syntax

code-points [ aliases ] [ 6-bit-patterns ];

Hierarchy Level

[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) forwarding-class class-name loss-priority level]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Specify one or more DSCP code-point aliases or bit sets for association with a forwarding class.

Options

aliases: Name of the DSCP alias.

6-bit-patterns: Value of the code-point bits, in decimal form.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Understanding CoS Classifiers on page 1359

drop-profile-map

Syntax

drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;

Hierarchy Level

[edit class-of-service schedulers scheduler-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Define the loss priority value for the specified drop profile.

Options

drop-profile profile-name: Name of the drop profile.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401

Understanding CoS Schedulers on page 1364

dscp

Syntax

dscp classifier-name {
    import (classifier-name | default);
    forwarding-class class-name {
        loss-priority level {
            code-points [ aliases ] [ 6-bit-patterns ];
        }
    }
}

Hierarchy Level

[edit class-of-service classifiers],
[edit class-of-service code-point-aliases],
[edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
[edit class-of-service rewrite-rules]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Define the Differentiated Services code point (DSCP) mapping that is applied to the packets.

Options

classifier-name: Name of the classifier.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Assigning CoS Components to Interfaces (CLI Procedure) on page 1407 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Understanding CoS Classifiers on page 1359

ethernet

Syntax

ethernet {
    broadcast forwarding-class-name;
}

Hierarchy Level

[edit class-of-service multi-destination family]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Specify the Ethernet broadcast traffic family.

The remaining statement is explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Understanding CoS Schedulers on page 1364

Understanding CoS Forwarding Classes on page 1361

Understanding CoS Classifiers on page 1359

family

Syntax

family {
    ethernet {
        broadcast forwarding-class-name;
    }
    inet {
        classifiers {
            (dscp | ieee-802.1 | inet-precedence) classifier-name;
        }
    }
}

Hierarchy Level

[edit class-of-service multi-destination]

Release Information

Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description

Specify the multidestination traffic family.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Understanding CoS Schedulers on page 1364

Understanding CoS Forwarding Classes on page 1361

Understanding CoS Classifiers on page 1359

forwarding-class

Syntax

forwarding-class class-name {
    loss-priority level {
        code-points [ aliases ] [ 6-bit-patterns ];
    }
}

Hierarchy Level

[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],
[edit class-of-service interfaces interface-name unit logical-unit-number],
[edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name],
[edit class-of-service scheduler-maps map-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Define forwarding class name and option values.

Options

class-name: Name of the forwarding class.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Forwarding Classes (CLI Procedure) on page 1398 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Understanding CoS Forwarding Classes on page 1361

ieee-802.1

Syntax

ieee-802.1 classifier-name {
    import (classifier-name | default);
    forwarding-class class-name {
        loss-priority level {
            code-points [ aliases ] [ 6-bit-patterns ];
        }
    }
}

Hierarchy Level

[edit class-of-service classifiers],
[edit class-of-service code-point-aliases],
[edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
[edit class-of-service rewrite-rules]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Apply an IEEE-802.1 rewrite rule.

Options

classifier-name: Name of the classifier.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Understanding CoS Classifiers on page 1359

Understanding CoS Rewrite Rules on page 1368

import

Syntax

import (classifier-name | default);

Hierarchy Level

[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],
[edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Specify a default or previously defined classifier.

Options

classifier-name: Name of the classifier mapping configured at the [edit class-of-service classifiers] hierarchy level.

default: Default classifier mapping.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Understanding CoS Classifiers on page 1359

Understanding CoS Rewrite Rules on page 1368

inet

Syntax

inet {
    classifiers {
        (dscp | ieee-802.1 | inet-precedence) classifier-name;
    }
}

Hierarchy Level

[edit class-of-service multi-destination family]

Release Information

Option inet introduced in JUNOS Release 9.5 for EX Series switches.

Description

Specify the IP multicast family.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Understanding CoS Schedulers on page 1364

Understanding CoS Forwarding Classes on page 1361

Understanding CoS Classifiers on page 1359

inet-precedence

Syntax

inet-precedence classifier-name {
    import (classifier-name | default);
    forwarding-class class-name {
        loss-priority level {
            code-points [ aliases ] [ 6-bit-patterns ];
        }
    }
}

Hierarchy Level

[edit class-of-service classifiers],
[edit class-of-service code-point-aliases],
[edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
[edit class-of-service rewrite-rules]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Apply an IPv4 precedence rewrite rule.

Options

classifier-name: Name of the classifier.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Code-Point Aliases (CLI Procedure) on page 1394 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1392

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Understanding CoS Classifiers on page 1359

Understanding CoS Rewrite Rules on page 1368

interfaces

Syntax

interfaces {
    interface-name {
        scheduler-map map-name;
        unit logical-unit-number {
            forwarding-class class-name;
            classifiers {
                (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
            }
        }
    }
}

Hierarchy Level

[edit class-of-service]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure interface-specific CoS properties for incoming packets.

Options

interface-name: Name of the interface.

The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Forwarding Classes (CLI Procedure) on page 1398 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1398

Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401

EX Series Switches Interfaces Overview on page 339

loss-priority

Syntax

loss-priority level {
    code-points [ aliases ] [ 6-bit-patterns ];
}

Hierarchy Level

[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name forwarding-class class-name],
[edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name forwarding-class class-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Specify packet loss priority value for a specific set of code-point aliases and bit patterns.

Options

level: Can be one of the following:

high: Packet has high loss priority.

low: Packet has low loss priority.

The remaining statement is explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX Series Switches on page 1373

Defining CoS Classifiers (CLI Procedure) on page 1394 or Defining CoS Classifiers (J-Web Procedure) on page 1396

Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405

Understanding CoS Classifiers on page 1359

Understanding CoS Rewrite Rules on page 1368

multi-destination

Syntax
    multi-destination {
        family {
            ethernet {
                broadcast forwarding-class-name;
            }
            inet {
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) classifier-name;
                }
            }
        }
        scheduler-map map-name;
    }

Hierarchy Level
    [edit class-of-service]

Release Information
    Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
    Define the CoS configuration for multidestination traffic.
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Understanding CoS Schedulers on page 1364
    Understanding CoS Forwarding Classes on page 1361
    Understanding CoS Classifiers on page 1359


priority

Syntax
    priority priority;

Hierarchy Level
    [edit class-of-service schedulers scheduler-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Specify the packet-scheduling priority value.

Options
    priority: Can be one of the following:
        low: Scheduler has low priority.
        strict-high: Scheduler has strictly high priority.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401
    Understanding CoS Schedulers on page 1364

protocol

Syntax
    protocol protocol drop-profile profile-name;

Hierarchy Level
    [edit class-of-service schedulers scheduler-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Specify the protocol type for the specified drop profile.

Options
    drop-profile profile-name: Name of the drop profile.
    protocol: Type of protocol. It can be:
        any: Accept any protocol type.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1403
    Understanding CoS Tail Drop Profiles on page 1364


rewrite-rules

Syntax
    rewrite-rules {
        (dscp | ieee-802.1 | inet-precedence) rewrite-name {
            import (rewrite-name | default);
            forwarding-class class-name {
                loss-priority level code-point (alias | bits);
            }
        }
    }

Hierarchy Level
    [edit class-of-service]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Specify a rewrite-rules mapping for the traffic that passes through all queues on the interface.
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Defining CoS Rewrite Rules (CLI Procedure) on page 1404 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1405
    Understanding CoS Rewrite Rules on page 1368


scheduler-map

Syntax
    scheduler-map map-name;

Hierarchy Level
    [edit class-of-service interfaces],
    [edit class-of-service multi-destination]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Associate a scheduler map name with an interface or with a multidestination traffic configuration.

Options
    map-name: Name of the scheduler map.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Assigning CoS Components to Interfaces (CLI Procedure) on page 1407 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407
    Understanding CoS Schedulers on page 1364
    Understanding CoS Classifiers on page 1359


scheduler-maps

Syntax
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }

Hierarchy Level
    [edit class-of-service]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Specify a scheduler map name and associate it with the scheduler configuration and forwarding class.

Options
    map-name: Name of the scheduler map.
    The remaining statement is explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Defining CoS Forwarding Classes (CLI Procedure) on page 1398 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1398
    Understanding CoS Schedulers on page 1364
    Understanding CoS Forwarding Classes on page 1361


schedulers

Syntax
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder);
            drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
            priority priority;
            shaping-rate (rate | percent percentage);
            transmit-rate (rate | percent percentage | remainder);
        }
    }

Hierarchy Level
    [edit class-of-service]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Specify the scheduler name and parameter values.

Options
    scheduler-name: Name of the scheduler.
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401
    Understanding CoS Schedulers on page 1364


shaping-rate

Syntax
    shaping-rate (percent percentage | rate);

Hierarchy Level
    [edit class-of-service schedulers scheduler-name]

Release Information
    Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
    Configure a shaping rate to throttle the rate at which queues transmit packets.
    We recommend that you configure the shaping rate as an absolute maximum usage and not as additional usage beyond the configured transmit rate.

Default
    If you do not include this statement, the default shaping rate is 100 percent, which is the same as no shaping at all.

Options
    percent percentage: Shaping rate as a percentage of the available interface bandwidth.
        Range: 0 through 100 percent
    rate: Peak rate, in bits per second (bps). You can specify a value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000).
        Range: 3200 through 32,000,000,000 bps

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Understanding JUNOS CoS Components for EX Series Switches on page 1353


transmit-rate

Syntax
    transmit-rate (rate | percent percentage | remainder);

Hierarchy Level
    [edit class-of-service schedulers scheduler-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Specify the transmit rate or percentage for a scheduler.

Default
    If you do not include this statement, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.

Options
    rate: Transmission rate, in bps. You can specify a value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000).
        Range: 3200 through 160,000,000,000 bps
    percent percentage: Percentage of transmission capacity. A percentage of zero drops all packets in the queue.
        Range: 0 through 100 percent
    remainder: Remaining rate available.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Defining CoS Schedulers (CLI Procedure) on page 1400 or Defining CoS Schedulers (J-Web Procedure) on page 1401
    Understanding CoS Schedulers on page 1364
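The rate abbreviations, ranges and percentage rules from the transmit-rate and shaping-rate entries, applied to a scheduler set in code. This is an added example, not code from the JUNOS documentation or from Juniper; the dict layout for schedulers, the "percentages total above 100" rule and the SAMPLE map are this example's own assumptions.

```python
"""Check transmit-rate and shaping-rate settings for EX Series CoS schedulers.

Added example; not code from the JUNOS documentation or from Juniper. It
encodes only what the two statement references state: the k/m/g rate
abbreviations, the bps ranges, the 0 through 100 percent range, "percent 0
drops all packets in the queue", the 95/0/0/0/0/0/0/5 default split, and the
advice that shaping-rate is an absolute maximum. The dict layout, the
"percentages total above 100" rule and SAMPLE are this example's own.
"""
import re

SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
TRANSMIT_RANGE = (3_200, 160_000_000_000)             # transmit-rate, bps
SHAPING_RANGE = (3_200, 32_000_000_000)               # shaping-rate, bps
DEFAULT_TRANSMIT_PERCENT = [95, 0, 0, 0, 0, 0, 0, 5]  # queues 0 through 7
_RATE_RE = re.compile(r"^(\d+)([kmg])?$")


def parse_rate_bps(text, lo, hi):
    """Turn '10m' or '3200' into bps and reject values outside lo..hi."""
    m = _RATE_RE.match(str(text).strip().lower())
    if not m:
        raise ValueError(f"malformed rate {text!r}")
    bps = int(m.group(1)) * SUFFIX.get(m.group(2), 1)
    if not lo <= bps <= hi:
        raise ValueError(f"{text!r} is {bps} bps, outside {lo}..{hi}")
    return bps


def rate_in_range(text, lo, hi):
    """True when parse_rate_bps accepts the value."""
    try:
        parse_rate_bps(text, lo, hi)
        return True
    except ValueError:
        return False


def parse_percent(text):
    pct = int(text)
    if not 0 <= pct <= 100:
        raise ValueError(f"percentage {pct} outside 0..100")
    return pct


def _split(setting):
    """Classify a setting as ('absent'|'remainder'|'percent'|'bps', value)."""
    parts = str(setting).split()
    if not parts:
        return "absent", None
    if parts[0] == "remainder":
        return "remainder", None
    if parts[0] == "percent":
        return "percent", parse_percent(parts[1])
    return "bps", parts[0]


def check_schedulers(schedulers):
    """Return findings for {name: {'transmit-rate': ..., 'shaping-rate': ...}}.

    Malformed or out-of-range values raise ValueError; the findings list
    covers settings that are legal but probably not what the operator meant.
    """
    findings, percent_total = [], 0
    for name, cfg in schedulers.items():
        t_kind, t_val = _split(cfg.get("transmit-rate", ""))
        s_kind, s_val = _split(cfg.get("shaping-rate", ""))
        t_bps = parse_rate_bps(t_val, *TRANSMIT_RANGE) if t_kind == "bps" else None
        s_bps = parse_rate_bps(s_val, *SHAPING_RANGE) if s_kind == "bps" else None
        if t_kind == "percent":
            percent_total += t_val
            if t_val == 0:
                findings.append(f"{name}: transmit-rate percent 0 drops all packets in the queue")
        if t_bps is not None and s_bps is not None and s_bps < t_bps:
            findings.append(f"{name}: shaping-rate {s_bps} bps is below transmit-rate "
                            f"{t_bps} bps; shaping-rate is meant to be the absolute maximum")
    if percent_total > 100:
        findings.append(f"transmit-rate percentages total {percent_total}, above 100 percent")
    return findings


# Constructed sample map (not from the page): two deliberate mistakes plus an overcommit.
SAMPLE = {
    "be-sched": {"transmit-rate": "percent 70"},
    "ef-sched": {"transmit-rate": "20m", "shaping-rate": "10m"},
    "af-sched": {"transmit-rate": "percent 0"},
    "nc-sched": {"transmit-rate": "percent 40", "shaping-rate": "percent 50"},
}

if __name__ == "__main__":
    for finding in check_schedulers(SAMPLE):
        print(finding)
```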


unit

Syntax
    unit logical-unit-number {
        forwarding-class class-name;
        classifiers {
            (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
        }
    }

Hierarchy Level
    [edit class-of-service interfaces interface-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Options
    logical-unit-number: Number of the logical unit.
        Range: 0 through 16,385
    The remaining statements are explained separately.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Assigning CoS Components to Interfaces (CLI Procedure) on page 1407 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1407

Chapter 74: Operational Mode Commands for CoS


show class-of-service

Syntax
    show class-of-service

Release Information
    Command introduced in JUNOS Release 9.0 for EX Series switches.

Description
    Display the class of service (CoS) information.

Options
    This command has no options.

Required Privilege Level
    view

Related Topics
    Example: Configuring CoS on EX Series Switches on page 1373
    Monitoring CoS Value Aliases on page 1417
    Monitoring CoS Classifiers on page 1411
    Monitoring CoS Forwarding Classes on page 1412
    Monitoring CoS Scheduler Maps on page 1415
    Monitoring CoS Rewrite Rules on page 1414

List of Sample Output
    show class-of-service on page 1449

Output Fields
    Table 194 on page 1448 lists the output fields for the show class-of-service command. Output fields are listed in the approximate order in which they appear.

Table 194: show class-of-service Output Fields

Field Name           Field Description                                                        Level of Output
Forwarding class     The forwarding class configuration:                                      All levels
                       Forwarding class: Name of the forwarding class.
                       ID: Forwarding class ID.
                       Queue: Queue number.
Code point type      The type of code-point alias:                                            All levels
                       dscp: Aliases for DiffServ code point (DSCP) values.
                       ieee802.1: Aliases for IEEE 802.1p values.
                       inet-precedence: Aliases for IP precedence values.
Alias                Names given to CoS values.                                               All levels
Bit pattern          Set of bits associated with an alias.                                    All levels
Classifier           Name of the classifier.                                                  All levels
Code point           Code-point values.                                                       All levels
Loss priority        Loss priority assigned to specific CoS values and aliases of the         All levels
                     classifier.
Rewrite rule         Name of the rewrite rule.                                                All levels
Drop profile         Name of the drop profile.                                                All levels
Type                 Type of drop profile. EX Series switches support only the discrete       All levels
                     type of drop profile.
Fill level           Percentage of queue buffer fullness of high packets after which high     All levels
                     packets are dropped.
Scheduler            Name of the scheduler.                                                   All levels
Transmit rate        Transmission rate of the scheduler.                                      All levels
Buffer size          Delay buffer size in the queue.                                          All levels
Drop profiles        Drop profiles configured for the specified scheduler.                    All levels
Protocol             Transport protocol corresponding to the drop profile.                    All levels
Name                 Name of the drop profile.                                                All levels
Queues supported     Number of queues that can be configured on the interface.                All levels
Queues in use        Number of queues currently configured.                                   All levels
Physical interface   Name of the physical interface.                                          All levels
Scheduler map        Name of the scheduler map.                                               All levels
Index                Internal index of a specific object.                                     All levels

Sample Output

show class-of-service

user@switch> show class-of-service
Forwarding class                    ID      Queue
  best-effort                        0          0
  expedited-forwarding               1          5
  assured-forwarding                 2          1
  network-control                    3          7

Code point type: dscp
  Alias              Bit pattern
  af11                    001010
  af12                    001100
  ...
  ...

Code point type: ieee-802.1
  Alias              Bit pattern
  af11                       010
  ...
  ...

Code point type: inet-precedence
  Alias              Bit pattern
  af11                       001
  ...
  ...

Classifier: dscp-default, Code point type: dscp, Index: 7
  Code point         Forwarding class                    Loss priority
  000000             best-effort                         low
  000001             best-effort                         low
  ...
  ...
  ...

Classifier: ieee8021p-default, Code point type: ieee-802.1, Index: 11
  Code point         Forwarding class                    Loss priority
  000                best-effort                         low
  001                best-effort                         low
  010                best-effort                         low
  011                best-effort                         low
  100                best-effort                         low
  101                best-effort                         low
  110                network-control                     low
  111                network-control                     low

Classifier: ipprec-default, Code point type: inet-precedence, Index: 12
  Code point         Forwarding class                    Loss priority
  000                best-effort                         low
  001                best-effort                         low
  010                best-effort                         low
  011                best-effort                         low
  100                best-effort                         low
  101                best-effort                         low
  110                network-control                     low
  111                network-control                     low

Classifier: ieee8021p-untrust, Code point type: ieee-802.1, Index: 16
  Code point         Forwarding class                    Loss priority
  000                best-effort                         low
  001                best-effort                         low
  010                best-effort                         low
  011                best-effort                         low
  100                best-effort                         low
  101                best-effort                         low
  110                best-effort                         low
  111                best-effort                         low

Rewrite rule: dscp-default, Code point type: dscp, Index: 27
  Forwarding class                    Loss priority       Code point
  best-effort                         low                 000000
  best-effort                         high                000000
  expedited-forwarding                low                 101110
  expedited-forwarding                high                101110
  assured-forwarding                  low                 001010
  assured-forwarding                  high                001100
  network-control                     low                 110000
  network-control                     high                111000

Rewrite rule: ieee8021p-default, Code point type: ieee-802.1, Index: 30
  Forwarding class                    Loss priority       Code point
  best-effort                         low                 000
  best-effort                         high                001
  expedited-forwarding                low                 100
  expedited-forwarding                high                101
  assured-forwarding                  low                 010
  assured-forwarding                  high                011
  network-control                     low                 110
  network-control                     high                111

Rewrite rule: ipprec-default, Code point type: inet-precedence, Index: 31
  Forwarding class                    Loss priority       Code point
  best-effort                         low                 000
  best-effort                         high                000
  expedited-forwarding                low                 101
  expedited-forwarding                high                101
  assured-forwarding                  low                 001
  assured-forwarding                  high                001
  network-control                     low                 110
  network-control                     high                111

Drop profile: <default-drop-profile>, Type: discrete, Index: 1
  Fill level
         100

Scheduler map: <default>, Index: 2

  Scheduler: <default-be>, Forwarding class: best-effort, Index: 20
    Transmit rate: 95 percent, Rate Limit: none, Buffer size: 95 percent, Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

  Scheduler: <default-nc>, Forwarding class: network-control, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: low
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

Physical interface: ge-0/0/0, Index: 129
  Queues supported: 8, Queues in use: 4
  Scheduler map: <default>, Index: 2

Physical interface: ge-0/0/1, Index: 130
  Queues supported: 8, Queues in use: 4
  Scheduler map: <default>, Index: 2
...
...
...

Fabric priority: low
  Scheduler: <default-fabric>, Index: 23
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>

Fabric priority: high
  Scheduler: <default-fabric>, Index: 23
    Drop profiles:
      Loss priority   Protocol    Index    Name
      High            non-TCP         1    <default-drop-profile>
      High            TCP             1    <default-drop-profile>


show pfe statistics traffic

Syntax
    show pfe statistics traffic

Release Information
    Command introduced in JUNOS Release 9.5 for EX Series switches.

Description
    Display the Packet Forwarding Engine traffic statistics.

Options
    none: Display statistics about all the traffic handled by the Packet Forwarding Engine.

Required Privilege Level
    admin

List of Sample Output
    show pfe statistics traffic on page 1453

Output Fields
    Table 195 on page 1452 lists the output fields for the show pfe statistics traffic command. Output fields are listed in the approximate order in which they appear.
Table 195: show pfe statistics traffic Output Fields

Field Name                    Field Description
Packet Forwarding Engine      Information about Packet Forwarding Engine traffic:
Traffic statistics              Input Packets: Number and rate of input packets.
                                Output Packets: Number and rate of output packets.
Packet Forwarding Engine      Information about Packet Forwarding Engine local traffic:
Local Traffic statistics        Local packets input: Number of local input packets.
                                Local packets output: Number of local output packets.
                                Software input high drops: Number of software input high-priority drops.
                                Software input medium drops: Number of software input medium-priority drops.
                                Software input low drops: Number of software input low-priority drops.
                                Software output drops: Number of software output drops.
                                Hardware input drops: Number of hardware input drops.
Packet Forwarding Engine      Information about the Packet Forwarding Engine Local Protocol:
Local Protocol statistics       HDLC keepalives: Number of HDLC keepalive packets.
                                ATM OAM: Number of Asynchronous Transfer Mode (ATM) Operation, Administration, and Maintenance (OAM) packets.
                                Frame Relay LMI: Number of Frame Relay Local Management Interface (LMI) packets.
                                PPP LCP/NCP: Number of Point-to-Point Protocol (PPP) Link Control Protocol (LCP) or Network Control Protocol (NCP) packets.
                                OSPF hello: Number of Open Shortest Path First (OSPF) hello packets.
                                OSPF3 hello: Number of Open Shortest Path First version 3 (OSPFv3) hello packets.
                                RSVP hello: Number of Reservation Setup Protocol (RSVP) hello packets.
                                LDP hello: Number of Label Distribution Protocol (LDP) hello packets.
                                BFD: Number of Bidirectional Forwarding Detection Protocol (BFD) hello packets.
                                IS-IS IIH: Number of Intermediate System-to-Intermediate System Hello (IIH) packets.
                                LACP: Number of Link Aggregation Control Protocol (LACP) packets.
                                ARP: Number of Address Resolution Protocol (ARP) packets.
                                ETHER OAM: Number of Ethernet Operations, Administration, and Management (OAM) packets.
                                Unknown: Number of unknown packets not matching any of the packet types listed above.
Packet Forwarding Engine      Information about Packet Forwarding Engine hardware discards:
Hardware Discard statistics     Timeout: Number of packets discarded because of timeouts.
                                Truncated key: Number of packets discarded because of truncated keys.
                                Bits to test: Number of bits to test.
                                Data error: Number of packets discarded because of data errors.
                                Stack underflow: Number of packets discarded because of stack underflows.
                                Stack overflow: Number of packets discarded because of stack overflows.
                                Normal discard: Number of packets discarded because of discard routes.
                                Extended discard: Number of packets discarded because of illegal next hops.
                                Invalid interface: Number of packets discarded because of invalid incoming interfaces.
                                Info cell drops: Number of information cell drops.
                                Fabric drops: Number of fabric drops.

Sample Output

show pfe statistics traffic

user@host> show pfe statistics traffic
Packet Forwarding Engine traffic statistics:
    Input  packets:               102682                    5 pps
    Output packets:                58033                    4 pps
Packet Forwarding Engine local traffic statistics:
    Local packets input                :              44628
    Local packets output               :              46146
    Software input control plane drops :                  0
    Software input high drops          :                  0
    Software input medium drops        :                  0
    Software input low drops           :                  0
    Software output drops              :                  0
    Hardware input drops               :                  0
Packet Forwarding Engine local protocol statistics:
    HDLC keepalives            :                  0
    ATM OAM                    :                  0
    Frame Relay LMI            :                  0
    PPP LCP/NCP                :               5597
    OSPF hello                 :               3195
    OSPF3 hello                :                  0
    RSVP hello                 :                  0
    LDP hello                  :               7478
    BFD                        :                  0
    IS-IS IIH                  :                  0
    LACP                       :                  0
    ARP                        :                  0
    ETHER OAM                  :                  0
    Unknown                    :                  8
Packet Forwarding Engine hardware discard statistics:
    Timeout                    :                  0
    Truncated key              :                  0
    Bits to test               :                  0
    Data error                 :                  0
    Stack underflow            :                  0
    Stack overflow             :                  0
    Normal discard             :                  0
    Extended discard           :                  0
    Invalid interface          :                  0
    Info cell drops            :                  0
    Fabric drops               :                  0
Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics:
    Input Checksum             :                  0
    Output MTU                 :                  0
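The counters above are cumulative, so a single reading says little; the useful check is whether any of the drop or discard counters moved between two polls. This is an added example, not code from the JUNOS documentation or from Juniper; the two snapshots are constructed, and the set of labels treated as drops is this example's own reading of Table 195.

```python
"""Parse 'show pfe statistics traffic' output and report discard counters that grew.

Added example; not code from the JUNOS documentation or from Juniper.
It assumes only the line shapes visible in the sample output: section
headings that end in ':' and counter rows of the form 'label : value [rate]'.
The two snapshots are constructed for the example, not captured from a switch.
"""
import re

COUNTER_RE = re.compile(
    r"^\s*(?P<label>[A-Za-z0-9/][A-Za-z0-9/ \-]*?)\s*:\s*(?P<value>\d+)"
    r"(?:\s+(?P<rate>\d+)\s+(?P<unit>[bp]ps))?\s*$"
)

# Labels from the output-field table that record traffic the PFE threw away.
# Growth in any of these between two polls is worth a closer look.
DROP_LABELS = frozenset({
    "Software input control plane drops", "Software input high drops",
    "Software input medium drops", "Software input low drops",
    "Software output drops", "Hardware input drops",
    "Timeout", "Truncated key", "Data error", "Stack underflow",
    "Stack overflow", "Normal discard", "Extended discard",
    "Invalid interface", "Info cell drops", "Fabric drops",
    "Input Checksum", "Output MTU",
})


def parse_pfe_traffic(text):
    """Return {(section, label): value} for every counter row in the output."""
    counters, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("user@"):
            continue                      # prompt line or blank
        if line.endswith(":"):
            section = line[:-1]           # e.g. 'Packet Forwarding Engine local traffic statistics'
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[(section, m.group("label"))] = int(m.group("value"))
    return counters


def grown_drops(before, after):
    """Return [(section, label, increase)] for drop counters that rose between polls."""
    grown = []
    for (section, label), new in after.items():
        old = before.get((section, label), 0)
        if label in DROP_LABELS and new > old:
            grown.append((section, label, new - old))
    return grown


# Constructed snapshots in the page's output format; the values are invented.
SNAPSHOT_1 = """\
user@host> show pfe statistics traffic
Packet Forwarding Engine traffic statistics:
    Input  packets:               102682                    5 pps
    Output packets:                58033                    4 pps
Packet Forwarding Engine local traffic statistics:
    Local packets input                :              44628
    Software input high drops          :                  0
    Hardware input drops               :                  0
Packet Forwarding Engine local protocol statistics:
    LDP hello                  :               7478
Packet Forwarding Engine hardware discard statistics:
    Stack overflow             :                  0
    Invalid interface          :                  0
"""

SNAPSHOT_2 = """\
user@host> show pfe statistics traffic
Packet Forwarding Engine traffic statistics:
    Input  packets:               110000                    5 pps
    Output packets:                61000                    4 pps
Packet Forwarding Engine local traffic statistics:
    Local packets input                :              46000
    Software input high drops          :                  0
    Hardware input drops               :                  0
Packet Forwarding Engine local protocol statistics:
    LDP hello                  :               7500
Packet Forwarding Engine hardware discard statistics:
    Stack overflow             :                 17
    Invalid interface          :                  3
"""

if __name__ == "__main__":
    for section, label, delta in grown_drops(parse_pfe_traffic(SNAPSHOT_1),
                                             parse_pfe_traffic(SNAPSHOT_2)):
        print(f"{section}: {label} +{delta}")
```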


show pfe statistics traffic cpu

Syntax
    show pfe statistics traffic cpu <fpc fpc-slot>

Release Information
    Command introduced in JUNOS Release 9.5 for EX Series switches.

Description
    Display the count of multidestination packets ingressing from the physical interface to the CPU.

    NOTE: Multidestination packets include unknown unicast, broadcast, and multicast packets.

Options
    none: Displays the count of packets ingressing from all the physical interfaces (line cards) to the CPU.
    fpc fpc-slot: (Optional) Displays the count of packets ingressing from the physical interface, referred to by the slot number, to the CPU.
        On an EX8200 switch, the FPC slot number is the slot number for the line card. Possible values are 0 through 7 on the EX8208 switch and 0 through 15 on the EX8216 switch.

Required Privilege Level
    view

Related Topics
    show pfe statistics traffic multicast
    show pfe statistics traffic egress-queues
    show interfaces queue
    Monitoring Interface Status and Traffic on page 395
    Understanding JUNOS CoS Components for EX Series Switches on page 1353

List of Sample Output
    show pfe statistics traffic cpu (EX8208 Switch) on page 1456

Output Fields
    Table 196 on page 1455 lists the output fields for the show pfe statistics traffic cpu command. Output fields are listed in the approximate order in which they appear.

Table 196: show pfe statistics traffic cpu Output Fields

Field Name              Field Description
Queue                   CoS queue number.
Forwarding classes      Forwarding class name.
Queued Packets          Number of packets queued to this queue.
Queued Bytes            Number of bytes queued to this queue.
Packets                 Number of packets transmitted by this queue.
Bytes                   Number of bytes transmitted by this queue.
Tail-dropped packets    Count of packets dropped at the tail end of the queue because of lack of buffer space.
RED-dropped packets     Number of packets dropped because of Random Early Discard (RED):
                          Low: Number of low-loss priority packets dropped because of RED.
                          High: Number of high-loss priority packets dropped because of RED.
RED-dropped bytes       Number of bytes dropped because of Random Early Discard (RED):
                          Low: Number of low-loss priority bytes dropped because of RED.
                          High: Number of high-loss priority bytes dropped because of RED.

Sample Output

show pfe statistics traffic cpu (EX8208 Switch)

user@switch> show pfe statistics traffic cpu
Queue: 0, Forwarding classes: best-effort
  Queued:
    Packets              : Not Available
    Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps
Queue: 1, Forwarding classes: expedited-forwarding
  Queued:
    Packets              : Not Available
    Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps
Queue: 2, Forwarding classes: assured-forwarding
  Queued:
    Packets              : Not Available
    Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              : Not Available
    Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps
Queue: 4
  Packets              : Not Available
  Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps
Queue: 5
  Packets              : Not Available
  Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps
Queue: 6
  Packets              : Not Available
  Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps
Queue: 7
  Packets              : Not Available
  Bytes                : Not Available
  Packets              :                     0                     0 pps
  Bytes                :                     0                     0 bps
  Tail-dropped packets :                     0
  RED-dropped bytes    :                     0                     0 bps
    Low                :                     0                     0 bps
    High               :                     0                     0 bps
  RED-dropped packets  :                     0                     0 pps
    Low                :                     0                     0 pps
    High               :                     0                     0 pps


show pfe statistics traffic egress-queues

Syntax
    show pfe statistics traffic egress-queues <fpc fpc-slot>

Release Information
    Command introduced in JUNOS Release 9.5 for EX Series switches.

Description
    Display the count of multidestination packets dropped on egress ports when the egress queues are oversubscribed due to multidestination traffic.

    NOTE: Multidestination packets include unknown unicast, broadcast, and multicast packets.

Options
    none: Displays the count of packets dropped on egress ports of all physical interfaces (line cards) when egress queues are oversubscribed due to multidestination traffic.
    fpc fpc-slot: (Optional) Displays the count of packets dropped on egress ports of the physical interface (line card) referred to by the slot number.

    NOTE: On an EX8200 switch, the FPC slot number is the slot number for the line card. Possible values are 0 through 7 on the EX8208 switch and 0 through 15 on the EX8216 switch.

Required Privilege Level
    view

Related Topics
    show pfe statistics traffic cpu
    show pfe statistics traffic multicast
    show interfaces queue
    Monitoring Interface Status and Traffic on page 395
    Understanding JUNOS CoS Components for EX Series Switches on page 1353

List of Sample Output
    show pfe statistics traffic egress-queues fpc 4 (EX8208 Switch) on page 1460

Output Fields
    Table 196 on page 1455 lists the output fields for the show pfe statistics traffic egress-queues command. Output fields are listed in the approximate order in which they appear.

Table 197: show pfe statistics traffic egress-queues Output Fields

Field Name              Field Description
Tail-dropped packets    Number of arriving packets dropped because the output queue buffers are full.


Sample Output

show pfe statistics traffic egress-queues fpc 4 (EX8208 Switch)

user@switch> show pfe statistics traffic egress-queues fpc 4
Tail-dropped packets :                     0


show pfe statistics traffic multicast

Syntax
    show pfe statistics traffic multicast <fpc fpc-slot>

Release Information
    Command introduced in JUNOS Release 9.5 for EX Series switches.

Description
    Display class-of-service (CoS) queue information for multidestination traffic on a physical interface (line card).

    NOTE: Multidestination packets include unknown unicast, broadcast, and multicast packets.

    NOTE: To view statistical information for unicast traffic, use the show interfaces queue command.

Options
    fpc fpc-slot: (Optional) Displays class-of-service (CoS) queue information for multidestination traffic on the physical interface (line card) referred to by the slot number.

    NOTE: On an EX8200 switch, the FPC slot number is the slot number for the line card. Possible values are 0 through 7 on the EX8208 switch and 0 through 15 on the EX8216 switch.

Required Privilege Level
    view

Related Topics
    show pfe statistics traffic cpu
    show pfe statistics traffic egress-queues
    show interfaces queue
    Monitoring Interface Status and Traffic on page 395
    Understanding JUNOS CoS Components for EX Series Switches on page 1353

List of Sample Output
    show pfe statistics traffic multicast fpc 0 (EX8208 Switch) on page 1462

Output Fields
    Table 196 on page 1455 lists the output fields for the show pfe statistics traffic multicast command. Output fields are listed in the approximate order in which they appear.

Table 198: show pfe statistics traffic multicast Output Fields

Field Name              Field Description
Queue                   CoS queue number.
Forwarding classes      Forwarding class name.
Queued Packets          Number of packets queued to this queue.
Queued Bytes            Number of bytes queued to this queue.
Packets                 Number of packets transmitted by this queue.
Bytes                   Number of bytes transmitted by this queue.
Tail-dropped packets    Count of packets dropped at the tail end of the queue because of lack of buffer space.
RED-dropped packets     Number of packets dropped because of Random Early Discard (RED):
                          Low: Number of low-loss priority packets dropped because of RED.
                          High: Number of high-loss priority packets dropped because of RED.
RED-dropped bytes       Number of bytes dropped because of Random Early Discard (RED):
                          Low: Number of low-loss priority bytes dropped because of RED.
                          High: Number of high-loss priority bytes dropped because of RED.
Multicast Replication   Egress packets dropped by the PFE because none of the ports on the physical interface
Engine-dropped packets  are needed to forward the packet.

Sample Output

show pfe statistics traffic multicast fpc 0 (EX8208 Switch)

user@switch> show pfe statistics traffic multicast fpc 0


Queue: 0, Forwarding classes: best-effort
Queued:
Packets
: Not Available
Bytes
: Not Available
Packets
:
0
Bytes
:
0
Tail-dropped packets :
0
RED-dropped bytes
:
0
Low
:
0
High
:
0
RED-dropped packets :
0
Low
:
0
High
:
0
Queue: 1, Forwarding classes: expedited-forwarding
Queued:
Packets
: Not Available
Bytes
: Not Available
Packets
:
0
Bytes
:
0
Tail-dropped packets :
0
RED-dropped bytes
:
0
Low
:
0
High
:
0
RED-dropped packets :
0
Low
:
0
High
:
0

show pfe statistics traffic multicast

0 pps
0 bps
0
0
0
0
0
0

bps
bps
bps
pps
pps
pps

0 pps
0 bps
0
0
0
0
0
0

bps
bps
bps
pps
pps
pps

Chapter 74: Operational Mode Commands for CoS

Queue: 2, Forwarding classes: assured-forwarding
  Queued:
    Packets              : Not Available
    Bytes                : Not Available
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0
    RED-dropped bytes    :                     0                     0 bps
      Low                :                     0                     0 bps
      High               :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
      Low                :                     0                     0 pps
      High               :                     0                     0 pps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              : Not Available
    Bytes                : Not Available
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0
    RED-dropped bytes    :                     0                     0 bps
      Low                :                     0                     0 bps
      High               :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
      Low                :                     0                     0 pps
      High               :                     0                     0 pps
Queue: 4
    Packets              : Not Available
    Bytes                : Not Available
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0
    RED-dropped bytes    :                     0                     0 bps
      Low                :                     0                     0 bps
      High               :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
      Low                :                     0                     0 pps
      High               :                     0                     0 pps
Queue: 5
    Packets              : Not Available
    Bytes                : Not Available
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0
    RED-dropped bytes    :                     0                     0 bps
      Low                :                     0                     0 bps
      High               :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
      Low                :                     0                     0 pps
      High               :                     0                     0 pps
Queue: 6
    Packets              : Not Available
    Bytes                : Not Available
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0
    RED-dropped bytes    :                     0                     0 bps
      Low                :                     0                     0 bps
      High               :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
      Low                :                     0                     0 pps
      High               :                     0                     0 pps
Queue: 7
    Packets              : Not Available
    Bytes                : Not Available
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0
    RED-dropped bytes    :                     0                     0 bps
      Low                :                     0                     0 bps
      High               :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
      Low                :                     0                     0 pps
      High               :                     0                     0 pps
  Multicast Replication Engine-dropped packets :                     0                     0 pps
Part 15

PoE

Understanding PoE on page 1467

Examples of Configuring PoE on page 1471

Configuring PoE on page 1479

Verifying PoE on page 1483

Configuration Statements for PoE on page 1485

Operational Mode Commands for PoE on page 1495


Chapter 75

Understanding PoE

PoE and EX Series Switches Overview on page 1467

PoE and EX Series Switches Overview


Power over Ethernet (PoE) is the implementation of IEEE 802.3af, allowing both data
and electric power to pass over a copper Ethernet LAN cable. This technology allows
VoIP telephones, wireless access points, video cameras, and point-of-sale devices to
safely receive power from the same access ports that are used to connect personal
computers to the network.
This topic covers:

PoE and Power Supply Units in EX Series Switches on page 1467

Power Management Mode on page 1468

Classes of Powered Devices on page 1468

Global and Specific PoE Parameters on page 1469

PoE and Power Supply Units in EX Series Switches


Juniper Networks EX Series Ethernet Switch models provide either 8, 24, or 48 PoE
ports. The total number of PoE ports for an EX Series switch can be extended by
inserting additional PoE cards.
Power supply units with three different power capacities are available for use with
the EX Series switches:

320-W power supply unit: Supports 8 ports of PoE power at 15.4 W per port,
plus system power.

600-W power supply unit: Supports 24 ports of PoE power at 15.4 W per port,
plus system power.

930-W power supply unit: Supports 48 ports of PoE power at 15.4 W per port,
plus system power.

NOTE: PoE is not supported on a switch using DC power.


All 802.3af-compliant powered devices require no more than 12.95 watts. Thus, if
you follow the recommended guidelines for selecting power supply units to support
the number of PoE ports, the switch should be able to supply power to all connected
powered devices. If you install a higher capacity power supply unit on a switch model
that has only 8 PoE ports, it does not extend PoE capabilities to the non-PoE ports.

Power Management Mode


You can use the power management mode to determine the number of interfaces
that can be provided with power. The following two factors constitute the power
management mode:

Per port limit (PPL): The factor that decides the maximum power consumption
permitted on a particular interface. If the power consumption by the powered
device exceeds the specified value, PoE is shut down over that interface.

Power allocated for each interface: The factor that ensures that a certain amount
of power is reserved for an individual interface from the total power budget for
all interfaces. If at any point the total of the allocated power for all interfaces
exceeds the total budget, the lower priority interfaces are turned off and the
power allocated for those interfaces drops to 0.

There are two modes of power management:

Static: In this mode the power allocated for each interface can be configured.
The PPL value is the maximum value configured per interface.

Class: In this mode the power allocation for interfaces is determined based on
the class of powered device connected. PPL is the maximum power value of the
class of the powered device connected to the interface. The power allocated per
interface is the maximum power of the powered device class, except for classes
0 and 3. For class 0 and class 3 powered devices, the momentary power
consumption is considered as the power allocated for that interface. Therefore,
PPL and power allocated per interface values change based on the powered
device connected to the interface.

Classes of Powered Devices


A powered device is classified based on the maximum power that it draws across
all input voltages and operational modes. The most common class is 0, in which the
switch allows a maximum draw of 15.4 W per port. The switch provides 15.4 W at
the port in order to guarantee enough power to run a device, after accounting for
line loss. For example, 15.4 W - power loss (16%) = 12.95 W. Table 199 on page
1468 lists the classes of powered devices and associated power levels.
Table 199: Class of Powered Device and Power Levels

Class | Usage    | Minimum Power Levels Output from PoE Port | Range of Maximum Power Required by the Powered Device
------|----------|-------------------------------------------|------------------------------------------------------
0     | Default  | 15.4 W                                    | 0.44 through 12.95 W
1     | Optional | 4.0 W                                     | 0.44 through 3.84 W
2     | Optional | 7.0 W                                     | 6.49 through 12.95 W
3     | Optional | 15.4 W                                    | 6.49 through 12.95 W

Global and Specific PoE Parameters


All EX Series switches with PoE ports have a PoE controller. The PoE controller keeps
track of the switch's power consumption and distributes the available power to
individual PoE ports. You can set the PoE controller to reserve a limited amount of
power (up to 19 W) to handle a power spike. The default is that no power is kept on
reserve.
The factory default configuration creates a PoE interface for all the PoE ports on the
switch. You can specify maximum power, priority, and telemetries for each PoE
interface.

maximum-power: This setting defaults to 15.4 W. If you follow the recommended
guidelines for the installed power supply unit (see Table 199 on page 1468), the
switch should be able to provide sufficient power for all PoE ports using the
default power setting.

priority: This setting defaults to low. If a port is set as high priority and a situation
arises where there is not sufficient power for all the PoE ports, the available
power is directed to the higher priority port(s). If the switch needs to shut down
powered devices because a power supply fails and there is insufficient power,
low priority devices are shut before high priority powered devices. Thus, security
cameras, emergency phones, and other high priority phones should be set to
high priority.

telemetries: This setting allows you to monitor per-port PoE power consumption.
It is not included in the default PoE configuration.

Related Topics

EX Series Switches Interfaces Overview on page 339

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474
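To make the allocation rules in this overview concrete, the following is a simplified model, added here as an example and not Juniper's code or the switch's actual algorithm, of how per-interface allocations in static and class mode are compared against the PoE budget minus the guard band, with low-priority interfaces the first to lose power. The 123.2 W budget (8 x 15.4 W, the PoE share of the 320-W unit), the high-before-low ordering and the tie-break by list order are assumptions of the model.

```python
# Added example (not Juniper code): simplified model of the PoE power-management
# modes described in this overview. Assumptions: the PoE budget is given directly
# in watts, high-priority interfaces are served first and otherwise in list order,
# and the guard band is subtracted from the budget before any allocation.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Table 199: minimum power output from the PoE port per powered-device class (W).
CLASS_POWER_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}


@dataclass
class PoeInterface:
    name: str
    priority: str = "low"            # JUNOS default
    maximum_power: float = 15.4      # JUNOS default; the PPL in static mode
    pd_class: Optional[int] = None   # None: no powered device connected
    momentary_draw: float = 0.0      # power the connected device draws now (W)


def per_port_limit(iface: PoeInterface, mode: str) -> float:
    """PPL: the most power the switch permits on this interface."""
    if iface.pd_class is None:
        return 0.0
    if mode == "static":
        return iface.maximum_power
    if mode == "class":
        return CLASS_POWER_W[iface.pd_class]
    raise ValueError(f"unknown management mode {mode!r}")


def allocated_power(iface: PoeInterface, mode: str) -> float:
    """Power reserved for this interface out of the total PoE budget."""
    if iface.pd_class is None:
        return 0.0
    if mode == "static":
        return iface.maximum_power
    # Class mode: reserve the class maximum, except that class 0 and class 3
    # devices are charged their momentary consumption, as the text states.
    if iface.pd_class in (0, 3):
        return iface.momentary_draw
    return CLASS_POWER_W[iface.pd_class]


def plan_power(interfaces: List[PoeInterface], budget_w: float, mode: str = "static",
               guard_band_w: float = 0.0) -> Tuple[Dict[str, str], float]:
    """Decide which interfaces stay powered; returns ({name: status}, watts allocated)."""
    available = budget_w - guard_band_w
    # High-priority interfaces are served first, so low-priority ones are the
    # first to be shut off when the allocations exceed the budget (sort is stable).
    order = sorted(interfaces, key=lambda i: 0 if i.priority == "high" else 1)
    status: Dict[str, str] = {}
    used = 0.0
    for iface in order:
        if iface.pd_class is None:
            status[iface.name] = "OFF (no device)"
            continue
        if iface.momentary_draw > per_port_limit(iface, mode):
            status[iface.name] = "OFF (PPL exceeded)"   # PoE shut down on this port
            continue
        need = allocated_power(iface, mode)
        if used + need <= available + 1e-6:
            used += need
            status[iface.name] = "ON"
        else:
            status[iface.name] = "OFF (budget)"        # its allocation drops to 0
    return status, round(used, 2)


def demo_eight_port_switch(mode: str, guard_band_w: float = 0.0) -> Tuple[Dict[str, str], float]:
    """Eight class-0 devices each drawing 12.95 W on a 123.2 W budget; ge-0/0/1-3 high."""
    ifaces = [PoeInterface(f"ge-0/0/{n}", pd_class=0, momentary_draw=12.95) for n in range(8)]
    for n in (1, 2, 3):
        ifaces[n].priority = "high"
    return plan_power(ifaces, budget_w=8 * 15.4, mode=mode, guard_band_w=guard_band_w)


if __name__ == "__main__":
    for mode, gb in (("static", 0.0), ("static", 15.0), ("class", 15.0)):
        status, used = demo_eight_port_switch(mode, gb)
        off = [n for n, s in status.items() if s != "ON"]
        print(f"{mode:6} guard-band {gb:4} W: {used} W allocated, off: {off or 'none'}")
```

In static mode a 15 W guard band leaves room for only seven default 15.4 W allocations, so the last low-priority port is shut off, whereas class mode charges each class 0 device its 12.95 W draw and all eight fit.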


Chapter 76

Examples of Configuring PoE

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Example: Configuring PoE Interfaces on an EX Series Switch


All EX Series switches except the EX4200-24F model provide Power over Ethernet
(PoE) ports. The PoE ports supply electric power over the same ports that are used
to connect network devices and allow you to plug in devices that require both network
connectivity and electric power, such as VoIP phones, wireless access points, and
some IP cameras. The factory default configuration specifies PoE interfaces for the
PoE ports. Therefore, you do not need to configure PoE unless you wish to modify
the default values or disable a specific PoE interface.
This example describes a default configuration of PoE interfaces on an EX Series
switch:

Requirements on page 1471

Overview and Topology on page 1472

Configuration on page 1472

Verification on page 1473

Troubleshooting on page 1473

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX Series switches

One EX4200 switch

Before you configure PoE, be sure you have:

Performed the initial switch configuration. See Connecting and Configuring an
EX Series Switch (CLI Procedure) on page 79 or Connecting and Configuring
an EX Series Switch (J-Web Procedure) on page 81 for details.

Overview and Topology


The topology used in this example consists of one EX4200-24T switch, which has a
total of 24 ports. Eight of the ports support PoE, which means they provide both
network connectivity and electric power for devices such as VoIP phones, wireless
access points, and some IP security cameras. The remaining 16 ports provide only
network connectivity. You use the standard ports to connect devices that have their
own power sources, such as desktop and laptop computers, printers, and servers.
Table 200 on page 1472 details the topology used in this configuration example.
Table 200: Components of the PoE Configuration Topology

Property                                                   | Settings
-----------------------------------------------------------|----------------------------------------------------------
Switch hardware                                            | EX4200-E-24T switch, with 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name                                                  | default
Connection to a wireless access point (requires PoE)       | ge-0/0/0
Connections to Avaya IP telephone with integrated hub, to connect phone and desktop PC to a single port (requires PoE) | ge-0/0/1 through ge-0/0/7
Direct connections to desktop PCs, file servers, integrated printer/fax/copier machines (no PoE required) | ge-0/0/8 through ge-0/0/20
Unused ports (for future expansion)                        | ge-0/0/21 through ge-0/0/23

Configuration
To enable the default PoE configuration on the switch:
CLI Quick Configuration

By default, PoE interfaces are created for all PoE ports and PoE is enabled. You can
simply connect powered devices to the PoE ports.

Step-by-Step Procedure

To use the PoE interfaces with default values:

1. Make sure the switch is powered on.

2. Connect the wireless access point to switch port ge-0/0/0.

3. Connect the eight Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.


Verification
To verify that PoE interfaces have been created and are operational, perform this
task:

Verifying That the PoE Interfaces Have Been Created on page 1473

Verifying That the PoE Interfaces Have Been Created


Purpose

Verify that the PoE interfaces have been created on the switch.

Action

List all the PoE interfaces configured on the switch:

user@switch> show poe interface
Interface  Enabled  status  max-power  priority  power-consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/2   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/3   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  ON      15.4W      Low       12.95W             0

Meaning

The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This output shows that eight
interfaces have been created with default values and are consuming power at the
expected rates.

Troubleshooting
Troubleshooting PoE Interfaces
Problem

The PoE port is not supplying power to the connected device.

Solution

Check for the following:

Items to Check                                     | Explanation
---------------------------------------------------|---------------------------------------------------------------------
Is the switch a full PoE model or partial PoE?     | If you are using a partial PoE model, only interfaces ge-0/0/0 through ge-0/0/7 can function as PoE ports.
Has the PoE interface been disabled for that port? | Use the show poe interface command to check PoE interface status.
Is the cable properly seated in the port socket?   | Check the hardware.
Enable telemetries for the interface.              | Check the history of power consumption on the interface by using the show poe telemetries interface command.


Related Topics

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch
EX Series switches provide Power over Ethernet (PoE) ports, which supply electric
power over the same ports that are used to connect network devices. These ports
allow you to plug in devices that need both network connectivity and electric power,
such as VoIP phones, wireless access points, and some IP cameras. You can configure
a particular PoE interface to have a high priority setting. If a port is set as high priority
and a situation arises where there is not sufficient power for all the PoE ports, the
available power is directed to the higher priority ports. If the switch needs to shut
down powered devices because a power supply fails and there is insufficient power,
low priority devices are shut down before high priority powered devices. Thus,
security cameras, emergency phones, and other high priority phones should be set
to high priority.
This example describes how to configure a few high priority PoE interfaces for an
EX Series switch (by default, interfaces are set to low priority):

Requirements on page 1474

Overview and Topology on page 1474

Configuration on page 1475

Verification on page 1476

Troubleshooting on page 1477

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX Series switches

One EX4200 switch

Before you configure PoE, be sure you have:

Performed the initial switch configuration. See Connecting and Configuring an
EX Series Switch (CLI Procedure) on page 79 or Connecting and Configuring
an EX Series Switch (J-Web Procedure) on page 81 for details.

Overview and Topology


The topology used in this example consists of one EX4200-24T switch, which has a
total of 24 ports. Eight of the ports support PoE, which means they provide both
network connectivity and electric power for devices such as VoIP telephones, wireless
access points, and some IP security cameras. The remaining 16 ports provide only
network connectivity. You use the standard ports to connect devices that have their
own power sources, such as desktop and laptop computers, printers, and servers.
Table 201 on page 1475 details the topology used in this configuration example.

Table 201: Components of the PoE Configuration Topology

Property                                              | Settings
------------------------------------------------------|----------------------------------------------------------
Switch hardware                                       | EX4200E-24T switch, with 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name                                             | default
Connection to a wireless access point (requires PoE)  | ge-0/0/0
Security IP cameras (require PoE)                     | ge-0/0/1 and ge-0/0/2 (priority high)
Emergency VoIP phone (requires PoE)                   | ge-0/0/3 (priority high)
VoIP phone in Executive Office (requires PoE)         | ge-0/0/4 (priority high)
Other VoIP phones (require PoE)                       | ge-0/0/5 through ge-0/0/7
Direct connections to desktop PCs, file servers, integrated printer/fax/copier machines (no PoE required) | ge-0/0/8 through ge-0/0/20
Unused ports (for future expansion)                   | ge-0/0/21 through ge-0/0/23

Configuration

Configure Power over Ethernet Interfaces:

CLI Quick Configuration

By default, PoE interfaces are created for all PoE ports and PoE is enabled. The default
priority for PoE interfaces is low.

To quickly configure PoE with some interfaces set to high priority and others to the
default low priority, and to include a description of the interfaces, copy the following
commands and paste them into the switch terminal window:

[edit]
set poe interface ge-0/0/1 priority high telemetries
set poe interface ge-0/0/2 priority high telemetries
set poe interface ge-0/0/3 priority high telemetries
set poe interface ge-0/0/4 priority high telemetries
set poe interface all
set interfaces ge-0/0/0 description "wireless access point"
set interfaces ge-0/0/1 description "security camera front door"
set interfaces ge-0/0/2 description "security camera back door"
set interfaces ge-0/0/3 description "emergency phone"
set interfaces ge-0/0/4 description "Executive Office VoIP phone"
set interfaces ge-0/0/5 description "staff VoIP phone"
set interfaces ge-0/0/6 description "staff VoIP phone"
set interfaces ge-0/0/7 description "staff VoIP phone"

Step-by-Step Procedure

To configure PoE interfaces with different priorities:

1. Configure the PoE interfaces at the [edit poe] hierarchy level with some interfaces
   set to high priority and others to the default low priority, thus enabling the
   logging of per-port power consumption for the high priority ports.

   [edit poe]
   user@switch# set interface ge-0/0/1 priority high telemetries
   user@switch# set interface ge-0/0/2 priority high telemetries
   user@switch# set interface ge-0/0/3 priority high telemetries
   user@switch# set interface ge-0/0/4 priority high telemetries
   user@switch# set interface all

2. Specify a description for the PoE interfaces:

   [edit interfaces]
   user@switch# set ge-0/0/0 description "wireless access point"
   user@switch# set ge-0/0/1 description "security camera front door"
   user@switch# set ge-0/0/2 description "security camera back door"
   user@switch# set ge-0/0/3 description "emergency phone"
   user@switch# set ge-0/0/4 description "Executive Office VoIP phone"
   user@switch# set ge-0/0/5 description "staff VoIP phone"
   user@switch# set ge-0/0/6 description "staff VoIP phone"
   user@switch# set ge-0/0/7 description "staff VoIP phone"

3. Connect the wireless access point to switch interface ge-0/0/0. This interface
   is PoE-enabled for the default settings based on the factory configuration.
   Telemetries are not enabled.

4. Connect the two security cameras to switch interfaces ge-0/0/1 and ge-0/0/2.
   These interfaces are set to high priority with telemetries enabled.

5. Connect the emergency VoIP phone to switch interface ge-0/0/3. This interface
   is set to high priority with telemetries enabled.

6. Connect the Executive Office VoIP phone to switch interface ge-0/0/4. This
   interface is set to high priority with telemetries enabled.

7. Connect the staff VoIP phones to switch interfaces ge-0/0/5 through ge-0/0/7. These
   interfaces are set to the default values. Telemetries are not enabled.

Results

Verification
To verify that PoE interfaces have been created and are operational, perform the
following tasks:

Verifying That the PoE Interfaces Have Been Created with Desired
Priorities on page 1476

Verifying That the PoE Interfaces Have Been Created with Desired Priorities

Purpose

Verify that the PoE interfaces on the switch are now set to the desired priority settings.

Action

List all the PoE interfaces configured on the switch:

user@switch> show poe interface
Interface  Enabled  Status  Max-Power  Priority  Power-Consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  OFF     15.4W      Low       0 W                0

Meaning

The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This output shows that eight
PoE interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as
priority high. The remaining interfaces are configured with the default values.

Troubleshooting
Troubleshooting PoE Interfaces
Problem

The PoE port is not supplying power to the connected device.

Solution

Check for the following:

Items to Check                                     | Explanation
---------------------------------------------------|---------------------------------------------------------------------
Is the switch a full PoE model or partial PoE?     | If you are using a partial PoE model, only interfaces ge-0/0/0 through ge-0/0/7 can function as PoE ports.
Has the PoE interface been disabled for that port? | Use the show poe interface command to check PoE interface status.
Is the cable properly seated in the port socket?   | Check the hardware.
Enable telemetries for the interface.              | Check the history of power consumption on the interface by using the show poe telemetries interface command.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481


Chapter 77

Configuring PoE

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

Configuring PoE (CLI Procedure)


EX Series switch models provide either 8, 24, or 48 PoE ports, which supply electric
power over the same ports that are used to connect network devices. These ports
allow you to plug in devices that require both network connectivity and electric
power, such as VoIP phones, wireless access points, and some IP cameras.
The factory default configuration for EX Series switches specifies and enables PoE
interfaces for the PoE ports.
To configure PoE using the CLI:
1. Enable PoE:

   For all PoE interfaces:

   [edit]
   user@switch# set poe interface all

   For a specific PoE interface:

   [edit]
   user@switch# set poe interface ge-0/0/0

2. By default the power management mode is static. To change the power
   management mode to class:

   [edit]
   user@switch# set poe management class

NOTE: When the power management mode is set to class, the maximum power
value is overridden by the maximum power value of the class of power device
connected.


3. Set the power priority:

   For all PoE interfaces:

   [edit]
   user@switch# set poe interface all priority low

   For a specific PoE interface:

   [edit]
   user@switch# set poe interface ge-0/0/0 priority high

4. Set the maximum PoE wattage available (the default is 15.4):

   For all PoE interfaces:

   [edit]
   user@switch# set poe interface all maximum-power 14

   For a specific PoE interface:

   [edit]
   user@switch# set poe interface ge-0/0/0 maximum-power 12.8

5. Enable logging of PoE power consumption with the default telemetries settings:

   For all PoE interfaces:

   [edit]
   user@switch# set poe interface all telemetries

   For a specific PoE interface:

   [edit]
   user@switch# set poe interface ge-0/0/0 telemetries

6. Reserve a specified wattage of power for the switch in case of a spike in PoE
   consumption (the default is 0):

   [edit]
   user@switch# set poe guard-band 15

Related Topics

Configuring PoE (J-Web Procedure) on page 1481

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Monitoring PoE on page 1483

PoE and EX Series Switches Overview on page 1467

Configuring PoE (J-Web Procedure)


EX Series switch models provide either 8, 24, or 48 PoE ports, which supply electric
power over the same ports that are used to connect network devices. These ports
allow you to plug in devices that require both network connectivity and electric
power, such as VoIP phones, wireless access points, and some IP cameras. Using
the Power over Ethernet (PoE) configuration page, you can modify the settings of all
interfaces that are PoE-enabled.
To modify PoE settings:
1. In the Configure menu, select Power over Ethernet.

   The page displays a list of all interfaces except uplink ports. Specific operational
   details about an interface are displayed in the Details section of the page. The
   details include the PoE Operational Status and Port class.

2. Click one:

   Edit: Changes PoE settings for the selected port as described in Table 202 on page 1481.

   System Settings: Modifies general PoE settings as described in Table 203 on page 1481.

Table 202: PoE Edit Settings

Field         | Description                                                                              | Your Action
--------------|------------------------------------------------------------------------------------------|---------------------------------------------------------------------
Enable PoE    | Specifies that PoE is enabled on the interface.                                          | Select this option to enable PoE on the interface.
Priority      | Lists the power priority (Low or High) configured on ports enabled for PoE.              | Set the priority as High or Low.
Maximum Power | Specifies the maximum PoE wattage available to provision active PoE ports on the switch. | Select a value in watts. If no value is specified, the default is 15.4.

Table 203: System Settings

Field              | Description                                                                                                                                                                                                                           | Your Action
-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------
PoE Management     | Specifies the power management mode. The options are: static and class. NOTE: When the power management mode is set to class, the maximum power value is overridden by the maximum power value of the class of power device that is connected to the switch on the PoE port. | By default the power management mode is static. Select class to change the power management mode.
Guard Band (watts) | Specifies the band to control power availability on the switch.                                                                                                                                                                       | Enter a value to set the guard band value in watts. The default value is 0.


Related Topics

Configuring PoE (CLI Procedure) on page 1479

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Monitoring PoE on page 1483

PoE and EX Series Switches Overview on page 1467

Chapter 78

Verifying PoE

Monitoring PoE on page 1483

Verifying Status of PoE Interfaces on an EX Series Switch on page 1484

Monitoring PoE

Purpose

Use the monitoring functionality to view real-time data of the power consumed by
each PoE interface, and to enable and configure Telemetries values. When Telemetries
is enabled, the software measures the power consumed by each interface and stores
the data for future reference.

Action

To monitor PoE using the J-Web interface, select Monitor > Power over Ethernet.

To monitor PoE using the CLI:

To display the real-time PoE status for all PoE interfaces, enter show poe interface.

To display the real-time PoE status for a specific PoE interface, enter show poe
interface interface-name.

The show poe interface command displays the power consumption of the interface
at the moment that the command is issued.

To monitor the PoE interface's power consumption over a period of time, you can
enable telemetries for the interface with the telemetries configuration statement.
When Telemetries is enabled, you can display the log of the interface's power
consumption by using the CLI command:

show poe telemetries interface interface-name all | x

Meaning

In the J-Web interface the PoE Monitoring screen is divided into two parts. The top
half of the screen displays real-time data of the power consumed by each interface
and a list of ports that utilize maximum power.

Select a particular interface to view a graph of the power consumed by the selected
interface.

The bottom half of the screen displays telemetries values for interfaces. The telemetry
status displays whether telemetry has been enabled on the interface. Click the Show
Graph button to view a graph of the telemetries. The graph can be based on power
or voltage. To modify telemetries values, click Edit. Specify Interval in minutes,
Duration in hours, and select Log Telemetries to enable telemetries on the selected
interface.
Related Topics

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Verifying Status of PoE Interfaces on an EX Series Switch on page 1484

Verifying Status of PoE Interfaces on an EX Series Switch

Purpose

Verify that the PoE interfaces on the switch are enabled and set to the desired priority
settings.

Action

List all the PoE interfaces configured on the switch:

user@switch> show poe interface
Interface  Enabled  Status  Max-Power  Priority  Power-Consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  OFF     15.4W      Low       0 W                0

Meaning

The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This command has been executed
on a switch with partial PoE (8 PoE ports). The output shows that all eight PoE
interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as priority
high. The remaining interfaces were configured with the default values.

Related Topics

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Monitoring PoE on page 1483
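The verification above, and the matching one in the different-priorities example, rely on reading show poe interface by eye. As an added example, not from this guide or from Juniper, the following parses output laid out like the sample above and checks it against the priorities an operator intended for cameras and emergency phones, flagging a port whose priority is not what was configured or that is enabled but OFF. The sample rows and the expected-priority map are constructed for the example.

```python
# Added example (not Juniper code): parse show poe interface output and check it
# against the operator's intended priorities. Assumptions: the column layout of the
# sample output on this page; EXPECTED_PRIORITY is a constructed policy for the
# topology in Table 201 (cameras, emergency phone and executive phone set high).
import re
from typing import Dict, List

# Constructed sample, laid out like the show poe interface output above.
SAMPLE_OUTPUT = """\
Interface  Enabled  Status  Max-Power  Priority  Power-Consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  OFF     15.4W      Low       0 W                0
"""

# One interface row; "0 W" (with a space) and "12.95W" are both accepted.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<enabled>Enabled|Disabled)\s+(?P<status>ON|OFF)\s+"
    r"(?P<max>[\d.]+)\s*W\s+(?P<priority>Low|High)\s+(?P<draw>[\d.]+)\s*W\s+(?P<cls>\d+)\s*$"
)


def parse_poe_interfaces(text: str) -> Dict[str, dict]:
    """Turn the command output into {interface: fields}; the header line is skipped."""
    rows: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or anything that is not an interface row
        rows[m["name"]] = {
            "enabled": m["enabled"] == "Enabled",
            "on": m["status"] == "ON",
            "max_power": float(m["max"]),
            "priority": m["priority"],
            "draw": float(m["draw"]),
            "pd_class": int(m["cls"]),
        }
    return rows


def check_poe(text: str, expected_priority: Dict[str, str]) -> List[str]:
    """Return findings: priority not as intended, enabled port OFF, draw above max-power."""
    rows = parse_poe_interfaces(text)
    findings: List[str] = []
    for name, want in sorted(expected_priority.items()):
        row = rows.get(name)
        if row is None:
            findings.append(f"{name}: not present in output")
        elif row["priority"] != want:
            findings.append(f"{name}: priority is {row['priority']}, expected {want}")
    for name, row in rows.items():
        if row["enabled"] and not row["on"]:
            findings.append(f"{name}: PoE enabled but status OFF (check cabling or budget)")
        if row["draw"] > row["max_power"]:
            findings.append(f"{name}: drawing {row['draw']} W above max-power {row['max_power']} W")
    return findings


# Constructed policy for Table 201: ge-0/0/1 through ge-0/0/4 are meant to be high.
EXPECTED_PRIORITY = {f"ge-0/0/{n}": "High" for n in (1, 2, 3, 4)}

if __name__ == "__main__":
    for finding in check_poe(SAMPLE_OUTPUT, EXPECTED_PRIORITY):
        print(finding)
```

Run against the sample it reports ge-0/0/4 as Low where High was intended and ge-0/0/7 as enabled but OFF, the two conditions the troubleshooting table tells you to look for.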

Chapter 79

Configuration Statements for PoE

[edit poe] Configuration Statement Hierarchy on page 1485

[edit poe] Configuration Statement Hierarchy


poe {
    guard-band watts;
    interface (all | interface-name) {
        disable;
        maximum-power watts;
        priority value;
        telemetries {
            disable;
            duration hours;
            interval minutes;
        }
    }
    management type;
}
Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

disable

Syntax: disable;

Hierarchy Level:
[edit poe interface (all | interface-name)],
[edit poe interface (all | interface-name) telemetries]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Disables the PoE capabilities of this port. The port operates as a standard network access port. If the disable statement is specified after the telemetries statement, it disables the logging of PoE power consumption for this port.
To disable the monitoring and retain the stored configuration values for interval and duration for possible future use, you can specify the disable substatement in the substanza for telemetries.

Default: The PoE capabilities are automatically enabled when a PoE interface is set. If the telemetries statement is specified, monitoring of PoE per-port power consumption is enabled.

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


duration

Syntax: duration hours;

Hierarchy Level: [edit poe interface (all | interface-name) telemetries]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Modify the duration for logging telemetries if you are monitoring the per-port power consumption for PoE interfaces.

Options:
hours: Hours the logging continues.
Range: 1 through 24 hours
Default: 1 hour

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


guard-band

Syntax: guard-band watts;

Hierarchy Level: [edit poe]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Reserve the specified amount of power for the switch in case of a spike in PoE consumption.

Default: 0 W

Options:
watts: Amount of power to be reserved for the switch in case of a spike in PoE consumption.
Range: 0 through 19 W
Default: 0 W

Required Privilege Level:
router: To view this statement in the configuration.
router-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


interface

Syntax:
interface (all | interface-name) {
    disable;
    maximum-power watts;
    priority value;
    telemetries {
        disable;
        interval minutes;
        duration hours;
    }
}

Hierarchy Level: [edit poe]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Enable a PoE interface for a PoE port. An interface must be enabled in order for the port to provide power to a connected powered device.

Default: The PoE interface is enabled by default.

Options:
all: All interfaces on the switch.
interface-name: Name of the specific interface.
The remaining statements are explained separately.

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


interval

Syntax: interval minutes;

Hierarchy Level: [edit poe interface (all | interface-name) telemetries]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Modify the interval for logging telemetries if you are monitoring the per-port power consumption for PoE interfaces.

Options:
minutes: Frequency of logging.
Range: 1 through 30 minutes
Default: 5 minutes

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


management

Syntax: management type;

Hierarchy Level: [edit poe]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches. class option introduced in JUNOS Release 9.3 for EX Series switches.

Description: Designate the way that the switch's PoE controller allocates power to the PoE ports.

Default: static

Options:
type: Management type:
class: The power available for the interface is determined based on the class of the powered device connected. See section Classes of Powered Devices in PoE and EX Series Switches Overview on page 1467 for more information.
static: The switch reserves a certain amount of power for the PoE port even when a powered device is not connected to the port. This setting ensures that power is available when needed.

Required Privilege Level:
router: To view this statement in the configuration.
router-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


maximum-power

Syntax: maximum-power watts;

Hierarchy Level: [edit poe interface (all | interface-name)]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Maximum amount of power that can be supplied to the port.

Default: 15.4 W

Options:
watts: Amount of power, in watts.
Range: 0 through 15.4 W
Default: 15.4 W

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


priority

Syntax: priority value;

Hierarchy Level: [edit poe interface (all | interface-name)]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Set the priority for shutdown of individual ports when there is insufficient power for all PoE ports. If a port is set as high priority and a situation arises where there is not sufficient power for all the PoE ports, the available power is directed to the higher priority port(s). If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, low priority devices are shut down before high priority devices.

Default: low

Options:
value: high or low:
high: Specifies that this port is to be treated as high priority in terms of power allocation. If there is insufficient power for all the PoE ports, the available power is directed to this port. If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, the power is not shut down on this port until after it has been shut down on all the low priority ports.
low: Specifies that this port is to be treated as low priority in terms of power allocation. If there is insufficient power for all the PoE ports, power is not supplied to this port. If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, the power is shut down on this port before it is shut down on high priority ports.

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467


telemetries

Syntax:
telemetries {
    disable;
    duration hours;
    interval minutes;
}

Hierarchy Level: [edit poe interface (all | interface-name)]

Release Information: Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description: Allows you to log per-port PoE power consumption.
If you want to log per-port power consumption, you must explicitly specify the telemetries statement. You can enable telemetries for all the PoE interfaces by setting poe interface all. However, if you modify the configuration of any individual PoE interface (for example, to change the priority), you must also specify telemetries for that interface in order to maintain the logging. If you do not specify telemetries for a PoE interface, logging is disabled.
The remaining statements are explained separately.

Default: If the telemetries statement is specified, logging is enabled with the default values for interval and duration.

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Configuring PoE (CLI Procedure) on page 1479

Configuring PoE (J-Web Procedure) on page 1481

PoE and EX Series Switches Overview on page 1467

Chapter 80

Operational Mode Commands for PoE


show poe controller

Syntax:
show poe controller
<detail | summary>

Release Information: Command introduced in JUNOS Release 9.0 for EX Series switches.

Description: Display the status of the Power over Ethernet (PoE) software module controller.

Options:
none: Display general parameters of the PoE software module controller.
detail | summary: (Optional) Display the specified level of output.

Required Privilege Level: view

Related Topics

show poe interface

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Monitoring PoE on page 1483

List of Sample Output

show poe controller on page 1496

Output Fields

Table 204 on page 1496 lists the output fields for the show poe controller command. Output fields are listed in the approximate order in which they appear.

Table 204: show poe controller Output Fields

Field Name          Field Description
Ctrl-index          Identifies the controller.
Max-power           Specifies the maximum power that can be provided by the switch to PoE ports.
power-consumption   Specifies the total amount of power being used by the PoE ports, as measured by the specified telemetries settings.
Guard-band          Specifies the amount of power that has been placed in reserve.
Management          Specifies the management mode. Static is the only management mode supported.

show poe controller

user@host> show poe controller
Ctrl-index  Max-power  power-consumption  Guard-band  Management
0           305 W      0W                 15W         Static


show poe interface

Syntax: show poe interface <ge-fpc/pic/port>

Release Information: Command introduced in JUNOS Release 9.0 for EX Series switches.

Description: Display the status of Power over Ethernet (PoE) ports.

Options:
none: Display status of all PoE ports on the switch.
ge-fpc/pic/port: (Optional) Display the status of a specific PoE port on the switch.

Required Privilege Level: view

Related Topics

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Monitoring PoE on page 1483

List of Sample Output

show status for all poe interfaces on the switch on page 1497
show status for a specific PoE interface on the switch on page 1498

Output Fields

Table 205 on page 1497 lists the output fields for the show poe interface command. Output fields are listed in the approximate order in which they appear.

Table 205: show poe interface Output Fields

Field Name          Field Description
PoE Interface       Specifies the interface address.
Enabled             Specifies whether PoE capabilities are enabled or disabled.
status              Specifies whether PoE is currently being provided to the port.
max-power           Specifies the maximum power that can be provided to the port.
priority            Specifies whether the port is high or low priority.
power-consumption   Specifies how much power is being used by the port, as measured by the specified telemetries settings.
Class               Indicates the IEEE 802.3af classification that defines the maximum power requirements for a powered device.

show status for all poe interfaces on the switch

user@host> show poe interface
Interface  Enabled  status  max-power  priority  power-consumption  Class
ge-0/0/1   Enabled  OFF     15.4W      Low       0.0W               0
ge-0/0/3   Enabled  OFF     12.0W      High      0.0W               0
ge-0/0/5   Enabled  OFF     15.4W      Low       0.0W               0

show status for a specific PoE interface on the switch

user@host> show poe interface ge-0/0/3
PoE interface status:
PoE interface                               : ge-0/0/3
PoE capability of the interface             : Enabled
Current status of power supply on interface : OFF
Power limit on the interface                : 12.0W
Priority                                    : High
Power consumed                              : 0.0W
Class of power device                       : 0
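To act on the show poe controller and show poe interface output above together with the guard-band, management and priority statements of Chapter 79, here is an added Python example (not Juniper code) that parses both outputs, computes the static power budget, and reports ports whose priority does not match the importance of the device behind them. The column spacing, the set of "critical" ports, and the name-order tie-break among equal-priority ports are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed from the show poe controller sample output in this chapter.
CONTROLLER_OUTPUT = """\
Ctrl-index  Max-power  power-consumption  Guard-band  Management
0           305 W      0W                 15W         Static
"""

# Constructed from the eight-port show poe interface output in the
# "Verifying Status of PoE Interfaces" topic.
INTERFACE_OUTPUT = """\
Interface  Enabled  Status  Max-Power  Priority  Power-Consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  OFF     15.4W      Low       0 W                0
"""

W = r"(\d+(?:\.\d+)?)\s*W"   # a wattage, with or without a space before the unit

# One interface row: name, enabled, status, max-power, priority, consumption, class.
ROW = re.compile(rf"^(ge-\d+/\d+/\d+)\s+(\w+)\s+(\w+)\s+{W}\s+(High|Low)\s+{W}\s+(\d+)\s*$")
# The controller row: index, max-power, consumption, guard-band, management.
CTRL = re.compile(rf"^(\d+)\s+{W}\s+{W}\s+{W}\s+(\w+)\s*$")


@dataclass
class PoEPort:
    name: str
    enabled: bool
    on: bool
    max_power: float
    priority: str        # "High" or "Low"
    consumption: float
    pd_class: int


def parse_interfaces(output):
    ports = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(PoEPort(m[1], m[2] == "Enabled", m[3] == "ON",
                                 float(m[4]), m[5], float(m[6]), int(m[7])))
    return ports


def parse_controller(output):
    for line in output.splitlines():
        m = CTRL.match(line)
        if m:
            return {"max_power": float(m[2]), "consumption": float(m[3]),
                    "guard_band": float(m[4]), "management": m[5].lower()}
    raise ValueError("no controller row found")


def budget(controller, ports):
    """With static management the switch reserves each enabled port's max-power
    whether or not a powered device is attached, so the commitment is the sum of
    max-power over enabled ports; the guard-band is held back from Max-power."""
    available = controller["max_power"] - controller["guard_band"]
    committed = sum(p.max_power for p in ports if p.enabled)
    return round(available, 2), round(committed, 2)


def shed_order(ports):
    """Powered ports in the order they lose power when the budget is short: low
    priority before high. The order among equal-priority ports is not documented;
    sorting by name within a priority is an assumption of this example."""
    powered = [p for p in ports if p.enabled and p.on]
    return [p.name for p in sorted(powered, key=lambda p: (p.priority == "High", p.name))]


def audit(controller, ports, critical):
    """Findings a reviewer would act on: reservation exceeding the budget, ports
    with PoE disabled, and a critical device (camera, access point) left on a
    Low-priority port, where it is shed first."""
    findings = []
    available, committed = budget(controller, ports)
    if committed > available:
        findings.append(f"over-committed: {committed}W reserved, {available}W available")
    for p in ports:
        if not p.enabled:
            findings.append(f"{p.name}: PoE disabled")
        if p.name in critical and p.priority != "High":
            findings.append(f"{p.name}: critical device on Low priority port")
    return findings


if __name__ == "__main__":
    ctrl = parse_controller(CONTROLLER_OUTPUT)
    ports = parse_interfaces(INTERFACE_OUTPUT)
    print("available/committed:", budget(ctrl, ports))
    print("shed order:", shed_order(ports))
    print("findings:", audit(ctrl, ports, critical={"ge-0/0/4"}))
```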


show poe telemetries interface

Syntax: show poe telemetries interface ge-fpc/pic/port all | x

Release Information: Command introduced in JUNOS Release 9.0 for EX Series switches.

Description: Display a history of power consumption on the specified interface.

Options:
ge-fpc/pic/port: Display telemetries for the specified PoE interface.
all: Display all telemetries records for the specified PoE interface.
x: Display the specified number of telemetries records for the specified PoE interface.

Required Privilege Level: view

Related Topics

show poe interface

Example: Configuring PoE Interfaces on an EX Series Switch on page 1471

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 1474

Monitoring PoE on page 1483

List of Sample Output

show poe telemetries interface (Last 10 Records) on page 1499
show poe telemetries interface (All Records) on page 1500

Output Fields

Table 206 on page 1499 lists the output fields for the show poe telemetries interface command. Output fields are listed in the approximate order in which they appear.

Table 206: show poe telemetries interface Output Fields

Field Name   Field Description
Sl No        Number of the record for the specified port. Record number 1 is the most recent.
Timestamp    Time that the power-consumption data was gathered.
Power        Amount of power provided by the specified port at the time the data was gathered.
Voltage      Maximum voltage provided by the specified port at the time the data was gathered.

show poe telemetries interface (Last 10 Records)

user@switch> show poe telemetries interface ge-0/0/0 10
Sl No  Timestamp                Power  Voltage
1      01-27-2008 18:19:58 UTC  15.4W  51.6V
2      01-27-2008 18:18:58 UTC  15.4W  51.6V
3      01-27-2008 18:17:58 UTC  15.4W  51.6V
4      01-27-2008 18:16:58 UTC  15.4W  51.6V
5      01-27-2008 18:15:58 UTC  15.4W  51.6V
6      01-27-2008 18:14:58 UTC  15.4W  51.6V
7      01-27-2008 18:13:58 UTC  15.4W  51.6V
8      01-27-2008 18:12:57 UTC  15.4W  51.6V
9      01-27-2008 18:11:57 UTC  15.4W  51.6V
10     01-27-2008 18:10:57 UTC  15.4W  51.6V

show poe telemetries interface (All Records)

user@switch> show poe telemetries interface ge-0/0/0 all
Sl No  Timestamp                Power  Voltage
1      01-27-2008 18:19:58 UTC  15.4W  51.6V
2      01-27-2008 18:18:58 UTC  15.4W  51.6V
3      01-27-2008 18:17:58 UTC  15.4W  51.6V
4      01-27-2008 18:16:58 UTC  15.4W  51.6V
5      01-27-2008 18:15:58 UTC  15.4W  51.6V
6      01-27-2008 18:14:58 UTC  15.4W  51.6V
7      01-27-2008 18:13:58 UTC  15.4W  51.6V
8      01-27-2008 18:12:57 UTC  15.4W  51.6V
9      01-27-2008 18:11:57 UTC  15.4W  51.6V
10     01-27-2008 18:10:57 UTC  15.4W  51.6V
11     01-27-2008 18:09:57 UTC  15.4W  51.6V
12     01-27-2008 18:08:57 UTC  15.4W  51.6V
13     01-27-2008 18:07:57 UTC  15.4W  51.6V
14     01-27-2008 18:06:57 UTC  15.4W  51.6V
15     01-27-2008 18:05:57 UTC  15.4W  51.6V
16     01-27-2008 18:04:56 UTC  15.4W  51.6V
17     01-27-2008 18:03:56 UTC  15.4W  51.6V
18     01-27-2008 18:02:56 UTC  15.4W  51.6V
19     01-27-2008 18:01:56 UTC  15.4W  51.6V
20     01-27-2008 18:00:56 UTC  15.4W  51.6V
21     01-27-2008 17:59:56 UTC  15.4W  51.6V
22     01-27-2008 17:58:56 UTC  15.4W  51.6V
23     01-27-2008 17:57:56 UTC  15.4W  51.6V
24     01-27-2008 17:56:55 UTC  15.4W  51.6V
25     01-27-2008 17:55:55 UTC  15.4W  51.6V
26     01-27-2008 17:54:55 UTC  15.4W  51.6V
27     01-27-2008 17:53:55 UTC  15.4W  51.6V
28     01-27-2008 17:52:55 UTC  15.4W  51.6V
29     01-27-2008 17:51:55 UTC  15.4W  51.6V
30     01-27-2008 17:50:55 UTC  15.4W  51.6V
31     01-27-2008 17:49:55 UTC  15.4W  51.6V
32     01-27-2008 17:48:55 UTC  15.4W  51.6V
33     01-27-2008 17:47:54 UTC  15.4W  51.6V
34     01-27-2008 17:46:54 UTC  15.4W  51.6V
35     01-27-2008 17:45:54 UTC  15.4W  51.6V
36     01-27-2008 17:44:54 UTC  15.4W  51.6V
37     01-27-2008 17:43:54 UTC  15.4W  51.6V
38     01-27-2008 17:42:54 UTC  15.4W  51.6V
39     01-27-2008 17:41:54 UTC  15.4W  51.6V
40     01-27-2008 17:40:54 UTC  15.4W  51.6V
41     01-27-2008 17:39:53 UTC  15.4W  51.6V
42     01-27-2008 17:38:53 UTC  15.4W  51.6V
43     01-27-2008 17:37:53 UTC  15.4W  51.6V
44     01-27-2008 17:36:53 UTC  15.4W  51.6V
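An added Python example (not Juniper code) that reads a show poe telemetries interface history of the form shown above and flags readings above the port's maximum-power, an abrupt change in draw between consecutive samples, and a gap in the log longer than twice the configured interval. The rows past record 4, the 5 W step threshold and the two-interval gap rule are constructed assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first four rows match the chapter's output for
# ge-0/0/0 logged at a 1-minute interval; the last two rows are added to show
# a change in draw and a stretch where no records were logged.
TELEMETRY_OUTPUT = """\
Sl No  Timestamp                Power  Voltage
1      01-27-2008 18:19:58 UTC  15.4W  51.6V
2      01-27-2008 18:18:58 UTC  15.4W  51.6V
3      01-27-2008 18:17:58 UTC  15.4W  51.6V
4      01-27-2008 18:16:58 UTC  15.4W  51.6V
5      01-27-2008 18:12:58 UTC  3.8W   51.6V
6      01-27-2008 18:11:58 UTC  3.8W   51.6V
"""

# One record: serial number, timestamp in UTC, power in watts, voltage in volts.
ROW = re.compile(r"^\s*(\d+)\s+(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) UTC\s+"
                 r"(\d+(?:\.\d+)?)W\s+(\d+(?:\.\d+)?)V\s*$")


def parse_telemetry(output):
    """Return records oldest-first as (timestamp, watts, volts). The CLI prints
    them newest-first (record 1 is the most recent), so they are re-sorted."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%m-%d-%Y %H:%M:%S")
            rows.append((ts, float(m.group(3)), float(m.group(4))))
    rows.sort(key=lambda r: r[0])
    return rows


def find_anomalies(records, max_power, interval_minutes, step_watts=5.0):
    """Walk the history in time order and return (kind, timestamp, detail) tuples:
    'over-limit' when a reading exceeds the configured maximum-power,
    'gap' when two samples are more than two intervals apart (logging stopped,
    for example after telemetries was disabled), and 'step' when the draw changes
    by at least step_watts between samples (a different device on the port)."""
    findings = []
    expected = timedelta(minutes=interval_minutes)
    prev = None
    for ts, watts, volts in records:
        if watts > max_power:
            findings.append(("over-limit", ts, watts))
        if prev is not None:
            prev_ts, prev_watts, _ = prev
            # Twice the interval tolerates the one-second jitter seen in the sample.
            if ts - prev_ts > expected * 2:
                findings.append(("gap", ts, (ts - prev_ts).total_seconds() / 60))
            if abs(watts - prev_watts) >= step_watts:
                findings.append(("step", ts, round(watts - prev_watts, 2)))
        prev = (ts, watts, volts)
    return findings


if __name__ == "__main__":
    history = parse_telemetry(TELEMETRY_OUTPUT)
    for kind, ts, detail in find_anomalies(history, max_power=15.4, interval_minutes=1):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind}: {detail}")
```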

Part 16

MPLS

Understanding JUNOS MPLS on page 1503

Example of JUNOS MPLS Configuration on page 1511

Configuring JUNOS MPLS on page 1527

Verifying MPLS on page 1539

Configuration Statements for MPLS on page 1543

Operational Mode Commands for MPLS on page 1559


Chapter 81

Understanding JUNOS MPLS

JUNOS MPLS for EX Series Switches Overview on page 1503

Understanding JUNOS MPLS Components for EX Series Switches on page 1506

Understanding MPLS and Path Protection on EX Series Switches on page 1510

JUNOS MPLS for EX Series Switches Overview


JUNOS MPLS for Juniper Networks EX Series Ethernet Switches supports Layer 2
protocols and Layer 2 virtual private networks (VPNs). You can configure MPLS on
your switches to increase transport efficiency in your network. MPLS services can
be used to connect various sites to a backbone network or to ensure better
performance for low-latency applications such as VoIP and other business-critical
functions.
JUNOS MPLS for EX Series switches supports RSVP-based label switched paths (LSPs)
and MPLS-based circuit cross-connects (CCCs).

NOTE: MPLS configurations on EX Series switches are compatible with configurations on other Juniper Networks devices that support MPLS and CCC.

Benefits of MPLS on page 1503

Additional Benefits of MPLS and Traffic Engineering on page 1504

MPLS Label Switched Paths and MPLS Labels on EX Series Switches on page 1504

MPLS Label Operations on EX Series Switches on page 1505

Benefits of MPLS
MPLS has the following advantages over conventional packet forwarding:

Packets arriving on different ports may be assigned different labels.

A packet arriving at a particular provider edge switch may be assigned a different label than the same packet entering the network at a different provider edge switch. As a result, forwarding decisions that depend on the ingress provider edge switch can be easily made.

Sometimes it is desirable to force a packet to follow a particular route that is explicitly chosen at or before the time the packet enters the network, rather than being chosen by the normal dynamic routing algorithm as the packet travels through the network. In MPLS, a label can be used to represent the route so that the identity of the explicit route need not be carried with the packet.

NOTE: MPLS configurations on EX Series switches do not support:

LDP-based MPLS

Routed VLAN interfaces (RVIs)

Additional Benefits of MPLS and Traffic Engineering

MPLS is the packet-forwarding component of the JUNOS traffic engineering architecture. Traffic engineering provides the capabilities to do the following:

Route primary paths around known bottlenecks or points of congestion in the network.

Provide precise control over how traffic is rerouted when the primary path is faced with single or multiple failures.

Provide more efficient use of available aggregate bandwidth and long-haul fiber by ensuring that subsets of the network do not become overutilized while other subsets of the network along potential alternate paths are underutilized.

Maximize operational efficiency.

Enhance the traffic-oriented performance characteristics of the network by minimizing packet loss, minimizing prolonged periods of congestion, and maximizing throughput.

Enhance statistically bound performance characteristics of the network (such as loss ratio, delay variation, and transfer delay) required to support a multiservice Internet.

For additional information on MPLS traffic protection on EX Series switches, see Understanding MPLS and Path Protection on EX Series Switches on page 1510.

MPLS Label Switched Paths and MPLS Labels on EX Series Switches


When a packet enters the MPLS network, it is assigned to a label switched path (LSP).
Each LSP is identified by a label, which is a short (20-bit), fixed-length value at the
front of the packet. Labels are used as lookup indexes for the label forwarding table.
For each label, this table stores forwarding information. Because no additional parsing
or lookup is done on the encapsulated packet, MPLS supports the transmission of
any other protocols within the packet payload.

NOTE: MPLS for EX Series switches supports only single-label packets.


MPLS Label Operations on EX Series Switches


In the traditional packet-forwarding paradigm, as a packet travels from one switch
to the next, an independent forwarding decision is made at each hop. The IP network
header is analyzed and the next hop is chosen based on this analysis and on the
information in the routing table. In an MPLS environment, the analysis of the packet
header is made only once, when a packet enters the MPLS tunnel (that is, the path
used for MPLS traffic).
When an IP packet enters an LSP, the ingress provider edge switch examines the packet and assigns it a label based on its destination, placing the label in the packet's header. The label transforms the packet from one that is forwarded based on its IP routing information to one that is forwarded based on information associated with the label. The packet is then forwarded to the next provider switch in the LSP. This switch and all subsequent switches in the LSP do not examine any of the IP routing information in the labeled packet. Rather, they use the label to look up information in their label forwarding table. They then replace the old label with a new label and forward the packet to the next switch in the path. When the packet reaches the egress provider edge switch, the label is removed, and the packet again becomes a native IP packet and is again forwarded based on its IP routing information.
EX Series switches support the following label operations:

Push

Pop

Swap

The push operation affixes a new label to the top of the IP packet. For IPv4 packets,
the new label is the first label. The time to live (TTL) field value in the packet header
is derived from the IP packet header. The push operation cannot be applied to a
packet that has an existing MPLS label.
The pop operation removes a label from the beginning of the packet. Once the label is removed, the TTL is copied from the label into the IP packet header, and the underlying IP packet is forwarded as a native IP packet.
The swap operation removes an existing MPLS label from an IP packet and replaces
it with a new MPLS label, based on the following:

Incoming interface

Label

Label forwarding table

Figure 78 on page 1506 shows an IP packet without a label arriving on the customer-edge interface (ge-0/0/1) of the provider edge ingress switch. The provider edge ingress switch examines the packet and identifies that the packet's destination is the provider edge egress switch. The provider edge ingress switch applies label 100 to the packet and sends the MPLS packet to its outgoing MPLS core interface (ge-0/0/5). The MPLS packet is transmitted on the MPLS tunnel through the provider switch, where it arrives at interface ge-0/0/5 with label 100. The provider switch swaps label 100 to label 200 and forwards the MPLS packet through its core interface (ge-0/0/7) to the next hop on the tunnel, which is the provider edge egress switch. The provider edge egress switch receives the MPLS packet through its core interface (ge-0/0/7), removes the MPLS label, and sends the IP packet out of its customer-edge interface (ge-0/0/1) to a destination that is beyond the scope of the tunnel.
Figure 78: MPLS Label Swapping

Figure 78 on page 1506 shows the path of a packet as it passes in one direction from
the provider edge ingress switch to the provider edge egress switch. However, the
MPLS configuration also allows traffic to travel in the reverse direction. Thus, each
provider edge switch operates as both an ingress switch and an egress switch.
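The push, swap and pop operations and the Figure 78 walk-through above, as an added Python model that is not Juniper code: an ingress PE pushes label 100, the P switch swaps it for 200, and the egress PE pops it, with the single-label limit and the TTL handling the text describes. The switch names, the per-switch tables, and the TTL decrement at the transit hop are assumptions of the model (the page does not say whether the P switch decrements).

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    dst: str
    ttl: int                         # IP header TTL
    label: Optional[int] = None      # the single MPLS label, or None when native IP
    label_ttl: int = 0


@dataclass
class Switch:
    name: str
    # Label forwarding table keyed by (incoming interface, label):
    # value is (operation, new label or None, outgoing interface).
    lft: dict = field(default_factory=dict)
    # Ingress FEC table: destination -> (label, outgoing interface).
    fec: dict = field(default_factory=dict)


def push(pkt, label):
    """Affix a label to a native IP packet; refused on a labelled packet because
    EX Series switches handle single-label packets only."""
    if pkt.label is not None:
        raise ValueError("push on an already-labelled packet (single label only)")
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    pkt.label = label
    pkt.label_ttl = pkt.ttl          # label TTL derived from the IP header
    return pkt


def swap(pkt, new_label):
    """Replace the label at a transit (provider) switch."""
    if pkt.label is None:
        raise ValueError("swap on an unlabelled packet")
    pkt.label = new_label
    pkt.label_ttl -= 1               # assumption: one hop consumed in the tunnel
    return pkt


def pop(pkt):
    """Remove the label at the egress PE; the TTL goes back into the IP header."""
    if pkt.label is None:
        raise ValueError("pop on an unlabelled packet")
    pkt.ttl = pkt.label_ttl
    pkt.label = None
    return pkt


def forward(sw, pkt, in_if):
    """Apply the switch's operation and return the outgoing interface."""
    if pkt.label is None:            # native IP: only an ingress PE can act
        label, out_if = sw.fec[pkt.dst]
        push(pkt, label)
        return out_if
    op, new_label, out_if = sw.lft[(in_if, pkt.label)]
    if op == "swap":
        swap(pkt, new_label)
    elif op == "pop":
        pop(pkt)
    else:
        raise ValueError(f"unknown operation {op}")
    return out_if


def build_figure78():
    """The three switches of Figure 78 with the interfaces and labels it shows."""
    ingress = Switch("PE-ingress", fec={"PE-egress": (100, "ge-0/0/5")})
    provider = Switch("P", lft={("ge-0/0/5", 100): ("swap", 200, "ge-0/0/7")})
    egress = Switch("PE-egress", lft={("ge-0/0/7", 200): ("pop", None, "ge-0/0/1")})
    return ingress, provider, egress


def run_path(ttl=64):
    """Walk one packet ingress -> P -> egress; return it and a (switch, label, out_if) trace."""
    ingress, provider, egress = build_figure78()
    pkt = Packet(dst="PE-egress", ttl=ttl)
    trace = []
    out_if = forward(ingress, pkt, "ge-0/0/1")
    trace.append((ingress.name, pkt.label, out_if))
    out_if = forward(provider, pkt, out_if)
    trace.append((provider.name, pkt.label, out_if))
    out_if = forward(egress, pkt, out_if)
    trace.append((egress.name, pkt.label, out_if))
    return pkt, trace


if __name__ == "__main__":
    pkt, trace = run_path()
    for name, label, out_if in trace:
        print(f"{name}: label={label} -> {out_if}")
    print("delivered native IP packet with TTL", pkt.ttl)
```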
Related Topics

Understanding JUNOS MPLS Components for EX Series Switches on page 1506

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

JUNOS Software VPNs Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

Understanding JUNOS MPLS Components for EX Series Switches


JUNOS MPLS for Juniper Networks EX Series Ethernet Switches supports Layer 2
protocols and Layer 2 virtual private networks (VPNs). You can configure MPLS on
your switches to increase transport efficiency in your network. MPLS services can
be used to connect various sites to a backbone network or to ensure better
performance for low-latency applications such as VoIP and other business-critical
functions.


Provider Edge Switches on page 1507

Provider Switch on page 1508

Components Required for All Switches in the MPLS Network on page 1508

Family MPLS on page 1509


Provider Edge Switches


To implement MPLS on EX Series switches, you must configure two provider edge switches, that is, an ingress provider edge switch and an egress provider edge switch.
The ingress switch (the entry point to the MPLS tunnel) receives an IP packet, analyzes
it, and pushes an MPLS label onto it, which places it into a forwarding equivalence
class (FEC) and determines its handling and destination through the MPLS tunnel.
The egress provider edge switch (the exit point from the MPLS tunnel) pops the MPLS
label off of the outgoing packet.
MPLS traffic is bidirectional. So each provider edge switch is both an ingress switch
and an egress switch, depending on the direction of the traffic.
EX Series switches can handle only single-label MPLS packets. If the packet has an
existing MPLS label, the provider edge switch removes the label and swaps it for
another MPLS label.

MPLS Protocol and Label Switched Paths


Each provider edge switch must be configured to support the MPLS protocol, and
the MPLS stanza must include the configuration of a label switched path (LSP) that
specifies the address of the remote provider edge switch.
JUNOS MPLS for EX Series switches supports RSVP-based LSPs.

Circuit Cross-Connect
You must configure the customer-edge interfaces of the provider edge switches as
a circuit cross-connect (CCC), creating a transparent connection between two circuits.
When you configure an interface as a CCC, the interface no longer belongs to a default
VLAN. The interface becomes an MPLS tunnel, used exclusively for MPLS packets.
You can create different CCCs for different customers or for segregating different
traffic streams over different MPLS tunnels.
Using CCC, you can connect the following types of circuits:

Local interface with remote interface or VLAN

Local VLAN with remote interface or VLAN

NOTE: To configure a VLAN circuit as a CCC, you must enable VLAN tagging and
specify a VLAN ID.
MPLS on EX Series switches does not support the following types of CCC
configurations:

Aggregated Ethernet interface (LAG)

Q-in-Q tunneling


Routed VLAN interface (RVI)

Beginning and end of the CCC on the same switch

Provider Switch
You must configure one or more provider switches as transit switches within the
network to support the forwarding of MPLS packets. You can add provider switches
without changing the configuration of the provider edge switches.
A provider switch does not analyze the packets. It refers to an MPLS label forwarding
table and swaps one label for another. The new label determines the next hop along
the MPLS tunnel. A provider switch cannot perform the push or pop operations.

Components Required for All Switches in the MPLS Network


You must configure the following components on both the provider edge and the
provider switches:

OSPF or IS-IS as a Routing Protocol on page 1508

Traffic Engineering on page 1508

MPLS Protocol on page 1509

RSVP on page 1509

OSPF or IS-IS as a Routing Protocol


MPLS works in coordination with the interior gateway protocol (IGP). Therefore, you
must configure either OSPF or IS-IS as a routing protocol on the loopback interface
and core interfaces of both the provider edge and provider switches.
These core interfaces can be either Gigabit Ethernet or 10-Gigabit Ethernet interfaces,
and they can be configured as either individual interfaces or aggregated Ethernet
interfaces.

NOTE: These core interfaces cannot be configured with VLAN tagging or a VLAN ID.
When you configure them to belong to family mpls, they are removed from the default
VLAN. They operate as an exclusive tunnel for MPLS traffic.

Traffic Engineering
Traffic engineering maps traffic flows onto an existing physical topology and provides
the ability to move traffic flow away from the shortest path selected by the IGP and
onto a potentially less congested physical path across a network.
Traffic engineering enables the selection of specific end-to-end paths to send given
types of traffic through your network. In order for MPLS to work properly, you must
enable traffic engineering for the specified routing protocol (either OSPF or IS-IS).


MPLS Protocol
You must enable the MPLS protocol on all switches that participate in the MPLS
network and apply it to the core interface addresses of both the provider edge and
provider switches. You do not need to apply it to the loopback address, because the
MPLS protocol uses the framework established by the RSVP session to create LSPs.
On the provider edge switches, the configuration of the MPLS protocol must also
include the definition of an LSP.

RSVP
Resource Reservation Protocol (RSVP) is a signaling protocol that allocates and
distributes labels throughout an MPLS network. RSVP sets up unidirectional paths
between the ingress provider edge switch and the egress provider edge switch. RSVP
makes the LSPs dynamic; it can detect topology changes and outages and establish
new LSPs to move around a failure.
You must enable RSVP and apply it to the loopback address and the core interface
addresses of both the provider edge and provider switches. The path message contains
the configured information about the resources required for the LSP to be established.
When the egress switch receives the path message, it sends a reservation message
back to the ingress switch. This reservation message is passed along from switch to
switch along the same path as the original path message. Once the ingress switch
receives this reservation message, an RSVP path is established.
The established LSP stays active as long as the RSVP session remains active. RSVP
continues activity through the transmissions and responses to RSVP path and
reservation messages. If the messages stop for three minutes, the RSVP session
terminates and the LSP is lost.
RSVP runs as a separate software process in the Juniper Networks JUNOS Software
and is not in the packet forwarding path.
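The Path and Resv exchange described in this section, together with the push, swap and pop operations described under Provider Switch, as an added toy model. This is not code from the guide or from JUNOS: it signals an LSP hop by hop, lets the egress switch and each transit switch allocate a label from its own label space, hands that label upstream in the Resv message, and tears the LSP down when the soft state goes unrefreshed for longer than the three minutes the text mentions. Switch names and loopback addresses are the ones used in the configuration example later in this chapter; the label numbers are constructed values.

```python
"""Toy model of RSVP-TE label distribution along an LSP (added example, not JUNOS code)."""
from dataclasses import dataclass, field

SESSION_TIMEOUT = 180   # seconds; the guide says the session ends when RSVP messages stop for three minutes
FIRST_LABEL = 299776    # constructed starting label, chosen to resemble the 2997xx labels in the guide's output


@dataclass
class Switch:
    name: str
    loopback: str
    next_label: int = FIRST_LABEL
    # incoming label (or, on the ingress PE, the LSP name) -> (operation, outgoing label, next-hop switch)
    mpls_table: dict = field(default_factory=dict)
    last_refresh: dict = field(default_factory=dict)  # LSP name -> time of the last RSVP message seen

    def allocate_label(self) -> int:
        """Each switch hands out labels from its own, independent label space."""
        label, self.next_label = self.next_label, self.next_label + 16
        return label


class RsvpNetwork:
    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}
        self.lsps = {}  # LSP name -> {"path": [...], "labels": {switch: in-label}, "up": bool}

    def signal(self, lsp, path, now):
        """Path message travels ingress -> egress; the Resv message carries labels back upstream."""
        for hop in path:  # the Path message installs soft state on every switch it crosses
            self.switches[hop].last_refresh[lsp] = now
        labels, downstream = {}, None
        for i in range(len(path) - 1, -1, -1):  # Resv is processed at the egress first, then upstream
            sw = self.switches[path[i]]
            if i == len(path) - 1:  # egress PE allocates a label and will pop it
                labels[sw.name] = sw.allocate_label()
                sw.mpls_table[labels[sw.name]] = ("pop", None, None)
            elif i == 0:  # ingress PE pushes the label its downstream neighbour advertised
                sw.mpls_table[lsp] = ("push", downstream, path[1])
            else:  # provider switch swaps its own incoming label for the downstream one
                labels[sw.name] = sw.allocate_label()
                sw.mpls_table[labels[sw.name]] = ("swap", downstream, path[i + 1])
            downstream = labels.get(sw.name)
        self.lsps[lsp] = {"path": list(path), "labels": labels, "up": True}
        return labels

    def refresh(self, lsp, now):
        """Periodic Path/Resv refreshes keep the soft state alive on every hop."""
        for hop in self.lsps[lsp]["path"]:
            self.switches[hop].last_refresh[lsp] = now

    def expire(self, now):
        """Tear down every LSP whose state has gone unrefreshed for longer than SESSION_TIMEOUT."""
        torn_down = []
        for name, info in self.lsps.items():
            if not info["up"]:
                continue
            if any(now - self.switches[h].last_refresh[name] > SESSION_TIMEOUT for h in info["path"]):
                info["up"] = False
                self.switches[info["path"][0]].mpls_table.pop(name, None)
                for sw_name, label in info["labels"].items():
                    self.switches[sw_name].mpls_table.pop(label, None)
                torn_down.append(name)
        return torn_down

    def forward(self, lsp):
        """Trace a frame from the ingress CCC through the tunnel; None if the LSP is down."""
        info = self.lsps[lsp]
        if not info["up"]:
            return None
        op, label, nxt = self.switches[info["path"][0]].mpls_table[lsp]
        trace = [(info["path"][0], op, label)]
        while op != "pop":
            op, out, nxt_hop = self.switches[nxt].mpls_table[label]
            trace.append((nxt, op, label if op == "pop" else out))
            label, nxt = out, nxt_hop
        return trace


def build_guide_topology():
    """PE-1, P and PE-2 with the loopbacks from the guide's example and one LSP in each direction."""
    net = RsvpNetwork([Switch("PE-1", "127.1.1.1"), Switch("P", "127.1.1.2"), Switch("PE-2", "127.1.1.3")])
    net.signal("lsp_to_pe2_ge1", ["PE-1", "P", "PE-2"], now=0)
    net.signal("lsp_to_pe1_ge1", ["PE-2", "P", "PE-1"], now=0)
    return net


if __name__ == "__main__":
    net = build_guide_topology()
    for sw in net.switches.values():
        print(sw.name, sw.loopback, sw.mpls_table)
    for name in net.lsps:
        print(name, net.forward(name))
    net.refresh("lsp_to_pe2_ge1", now=100)
    print("torn down at t=200:", net.expire(now=200))
```

Because each switch allocates from its own label space, the same numeric label can legitimately appear on different switches; what matters is the per-switch table entry, which is exactly what the show route forwarding-table family mpls output in the verification section of the configuration example displays.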

Family MPLS
You must also configure the core interface addresses used for MPLS traffic to belong
to family mpls.

NOTE: You can enable family mpls on either individual interfaces or aggregated
Ethernet interfaces. You cannot enable it on tagged VLAN interfaces.
Related Topics

JUNOS MPLS for EX Series Switches Overview on page 1503

Understanding MPLS and Path Protection on EX Series Switches on page 1510

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

JUNOS Software VPNs Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

Understanding MPLS and Path Protection on EX Series Switches


JUNOS MPLS for Juniper Networks EX Series Ethernet Switches provides path
protection to protect your MPLS network from label switched path (LSP) failures.
By default, an LSP routes itself hop-by-hop from the ingress provider edge switch
through the provider switches toward the egress provider edge switch. The LSP
generally follows the shortest path as dictated by the local routing table, usually taking
the same path as destination-based, best-effort traffic. These paths are soft in nature
because they automatically reroute themselves whenever a change occurs in a routing
table or in the status of a node or link.
Typically, when an LSP fails, the switch immediately upstream from the failure signals
the outage to the ingress provider edge switch. The ingress provider edge switch
calculates a new path to the egress provider edge switch, establishes the new LSP,
and then directs traffic from the failed path to the new path. This rerouting process
can be time-consuming and prone to failure. For example, the outage signals to the
ingress switch might get lost or the new path might take too long to come up, resulting
in significant packet drops.
You can configure path protection by configuring primary and secondary paths on
the ingress switch. If the primary path fails, the ingress switch immediately reroutes
traffic from the failed path to the standby path, eliminating the need for the ingress
switch to calculate a new route and signal a new path. For information about
configuring standby LSPs, see Configuring Path Protection in an MPLS Network (CLI
Procedure) on page 1527.
Related Topics

JUNOS MPLS for EX Series Switches Overview on page 1503

Understanding JUNOS MPLS Components for EX Series Switches on page 1506

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

Chapter 82

Example of JUNOS MPLS Configuration

Example: Configuring MPLS on EX Series Switches on page 1511

Example: Configuring MPLS on EX Series Switches


You can configure MPLS on your switches to increase transport efficiency in your
network. MPLS services can be used to connect various sites to a backbone network
or to ensure better performance for low-latency applications such as VoIP and other
business-critical functions.
This example shows how to configure an MPLS tunnel:

Requirements on page 1511

Overview and Topology on page 1512

Configuring the Local Provider Edge Switch on page 1515

Configuring the Remote Provider Edge Switch on page 1518

Configuring the Provider Switch on page 1521

Verification on page 1523

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.5 or later for EX Series switches

Three EX Series switches

Before you begin configuring MPLS, ensure that you have configured either the OSPF
or IS-IS routing protocol on the switches. This example includes the configuration of
OSPF on the switches.


Overview and Topology


You can configure MPLS on your switches to increase transport efficiency in your
network. This example includes an ingress or local provider edge switch, an egress
or remote provider edge switch, and one provider (transit) switch. It includes CCCs
that tie the customer-edge interface of the local provider edge switch (PE-1) to the
customer-edge interface of the remote provider edge switch (PE-2). It also describes
how to configure the core interfaces of the provider edge switches and the provider
switch to support the transmission of the MPLS packets. In this example, the core
interfaces that connect the local provider edge switch and the provider switch are
individual interfaces; whereas the core interfaces that connect the remote provider
edge switch and the provider switch are aggregated Ethernet interfaces.

NOTE: You do not need to create a LAG for an MPLS connection. This example
includes a LAG between the provider switch and the remote provider edge switch,
because this type of configuration is another option that you may wish to implement.
For information on configuring LAGs, see Configuring Aggregated Ethernet Interfaces
(CLI Procedure) on page 386.
Figure 79 on page 1512 shows the topology used in this example.
Figure 79: Configuring MPLS on EX Series Switches

Table 207 on page 1513 shows the MPLS configuration components used for the ingress
provider edge switch in this example.


Table 207: Components of the Ingress PE Switch in Topology for MPLS with Interface-Based CCC

Property | Settings | Description
Local provider edge switch hardware | EX Series switch | PE-1
Loopback address | lo0 127.1.1.1/32 | Identifies PE-1 for interswitch communications.
Routing protocol | ospf traffic-engineering | Indicates that this switch is using OSPF as the routing protocol and that traffic engineering is enabled.
MPLS protocol and definition of label switched path | mpls label-switched-path lsp_to_pe2_ge1 to 127.1.1.3 | Indicates that this provider edge switch is using the MPLS protocol with the specified label switched path (LSP) to reach the other provider edge switch (specified by the loopback address). The statement must also specify the core interfaces to be used for MPLS traffic.
RSVP protocol | rsvp | Indicates that this switch is using the RSVP protocol. The statement must specify the loopback address and the core interfaces that are going to be used for the RSVP session.
Interface family | family inet, family mpls | The logical units of the core interfaces are configured to belong to both family inet and family mpls.
Interface family | family ccc | The logical unit of the customer edge interface is configured to belong to family ccc.
Customer-edge interface | ge-0/0/1 | Interface that connects this network to devices outside the network.
Core interfaces | ge-0/0/5.0 and ge-0/0/6.0 with IP addresses 10.1.5.1/24 and 10.1.6.1/24 | Interfaces that connect to other switches within the MPLS network.
CCC definition | connections remote-interface-switch ge-1-to-pe2 interface ge-0/0/1.0 transmit-lsp lsp_to_pe2_ge1 receive-lsp lsp_to_pe1_ge1 | Associates the circuit cross-connect (CCC), ge-0/0/1, with the LSPs that have been defined on the local and remote provider edge switches.

Table 208 on page 1514 shows the MPLS configuration components used for the egress
provider edge switch in this example.
Table 208: Components of the Egress PE Switch in Topology for MPLS with Interface-Based CCC

Property | Settings | Description
Remote provider edge switch hardware | EX Series switch | PE-2
Loopback address | lo0 127.1.1.3/32 | Identifies PE-2 for interswitch communications.
Routing protocol | ospf traffic-engineering | Indicates that this switch is using OSPF as the routing protocol and that traffic engineering is enabled.
MPLS protocol and definition of label-switched path | mpls label-switched-path lsp_to_pe1_ge1 to 127.1.1.1 | Indicates that this provider edge switch is using the MPLS protocol with the specified label switched path (LSP) to reach the other PE switch. The statement must also specify the core interfaces to be used for MPLS traffic.
RSVP protocol | rsvp | Indicates that this switch is using the RSVP protocol. The statement must specify the loopback address and the core interfaces that are going to be used for the RSVP session.
Interface family | family inet, family mpls | The logical unit of the core interface is configured to belong to both family inet and family mpls.
Interface family | family ccc | The logical unit of the customer edge interface is configured to belong to family ccc.
Customer-edge interface | ge-0/0/1 | Interface that connects this network to devices outside the network.
Core interface | ae0 with IP address 10.1.9.2/24 | Aggregated Ethernet interface on PE-2 that connects to aggregated Ethernet interface ae0 of the provider switch and belongs to family mpls.
CCC definition | connections remote-interface-switch ge-1-to-pe1 interface ge-0/0/1.0 transmit-lsp lsp_to_pe1_ge1 receive-lsp lsp_to_pe2_ge1 | Associates the circuit cross-connect (CCC), ge-0/0/1, with the LSPs that have been defined on the local and remote provider edge switches.

Table 209 on page 1515 shows the MPLS configuration components used for the
provider switch in this example.
Table 209: Components of the Provider Switch in Topology for MPLS with Interface-Based CCC

Property | Settings | Description
Provider switch hardware | EX Series switch | Transit switch within the MPLS network configuration.
Loopback address | lo0 127.1.1.2/32 | Identifies the provider switch for interswitch communications.
Routing protocol | ospf traffic-engineering | Indicates that this switch is using OSPF as the routing protocol and that traffic engineering is enabled.
MPLS protocol | mpls | Indicates that this switch is using the MPLS protocol. The statement must specify the core interfaces that are going to be used for MPLS traffic.
RSVP protocol | rsvp | Indicates that this switch is using the RSVP protocol. The statement must specify the loopback address and the core interfaces that are going to be used for the RSVP session.
Interface family | family inet | The logical units for the loopback address and core interfaces belong to family inet.
Interface family | family mpls | The logical units of the core interfaces are also configured to belong to family mpls.
Core interfaces | ge-0/0/5.0 and ge-0/0/6.0 with IP addresses 10.1.5.1/24 and 10.1.6.1/24, and ae0 with IP address 10.1.9.1/24 | ge-0/0/5.0 and ge-0/0/6.0 connect P to PE-1; ae0 is the aggregated Ethernet interface on P that connects to aggregated Ethernet interface ae0 of PE-2.

Configuring the Local Provider Edge Switch


CLI Quick Configuration

To quickly configure the local provider edge switch, copy the following commands
and paste them into the switch terminal window of PE-1:
[edit]
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/5.0
set protocols ospf area 0.0.0.0 interface ge-0/0/6.0
set protocols mpls label-switched-path lsp_to_pe2_ge1 to 127.1.1.3
set protocols mpls interface ge-0/0/5.0
set protocols mpls interface ge-0/0/6.0
set protocols rsvp interface lo0.0
set protocols rsvp interface ge-0/0/5.0
set protocols rsvp interface ge-0/0/6.0
set interfaces lo0 unit 0 family inet address 127.1.1.1/32
set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24
set interfaces ge-0/0/5 unit 0 family mpls
set interfaces ge-0/0/6 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 family ccc
set protocols connections remote-interface-switch ge-1-to-pe2 interface ge-0/0/1.0
set protocols connections remote-interface-switch ge-1-to-pe2 transmit-lsp lsp_to_pe2_ge1
set protocols connections remote-interface-switch ge-1-to-pe2 receive-lsp lsp_to_pe1_ge1

Step-by-Step Procedure

To configure the ingress provider edge switch:

1. Configure OSPF with traffic engineering enabled:

[edit protocols]
user@switchPE-1# set ospf traffic-engineering

2. Configure OSPF on the loopback address and core interfaces:

[edit protocols]
user@switchPE-1# set ospf area 0.0.0.0 interface lo0.0
user@switchPE-1# set ospf area 0.0.0.0 interface ge-0/0/5.0
user@switchPE-1# set ospf area 0.0.0.0 interface ge-0/0/6.0

3. Configure MPLS on the switch with a label switched path to the remote provider
edge switch:

[edit protocols]
user@switchPE-1# set mpls label-switched-path lsp_to_pe2_ge1 to 127.1.1.3

4. Configure MPLS on the core interfaces:

[edit protocols]
user@switchPE-1# set mpls interface ge-0/0/5.0
user@switchPE-1# set mpls interface ge-0/0/6.0

5. Configure RSVP on the loopback address and core interfaces:

[edit protocols]
user@switchPE-1# set rsvp interface lo0.0
user@switchPE-1# set rsvp interface ge-0/0/5.0
user@switchPE-1# set rsvp interface ge-0/0/6.0

6. Configure IP addresses for the loopback and core interfaces:

[edit]
user@switchPE-1# set interfaces lo0 unit 0 family inet address 127.1.1.1/32
user@switchPE-1# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24
user@switchPE-1# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24

7. Configure family mpls on the logical unit of the core interface addresses:

[edit]
user@switchPE-1# set interfaces ge-0/0/5 unit 0 family mpls
user@switchPE-1# set interfaces ge-0/0/6 unit 0 family mpls

8. Configure the logical unit of the customer-edge interface as a CCC:

[edit interfaces ge-0/0/1 unit 0]
user@switchPE-1# set family ccc

9. Configure the interface-based CCC from PE-1 to PE-2:

NOTE: You can also configure a tagged VLAN interface as a CCC. See Configuring
MPLS on Provider Edge Switches (CLI Procedure) on page 1530.

[edit protocols]
user@switchPE-1# set connections remote-interface-switch ge-1-to-pe2 interface ge-0/0/1.0
user@switchPE-1# set connections remote-interface-switch ge-1-to-pe2 transmit-lsp lsp_to_pe2_ge1
user@switchPE-1# set connections remote-interface-switch ge-1-to-pe2 receive-lsp lsp_to_pe1_ge1

Results

Display the results of the configuration:


user@switchPE-1> show configuration
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ccc;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.1.5.1/24;
            }
            family mpls;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 10.1.6.1/24;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.1.1.1/32;
            }
        }
    }
}
protocols {
    rsvp {
        interface lo0.0;
        interface ge-0/0/5.0;
        interface ge-0/0/6.0;
    }
    mpls {
        label-switched-path lsp_to_pe2_ge1 {
            to 127.1.1.3;
        }
        interface ge-0/0/5.0;
        interface ge-0/0/6.0;
    }
    ospf {
        traffic-engineering;
        area 0.0.0.0 {
            interface lo0.0;
            interface ge-0/0/5.0;
            interface ge-0/0/6.0;
        }
    }
    connections {
        remote-interface-switch ge-1-to-pe2 {
            interface ge-0/0/1.0;
            transmit-lsp lsp_to_pe2_ge1;
            receive-lsp lsp_to_pe1_ge1;
        }
    }
}

Configuring the Remote Provider Edge Switch


CLI Quick Configuration

To quickly configure the remote provider edge switch, copy the following commands
and paste them into the switch terminal window of PE-2:
[edit]
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ae0
set protocols mpls label-switched-path lsp_to_pe1_ge1 to 127.1.1.1
set protocols mpls interface ae0
set protocols rsvp interface lo0.0
set protocols rsvp interface ae0
set interfaces lo0 unit 0 family inet address 127.1.1.3/32
set interfaces ae0 unit 0 family inet address 10.1.9.2/24
set interfaces ae0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 family ccc
set protocols connections remote-interface-switch ge-1-to-pe1 interface ge-0/0/1.0
set protocols connections remote-interface-switch ge-1-to-pe1 transmit-lsp lsp_to_pe1_ge1
set protocols connections remote-interface-switch ge-1-to-pe1 receive-lsp lsp_to_pe2_ge1

Step-by-Step Procedure

To configure PE-2:

1. Configure OSPF with traffic engineering enabled:

[edit protocols]
user@switchPE-2# set ospf traffic-engineering

2. Configure OSPF on the loopback address and core interface of PE-2:

[edit protocols]
user@switchPE-2# set ospf area 0.0.0.0 interface lo0.0
user@switchPE-2# set ospf area 0.0.0.0 interface ae0

3. Configure MPLS on the switch with a label switched path to the remote provider
edge switch:

[edit protocols]
user@switchPE-2# set mpls label-switched-path lsp_to_pe1_ge1 to 127.1.1.1

4. Configure MPLS on the core interface:

[edit protocols]
user@switchPE-2# set mpls interface ae0

5. Configure RSVP on the loopback address and core interface of PE-2:

[edit protocols]
user@switchPE-2# set rsvp interface lo0.0
user@switchPE-2# set rsvp interface ae0

6. Configure IP addresses for the loopback and core interfaces:

[edit]
user@switchPE-2# set interfaces lo0 unit 0 family inet address 127.1.1.3/32
user@switchPE-2# set interfaces ae0 unit 0 family inet address 10.1.9.2/24

7. Configure family mpls on the logical unit of the core interface address of PE-2:

[edit]
user@switchPE-2# set interfaces ae0 unit 0 family mpls

8. Configure the logical unit of the customer-edge interface as a CCC:

[edit interfaces ge-0/0/1 unit 0]
user@switchPE-2# set family ccc

9. Configure the interface-based CCC from PE-2 to PE-1:

[edit protocols]
user@switchPE-2# set connections remote-interface-switch ge-1-to-pe1 interface ge-0/0/1.0
user@switchPE-2# set connections remote-interface-switch ge-1-to-pe1 transmit-lsp lsp_to_pe1_ge1
user@switchPE-2# set connections remote-interface-switch ge-1-to-pe1 receive-lsp lsp_to_pe2_ge1

Results

Display the results of the configuration:


user@switchPE-2> show configuration
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ccc;
        }
    }
    ae0 {
        unit 0 {
            family inet {
                address 10.1.9.2/24;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.1.1.3/32;
            }
        }
    }
}
protocols {
    rsvp {
        interface lo0.0;
        interface ae0.0;
    }
    mpls {
        label-switched-path lsp_to_pe1_ge1 {
            to 127.1.1.1;
        }
        interface ae0.0;
    }
    ospf {
        traffic-engineering;
        area 0.0.0.0 {
            interface lo0.0;
            interface ae0.0;
        }
    }
    connections {
        remote-interface-switch ge-1-to-pe1 {
            interface ge-0/0/1.0;
            transmit-lsp lsp_to_pe1_ge1;
            receive-lsp lsp_to_pe2_ge1;
        }
    }
}

Configuring the Provider Switch


CLI Quick Configuration

To quickly configure the provider switch, copy the following commands and paste
them into the switch terminal window:
[edit]
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/5.0
set protocols ospf area 0.0.0.0 interface ge-0/0/6.0
set protocols ospf area 0.0.0.0 interface ae0
set protocols mpls interface ge-0/0/5.0
set protocols mpls interface ge-0/0/6.0
set protocols mpls interface ae0
set protocols rsvp interface lo0.0
set protocols rsvp interface ge-0/0/5.0
set protocols rsvp interface ge-0/0/6.0
set protocols rsvp interface ae0
set interfaces lo0 unit 0 family inet address 127.1.1.2/32
set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24
set interfaces ae0 unit 0 family inet address 10.1.9.1/24
set interfaces ge-0/0/5 unit 0 family mpls
set interfaces ge-0/0/6 unit 0 family mpls
set interfaces ae0 unit 0 family mpls

Step-by-Step Procedure

To configure the provider switch:

1. Configure OSPF with traffic engineering enabled:

[edit protocols]
user@switchP# set ospf traffic-engineering

2. Configure OSPF on the loopback and core interfaces:

[edit protocols]
user@switchP# set ospf area 0.0.0.0 interface lo0.0
user@switchP# set ospf area 0.0.0.0 interface ge-0/0/5.0
user@switchP# set ospf area 0.0.0.0 interface ge-0/0/6.0
user@switchP# set ospf area 0.0.0.0 interface ae0

3. Configure MPLS on the core interfaces on the switch:

[edit protocols]
user@switchP# set mpls interface ge-0/0/5.0
user@switchP# set mpls interface ge-0/0/6.0
user@switchP# set mpls interface ae0

4. Configure RSVP on the loopback address and core interfaces:

[edit protocols]
user@switchP# set rsvp interface lo0.0
user@switchP# set rsvp interface ge-0/0/5.0
user@switchP# set rsvp interface ge-0/0/6.0
user@switchP# set rsvp interface ae0

5. Configure IP addresses for the loopback and core interfaces:

[edit]
user@switchP# set interfaces lo0 unit 0 family inet address 127.1.1.2/32
user@switchP# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24
user@switchP# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24
user@switchP# set interfaces ae0 unit 0 family inet address 10.1.9.1/24

6. Configure family mpls on the logical unit of the core interface addresses:

[edit]
user@switchP# set interfaces ge-0/0/5 unit 0 family mpls
user@switchP# set interfaces ge-0/0/6 unit 0 family mpls
user@switchP# set interfaces ae0 unit 0 family mpls

Results

Display the results of the configuration:


user@switchP> show configuration
interfaces {
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.1.5.1/24;
            }
            family mpls;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 10.1.6.1/24;
            }
            family mpls;
        }
    }
    ae0 {
        unit 0 {
            family inet {
                address 10.1.9.1/24;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.1.1.2/32;
            }
        }
    }
}
protocols {
    rsvp {
        interface lo0.0;
        interface ge-0/0/5.0;
        interface ge-0/0/6.0;
        interface ae0.0;
    }
    mpls {
        interface ge-0/0/5.0;
        interface ge-0/0/6.0;
        interface ae0.0;
    }
    ospf {
        traffic-engineering;
        area 0.0.0.0 {
            interface lo0.0;
            interface ge-0/0/5.0;
            interface ge-0/0/6.0;
            interface ae0.0;
        }
    }
}
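The three CLI Quick Configuration blocks above are built by hand, and the two provider edge switches have to agree with each other: the LSP on each PE must point at the other PE's loopback, and the transmit-lsp on one PE must be the receive-lsp on the other. The following added example (not code from the guide or from JUNOS) generates the set commands for all three switches from a small topology description in the guide's pattern and then runs those cross-checks, plus a per-switch check that every interface listed under protocols mpls also carries family mpls and appears under rsvp and ospf, and a check that no inet address is configured on two switches. The helper names (pe_commands, p_commands, check_switch, check_pe_pair, check_addresses, audit) and the topology dictionaries are this example's own. PE-1 and PE-2 use the values from Tables 207 and 208; the provider switch's addresses 10.1.5.2/24 and 10.1.6.2/24 on ge-0/0/5 and ge-0/0/6 are assumed values for the far ends of the links to PE-1.

```python
"""Generate and cross-check JUNOS set commands for the PE/P MPLS example (added example)."""

# Topology for the guide's example. PE-1 and PE-2 follow Tables 207 and 208; the
# provider switch's ge-0/0/5 and ge-0/0/6 addresses are assumed far-end values.
PE1 = {"name": "PE-1", "loopback": "127.1.1.1/32",
       "core": {"ge-0/0/5": "10.1.5.1/24", "ge-0/0/6": "10.1.6.1/24"},
       "ccc": {"name": "ge-1-to-pe2", "interface": "ge-0/0/1.0",
               "transmit": "lsp_to_pe2_ge1", "to": "127.1.1.3", "receive": "lsp_to_pe1_ge1"}}
PE2 = {"name": "PE-2", "loopback": "127.1.1.3/32",
       "core": {"ae0": "10.1.9.2/24"},
       "ccc": {"name": "ge-1-to-pe1", "interface": "ge-0/0/1.0",
               "transmit": "lsp_to_pe1_ge1", "to": "127.1.1.1", "receive": "lsp_to_pe2_ge1"}}
P = {"name": "P", "loopback": "127.1.1.2/32",
     "core": {"ge-0/0/5": "10.1.5.2/24", "ge-0/0/6": "10.1.6.2/24", "ae0": "10.1.9.1/24"}}


def logical(name):
    """JUNOS reads a bare interface name under [edit protocols] as unit 0 of that interface."""
    return name if "." in name else name + ".0"


def common_commands(sw):
    """OSPF, MPLS, RSVP and interface statements that every switch in the MPLS network needs."""
    core = sw["core"]
    cmds = ["set protocols ospf traffic-engineering",
            "set protocols ospf area 0.0.0.0 interface lo0.0"]
    cmds += [f"set protocols ospf area 0.0.0.0 interface {logical(i)}" for i in core]
    cmds += [f"set protocols mpls interface {logical(i)}" for i in core]
    cmds += ["set protocols rsvp interface lo0.0"]
    cmds += [f"set protocols rsvp interface {logical(i)}" for i in core]
    cmds += [f"set interfaces lo0 unit 0 family inet address {sw['loopback']}"]
    cmds += [f"set interfaces {i} unit 0 family inet address {a}" for i, a in core.items()]
    cmds += [f"set interfaces {i} unit 0 family mpls" for i in core]
    return cmds


def p_commands(sw):
    """A provider (transit) switch needs only the common statements."""
    return common_commands(sw)


def pe_commands(sw):
    """A provider edge switch adds the LSP, the family ccc interface and the CCC definition."""
    ccc = sw["ccc"]
    phys = ccc["interface"].split(".")[0]
    conn = f"set protocols connections remote-interface-switch {ccc['name']}"
    return common_commands(sw) + [
        f"set protocols mpls label-switched-path {ccc['transmit']} to {ccc['to']}",
        f"set interfaces {phys} unit 0 family ccc",
        f"{conn} interface {ccc['interface']}",
        f"{conn} transmit-lsp {ccc['transmit']}",
        f"{conn} receive-lsp {ccc['receive']}",
    ]


def check_switch(cmds):
    """Each interface under protocols mpls must also carry family mpls and appear under rsvp and ospf."""
    words = [c.split() for c in cmds]
    mpls = {logical(w[4]) for w in words if w[:4] == ["set", "protocols", "mpls", "interface"]}
    rsvp = {logical(w[4]) for w in words if w[:4] == ["set", "protocols", "rsvp", "interface"]}
    ospf = {logical(w[6]) for w in words
            if w[:4] == ["set", "protocols", "ospf", "area"] and len(w) > 6 and w[5] == "interface"}
    fam = {f"{w[2]}.{w[4]}" for w in words
           if w[:2] == ["set", "interfaces"] and w[5:7] == ["family", "mpls"]}
    problems = []
    for i in sorted(mpls):
        for label, have in (("family mpls", fam), ("protocols rsvp", rsvp), ("protocols ospf", ospf)):
            if i not in have:
                problems.append(f"{i}: under protocols mpls but missing {label}")
    return problems


def check_pe_pair(a, b):
    """The two PEs must point their LSPs at each other and mirror each other's LSP names."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if x["ccc"]["to"] != y["loopback"].split("/")[0]:
            problems.append(f"{x['name']}: LSP {x['ccc']['transmit']} goes to {x['ccc']['to']}, "
                            f"not the loopback of {y['name']}")
        if x["ccc"]["transmit"] != y["ccc"]["receive"]:
            problems.append(f"{x['name']} transmits {x['ccc']['transmit']} "
                            f"but {y['name']} receives {y['ccc']['receive']}")
    return problems


def check_addresses(switches):
    """Every inet address in the MPLS network must belong to exactly one switch."""
    owners, problems = {}, []
    for sw in switches:
        for addr in [sw["loopback"], *sw["core"].values()]:
            if addr in owners:
                problems.append(f"address {addr} configured on both {owners[addr]} and {sw['name']}")
            owners[addr] = sw["name"]
    return problems


def audit(pe_a, pe_b, p):
    """Run every check over the generated configuration of all three switches."""
    problems = check_pe_pair(pe_a, pe_b) + check_addresses([pe_a, pe_b, p])
    for sw, gen in ((pe_a, pe_commands), (pe_b, pe_commands), (p, p_commands)):
        problems += [f"{sw['name']}: {msg}" for msg in check_switch(gen(sw))]
    return problems


if __name__ == "__main__":
    for sw, gen in ((PE1, pe_commands), (PE2, pe_commands), (P, p_commands)):
        print(f"# {sw['name']}")
        print("\n".join(gen(sw)))
    print("problems:", audit(PE1, PE2, P) or "none")
```

Running audit before pasting the commands into the switches catches the mistakes that otherwise only show up as a CCC stuck in a non-Up state in show connections, such as a transmit-lsp name on one PE that does not match the receive-lsp name on the other.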

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Physical Layer on the Switches on page 1523

Verifying the Routing Protocol on page 1524

Verifying the Core Interfaces Being Used for the MPLS Traffic on page 1524

Verifying RSVP on page 1525

Verifying the Assignment of Interfaces for MPLS Label Operations on page 1525

Verifying the Status of the CCC on page 1525

Verifying the Physical Layer on the Switches


Purpose

Verify that the interfaces are up. Perform this verification task on each of the switches.

Action

user@switchPE-1> show interfaces ge- terse
Interface      Admin Link Proto       Local          Remote
ge-0/0/0       up    up
ge-0/0/0.0     up    up   inet
ge-0/0/1.0     up    up   ccc
ge-0/0/2.0     up    up   eth-switch
ge-0/0/3.0     up    up   eth-switch
ge-0/0/4.0     up    up   eth-switch
ge-0/0/5.0     up    up   inet        10.1.5.1/24
                          mpls
ge-0/0/6.0     up    up   inet        10.1.6.1/24
                          mpls

Meaning

The show interfaces terse command displays status information about the Gigabit
Ethernet interfaces on the switch. This output verifies that the interfaces are up. The
output for the protocol family (Proto column) shows that interface ge-0/0/1.0 is
configured as a circuit cross-connect. The output for the protocol family of the core
interfaces (ge-0/0/5.0 and ge-0/0/6.0) shows that these interfaces are configured
as both inet and mpls. The Local column for the core interfaces shows the IP address
configured for these interfaces.

Verifying the Routing Protocol


Purpose

Verify the state of the configured routing protocol. Perform this verification task on
each of the switches. The state should be Full.

Action

user@switchPE-1> show ospf neighbor
Address          Interface      State     ID               Pri  Dead
127.1.1.2        ge0/0/5        Full      10.10.10.10      128    39

Meaning

The show ospf neighbor command displays the status of the routing protocol. This
output shows that the state is Full, meaning that the routing protocol is operating
correctly; that is, hello packets are being exchanged between directly connected
neighbors.

Verifying the Core Interfaces Being Used for the MPLS Traffic
Purpose

Verify that the state of the MPLS interface is Up. Perform this verification task on
each of the switches.

Action

user@switchPE-1> show mpls interface
Interface        State       Administrative groups
ge0/0/5          Up          <none>
ge0/0/6          Up          <none>

Meaning

The show mpls interface command displays the status of the core interfaces that have
been configured to belong to family mpls. This output shows that the interfaces
configured to belong to family mpls are Up.

Verifying RSVP
Purpose

Verify the state of the RSVP session. Perform this verification task on each of the
switches.

Action

user@switchPE-1> show rsvp session
Ingress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
127.1.1.3       127.1.1.1       Up       0  1 FF             300064 lsp_to_pe2_ge1
Total 1 displayed, Up 1, Down 0

Egress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
127.1.1.1       127.1.1.3       Up       0  1 FF  299968        - lsp_to_pe1_ge1
Total 1 displayed, Up 1, Down 0

Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0

Meaning

This output confirms that the RSVP sessions are Up.

Verifying the Assignment of Interfaces for MPLS Label Operations


Purpose

Verify which interface is being used as the beginning of the CCC and which interface
is being used to push the MPLS packet to the next hop. Perform this task only on the
provider edge switches.

Action

user@switchPE-1> show route forwarding-table family mpls
MPLS:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    dscd    50     1
0                  user     0                    recv    49     3
1                  user     0                    recv    49     3
2                  user     0                    recv    49     3
299776             user     0                    Pop    541     2 ge-0/0/1.0
ge-0/0/1.0 (CCC)   user     0 2.0.0.1            Push 299792   540     2 ge-0/0/5.0

Meaning

This output shows that the CCC has been set up on interface ge-0/0/1.0. The switch
receives ingress traffic on ge-0/0/1.0 and pushes label 299792 onto the packet,
which goes out through interface ge-0/0/5.0. The output also shows that when the
switch receives an MPLS packet with label 299776, it pops the label and sends the
packet out through interface ge-0/0/1.0.
After you have checked the local provider edge switch, run the same command on
the remote provider edge switch.

Verifying the Status of the CCC


Purpose

Verify the status of the CCC. Perform this task only on the provider edge switches.

Action

user@switchPE-1> show connections
CCC and TCC connections [Link Monitoring On]

Legend for status (St)              Legend for connection types
UN -- uninitialized                 if-sw:      interface switching
NP -- not present                   rmt-if:     remote interface switching
WE -- wrong encapsulation           lsp-sw:     LSP switching
DS -- disabled                      tx-p2mp-sw: transmit P2MP switching
Dn -- down                          rx-p2mp-sw: receive P2MP switching
-> -- only outbound conn is up
<- -- only inbound conn is up       Legend for circuit types
Up -- operational                   intf -- interface
RmtDn -- remote CCC down            tlsp -- transmit LSP
Restart -- restarting               rlsp -- receive LSP

Connection/Circuit          Type        St      Time last up          # Up trans
ge-1-to-pe2                 rmt-if      Up      Feb 17 05:00:09            1
  ge-0/0/1.0                intf        Up
  lsp_to_pe1_ge1            tlsp        Up
  lsp_to_pe2_ge1            rlsp        Up

Meaning

The show connections command displays the status of the CCC connections. This
output verifies that the CCC interface and its associated transmit and receive LSPs
are Up. After you have checked the local provider edge switch, run the same command
on the remote provider edge switch.
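The RSVP and CCC verification steps above are the ones worth repeating after every change to the network, so here is an added example (not code from the guide or from JUNOS) that parses show rsvp session and show connections output in the format shown above and reports anything that is not Up, plus any LSP that is expected but absent from the RSVP session list. The sample output embedded in the block is constructed to resemble the guide's: the egress session and the receive LSP circuit are deliberately marked Dn, and the connection carries the <- status from the legend (only the inbound side is up), so the check has something to find. parse_rsvp_sessions, parse_connections and find_problems are this example's own names.

```python
"""Check show rsvp session and show connections output for anything not Up (added example)."""
import re

# Constructed sample output modelled on the guide's listings; the Dn and <- states are deliberate.
RSVP_SAMPLE = """\
Ingress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
127.1.1.3       127.1.1.1       Up       0  1 FF       -   300064 lsp_to_pe2_ge1
Total 1 displayed, Up 1, Down 0

Egress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
127.1.1.1       127.1.1.3       Dn       0  1 FF  299968        - lsp_to_pe1_ge1
Total 1 displayed, Up 0, Down 1

Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0
"""

CONN_SAMPLE = """\
CCC and TCC connections [Link Monitoring On]

Connection/Circuit          Type        St      Time last up          # Up trans
ge-1-to-pe2                 rmt-if      <-      Feb 17 05:00:09            1
  ge-0/0/1.0                intf        Up
  lsp_to_pe2_ge1            tlsp        Up
  lsp_to_pe1_ge1            rlsp        Dn
"""

SECTION_RE = re.compile(r"^(Ingress|Egress|Transit) RSVP:")


def parse_rsvp_sessions(text):
    """Return one dict per session row; the section (Ingress/Egress/Transit) is carried along."""
    sessions, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        tok = line.split()
        if section is None or not tok or tok[0] in ("To", "Total"):  # skip headers and totals
            continue
        sessions.append({"section": section, "to": tok[0], "from": tok[1],
                         "state": tok[2], "lsp": tok[-1]})
    return sessions


def parse_connections(text):
    """Return the connection row and its circuit rows; circuits are the indented lines."""
    circuits, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Connection/Circuit"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        tok = line.split()
        circuits.append({"name": tok[0], "type": tok[1], "state": tok[2],
                         "circuit": line.startswith(" ")})
    return circuits


def find_problems(rsvp_text, conn_text, expected_lsps):
    """List every RSVP session or CCC circuit that is not Up and every expected LSP with no session."""
    problems = []
    sessions = parse_rsvp_sessions(rsvp_text)
    for s in sessions:
        if s["state"] != "Up":
            problems.append(f"rsvp {s['section'].lower()} session {s['lsp']} "
                            f"({s['from']} -> {s['to']}) is {s['state']}")
    seen = {s["lsp"] for s in sessions}
    for lsp in expected_lsps:
        if lsp not in seen:
            problems.append(f"rsvp session for {lsp} is missing")
    for c in parse_connections(conn_text):
        if c["state"] != "Up":
            problems.append(f"ccc {c['name']} ({c['type']}) is {c['state']}")
    return problems


if __name__ == "__main__":
    for p in find_problems(RSVP_SAMPLE, CONN_SAMPLE, ["lsp_to_pe2_ge1", "lsp_to_pe1_ge1"]):
        print("PROBLEM:", p)
```

On a live switch the two strings would be the captured output of the commands shown in the Action steps above; passing the LSP names from the configuration as expected_lsps is what turns a quiet session list into an alert when an LSP has disappeared entirely rather than merely gone down.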

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

JUNOS MPLS for EX Series Switches Overview on page 1503

For information on the interface statement for OSPF, see the JUNOS Software
Routing Protocols Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html.

Chapter 83

Configuring JUNOS MPLS

Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

Configuring Path Protection in an MPLS Network (CLI Procedure)


The JUNOS Software implementation of MPLS on EX Series switches provides path
protection as a mechanism for protecting against label switched path (LSP) failures.
Path protection reduces the time required to recalculate a route in case of a failure
within the MPLS tunnel. You configure path protection on the ingress provider edge
switch in your MPLS network. You do not configure the egress provider edge switch
or the provider switches for path protection. You can explicitly specify which provider
switches are used for the primary and secondary paths, or you can let the software
calculate the paths automatically.
Before you configure path protection, be sure you have:

Configured an ingress provider edge switch and an egress provider edge switch.
See Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530.

Configured at least one provider (transit) switch. See Configuring MPLS on
Provider Switches (CLI Procedure) on page 1535.

Verified the configuration of your MPLS network. See Verifying That MPLS Is
Working Correctly on page 1539.

To configure path protection, complete the following tasks on the ingress provider
edge switch:
1. Configuring the Primary Path on page 1528
2. Configuring the Secondary Path on page 1528
3. Configuring the Revert Timer on page 1529


Configuring the Primary Path

The primary statement creates the primary path, which is the LSP's preferred path.
The secondary statement creates an alternative path that is used if the primary path
can no longer reach the egress provider edge switch.

In the tasks described in this topic, the lsp-name has already been configured on
the ingress provider edge switch as lsp_to_240 and the loopback interface address
on the remote provider edge switch has already been configured as 127.0.0.8.

When the software switches from the primary to the secondary path, it continuously
attempts to revert to the primary path, switching back to it when it is again reachable
but no sooner than the retry time specified in the revert-timer statement.

You can configure zero primary paths or one primary path. If you do not configure
a primary path, the first secondary path (if a secondary path has been configured)
is selected as the path. If you do not specify any named paths, or if the path that you
specify is empty, the software makes all routing decisions necessary for the packets
to reach the egress provider edge switch.

To configure a primary path:

1. Create the primary path for the LSP:

[edit protocols mpls label-switched-path lsp_to_240 to 127.0.0.8]
user@switch# set primary primary_path_lsp_to_240

2. Configure an explicit route for the primary path by specifying the IP address of
the loopback interface or the switch IP address or hostname of each switch used
in the MPLS tunnel. You can specify the link types as either strict or loose in each
path statement. If the link type is strict, the LSP must go to the next address
specified in the path statement without traversing other switches. If the link type
is loose, the LSP can traverse other switches before reaching this switch.
This configuration uses the default strict designation for the paths.

NOTE: You can enable path protection without specifying which provider switches
are used. If you do not list the specific provider switches to be used for the MPLS
tunnel, the switch calculates the route.

TIP: Do not include the ingress provider edge switch in these statements. List the IP
address of the loopback interface or switch address or hostname of all other switch
hops in sequence, ending with the egress provider edge switch.

[edit protocols mpls label-switched-path lsp_to_240 to 127.0.0.8]
user@switch# set path primary_path_lsp_to_240 127.0.0.2
user@switch# set path primary_path_lsp_to_240 127.0.0.3
user@switch# set path primary_path_lsp_to_240 127.0.0.8


Configuring the Secondary Path

You can configure zero or more secondary paths. All secondary paths are equal, and
the software tries them in the order that they are listed in the configuration. The
software does not attempt to switch among secondary paths. If the first secondary
path in the configuration is not available, the next one is tried, and so on. To create a
set of equal paths, specify secondary paths without specifying a primary path. If you
do not specify any named paths, or if the path that you specify is empty, the software
makes all routing decisions necessary to reach the egress provider edge switch.

To configure the secondary path:

1. Create a secondary path for the LSP:

[edit protocols mpls label-switched-path lsp_to_240 to 127.0.0.8]
user@switch# set secondary secondary_path_lsp_to_240 standby

2. Configure an explicit route for the secondary path by specifying the IP address
of the loopback interface or the switch IP address or hostname of each switch
used in the MPLS tunnel. You can specify the link types as either strict or loose
in each path statement. This configuration uses the default strict designation for
the paths.

TIP: Do not include the ingress provider edge switch in these statements. List the IP
address of the loopback interface or switch address or hostname of all other switch
hops in sequence, ending with the egress provider edge switch.

[edit protocols mpls label-switched-path lsp_to_240 to 127.0.0.8]
user@switch# set path secondary_path_lsp_to_240 127.0.0.4
user@switch# set path secondary_path_lsp_to_240 127.0.0.8

Configuring the Revert Timer


For LSPs configured with both primary and secondary paths, you can optionally
configure a revert timer. If the primary path goes down and traffic is switched to the
secondary path, the revert timer specifies the amount of time (in seconds) that the
LSP must wait before it can revert traffic back to the primary path. If the primary
path experiences any connectivity problems or stability problems during this time,
the timer is restarted.

TIP: If you do not explicitly configure the revert timer, it is set by default to 60
seconds.

To configure the revert timer for LSPs configured with primary and secondary paths:

For all LSPs on the switch:

[edit protocols mpls]
user@switch# set revert-timer 120

For a specific LSP on the switch:

[edit protocols mpls label-switched-path]
user@switch# set lsp_to_240 revert-timer 120
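The three tasks above, combined into the configuration they leave on the ingress provider edge switch, as an added example that is not part of the original guide and not Juniper's own sample. It uses the names and addresses from the steps above (lsp_to_240, primary_path_lsp_to_240, secondary_path_lsp_to_240, egress loopback 127.0.0.8, hops 127.0.0.2, 127.0.0.3 and 127.0.0.4) and is shown in the hierarchical form that show configuration displays. Two things in it are assumptions: the path statements are placed directly under [edit protocols mpls], where the [edit protocols] statement hierarchy in Chapter 85 lists them, and the loose designation on the secondary path's 127.0.0.4 hop is added to show the alternative to the strict default that the steps use throughout.

```junos
protocols {
    mpls {
        /* Switch-wide revert timer, in seconds, for every LSP on this switch. */
        revert-timer 120;
        /* Explicit hop lists, referenced by name from the LSP below. The ingress
           switch itself is not listed; each list ends at the egress provider edge
           switch (127.0.0.8). Placement under [edit protocols mpls] is assumed
           from the statement hierarchy in Chapter 85. */
        path primary_path_lsp_to_240 {
            127.0.0.2 strict;
            127.0.0.3 strict;
            127.0.0.8 strict;
        }
        /* Assumed variation: loose means the LSP may cross other switches before
           it reaches 127.0.0.4; the steps above use the strict default instead. */
        path secondary_path_lsp_to_240 {
            127.0.0.4 loose;
            127.0.0.8 strict;
        }
        label-switched-path lsp_to_240 {
            to 127.0.0.8;
            /* Per-LSP revert timer, used for this LSP in preference to the
               switch-wide value above. */
            revert-timer 120;
            primary primary_path_lsp_to_240;
            /* standby keeps the secondary path signaled while the primary is
               in use, so traffic can move to it as soon as the primary fails. */
            secondary secondary_path_lsp_to_240 {
                standby;
            }
        }
        /* Core interfaces, RSVP and the routing protocol are already configured
           per the prerequisites for this procedure and are not repeated here. */
    }
}
```

After committing, show configuration protocols mpls should display the stanza in this form; both revert-timer values are set to 120 only to show where each is placed, and a single one is enough in practice.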

Related Topics

Understanding MPLS and Path Protection on EX Series Switches on page 1510

Configuring MPLS on Provider Edge Switches (CLI Procedure)


JUNOS MPLS for EX Series switches supports Layer 2 protocols and Layer 2 virtual
private networks (VPNs). You can configure MPLS on your switches to increase
transport efficiency in your network. MPLS services can be used to connect various
sites to a backbone network or to ensure better performance for low-latency
applications such as VoIP and other business-critical functions.
To implement MPLS on EX Series switches, you must configure two provider edge
switches: an ingress provider edge switch and an egress provider edge switch.
To configure a provider edge switch, complete the following tasks. When you have
completed configuring one provider edge switch, perform the same tasks on the
other provider edge switch:
1. Enabling the OSPF or the IS-IS Routing Protocol on the Loopback and Core
Interfaces on page 1531
2. Enabling Traffic Engineering for the Routing Protocol on page 1531
3. Configuring IP Addresses for the Loopback and Core Interfaces on page 1531
4. Enabling MPLS, Defining the Label Switched Path, and Applying MPLS to the
Core Interfaces on page 1532
5. Enabling RSVP and Applying It to the Loopback and Core Interfaces on page 1532
6. Enabling Family MPLS on the Core Interfaces on page 1533
7. Configuring a Circuit Cross-Connect on a Customer Edge Interface on page 1533

Enabling the OSPF or the IS-IS Routing Protocol on the Loopback and Core Interfaces

Enable OSPF or IS-IS on the loopback address and on the core interface addresses.

NOTE: You can use the switch address as an alternative to the loopback address.

1. Configure OSPF on the loopback and core interfaces:

[edit protocols]
user@switch# set ospf area 0.0.0.0 interface lo0.0
user@switch# set ospf area 0.0.0.0 interface ge-0/0/5.0
user@switch# set ospf area 0.0.0.0 interface ge-0/0/6.0
user@switch# set ospf area 0.0.0.0 interface ae0

Enabling Traffic Engineering for the Routing Protocol

Enable traffic engineering for the routing protocol (either OSPF or IS-IS) on the
loopback address and on the core interface addresses.

1. Enable traffic engineering for the routing protocol:

[edit protocols]
user@switch# set ospf traffic-engineering

Configuring IP Addresses for the Loopback and Core Interfaces

Configure IP addresses for the loopback and core interfaces.

1. Configure an IP address for the loopback interface and for the core interfaces:

[edit]
user@switch# set interfaces lo0 unit 0 family inet address 127.1.1.1/32
user@switch# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24
user@switch# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24
user@switch# set interfaces ae0 unit 0 family inet address 10.1.9.1/24


Enabling MPLS, Defining the Label Switched Path, and Applying MPLS to the Core Interfaces

Enable MPLS within the protocols stanza and define a label switched path (LSP) that
specifies the loopback interface address or switch address of the destination (egress)
provider edge switch. You must also apply MPLS to the core interfaces.

1. Enable MPLS and define the LSP:

[edit protocols]
user@switch# set mpls label-switched-path lsp_to_pe2_ge1 to 127.1.1.3

TIP: lsp_to_pe2_ge1 is the LSP name. You will need to use the specified name again
when configuring the circuit cross-connect.

2. Configure MPLS on the core interface addresses:

[edit protocols]
user@switch# set mpls interface ge-0/0/5.0
user@switch# set mpls interface ge-0/0/6.0
user@switch# set mpls interface ae0

Enabling RSVP and Applying It to the Loopback and Core Interfaces

Enable RSVP and apply it to the loopback and the core interfaces.

1. Configure RSVP on the loopback address and the core interface addresses:

[edit protocols]
user@switch# set rsvp interface lo0.0
user@switch# set rsvp interface ge-0/0/5.0
user@switch# set rsvp interface ge-0/0/6.0
user@switch# set rsvp interface ae0

Enabling Family MPLS on the Core Interfaces

On the logical units of the core interface addresses, configure these interfaces to
belong to family mpls. This configuration identifies the interfaces used for forwarding
MPLS packets.

1. Configure family mpls on the logical units of the core interfaces:

[edit]
user@switch# set interfaces ge-0/0/5 unit 0 family mpls
user@switch# set interfaces ge-0/0/6 unit 0 family mpls
user@switch# set interfaces ae0 unit 0 family mpls

NOTE: You can enable family mpls on either individual interfaces or aggregated
Ethernet interfaces. You cannot enable it on tagged VLAN interfaces.

Configuring a Circuit Cross-Connect on a Customer Edge Interface


You must configure the customer edge interfaces of the provider edge switches as
a circuit cross-connect (CCC). The customer edge interface can be either a simple
interface or a tagged VLAN interface. In both cases, you must configure the logical
unit of the customer edge interface to belong to family ccc and you must configure
an association between that interface and two LSPs, one for transmitting MPLS
packets to the remote provider edge and the other for receiving MPLS packets from
the remote PE.

NOTE: When an interface is configured to belong to family ccc, it cannot belong to
any other family.

If you are configuring a CCC on a tagged VLAN interface, you must explicitly enable
VLAN tagging and specify a VLAN ID.

NOTE: The VLAN tag ID cannot be configured on logical interface unit 0. The logical
unit number must be 1 or higher.

This procedure shows how to set up two CCCs:

If you are configuring a CCC on a simple interface (ge-0/0/1), omit step 1 and
step 2.

If you are configuring a CCC on a tagged VLAN interface (ge-0/0/2), include all
the steps in this procedure.

1. Enable VLAN tagging on the customer edge interface ge-0/0/2 of the local
provider edge switch:

[edit interfaces ge-0/0/2]
user@switch# set vlan-tagging

2. Configure the logical unit of the customer edge interface with a VLAN ID:

[edit interfaces ge-0/0/2 unit 1]
user@switch# set vlan-id 100

3. Configure the logical unit of the customer edge interface to belong to family ccc:

[edit interfaces ge-0/0/1 unit 0]
user@switch# set family ccc
[edit interfaces ge-0/0/2 unit 1]
user@switch# set family ccc

4. Associate the CCC interface with two LSPs, one for transmitting MPLS packets
and the other for receiving MPLS packets:

[edit protocols]
user@switch# set connections remote-interface-switch ge-1to-pe2 interface ge-0/0/1.0
user@switch# set connections remote-interface-switch ge-1to-pe2 transmit-lsp lsp_to_pe2_ge1
user@switch# set connections remote-interface-switch ge-1to-pe2 receive-lsp lsp_to_pe1_ge1
[edit protocols]
user@switch# set connections remote-interface-switch ge-1to-pe2 interface ge-0/0/2.1
user@switch# set connections remote-interface-switch ge-1to-pe2 transmit-lsp lsp_to_pe2_ge1
user@switch# set connections remote-interface-switch ge-1to-pe2 receive-lsp lsp_to_pe1_ge1

TIP: The transmit-lsp option specifies the LSP name that was configured on PE-1 (the
local provider edge switch) by the label-switched-path statement within the protocols
mpls stanza.
The receive-lsp option specifies the LSP name that was configured on PE-2 (the remote
provider edge switch) by the label-switched-path statement within the protocols mpls
stanza.

When you have completed configuring one provider edge switch, follow the same
procedures to configure the other provider edge switch.
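The seven tasks of this procedure, combined into the configuration they produce, as an added example that is not part of the original guide and not Juniper's own sample, shown in the hierarchical form that show configuration displays. The PE-1 side uses only values from the steps above, with the connection shown for the simple interface ge-0/0/1.0. The PE-2 side is assumed: its loopback 127.1.1.3 and its LSP name lsp_to_pe1_ge1 are the values PE-1's steps point at, and everything else on PE-2 is assumed to mirror PE-1. It is included to show the transmit-lsp and receive-lsp reversal that the TIP above describes, which is the part most often configured wrong on the second switch.

```junos
/* PE-1 (local provider edge switch). Values are the ones used in the steps
   above; the connection is shown for the simple interface ge-0/0/1.0 only. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 127.1.1.1/32;
            }
        }
    }
    /* Core interface: family inet carries OSPF and RSVP, family mpls marks
       the unit for label forwarding. ge-0/0/6 and ae0 are configured the
       same way and are omitted here. */
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.1.5.1/24;
            }
            family mpls;
        }
    }
    /* Customer edge port, untagged: family ccc and no other family on the unit. */
    ge-0/0/1 {
        unit 0 {
            family ccc;
        }
    }
    /* Customer edge port, tagged: vlan-tagging on the physical interface,
       vlan-id and family ccc on a logical unit numbered 1 or higher. */
    ge-0/0/2 {
        vlan-tagging;
        unit 1 {
            vlan-id 100;
            family ccc;
        }
    }
}
protocols {
    ospf {
        traffic-engineering;
        area 0.0.0.0 {
            interface lo0.0;
            interface ge-0/0/5.0;
            interface ge-0/0/6.0;
            interface ae0;
        }
    }
    rsvp {
        interface lo0.0;
        interface ge-0/0/5.0;
        interface ge-0/0/6.0;
        interface ae0;
    }
    mpls {
        /* LSP toward PE-2; this name is what PE-2 must give as its receive-lsp. */
        label-switched-path lsp_to_pe2_ge1 {
            to 127.1.1.3;
        }
        interface ge-0/0/5.0;
        interface ge-0/0/6.0;
        interface ae0;
    }
    connections {
        remote-interface-switch ge-1to-pe2 {
            interface ge-0/0/1.0;
            /* transmit-lsp: the LSP defined on this switch (PE-1) */
            transmit-lsp lsp_to_pe2_ge1;
            /* receive-lsp: the LSP defined on the remote switch (PE-2) */
            receive-lsp lsp_to_pe1_ge1;
        }
    }
}

/* PE-2 (remote provider edge switch), assumed values: loopback 127.1.1.3 is
   the destination PE-1's LSP points at, and lsp_to_pe1_ge1 is the name PE-1
   lists as receive-lsp. Interface, OSPF and RSVP stanzas mirror PE-1's and
   are omitted; the connection name is significant only on the local switch. */
protocols {
    mpls {
        label-switched-path lsp_to_pe1_ge1 {
            to 127.1.1.1;
        }
    }
    connections {
        remote-interface-switch ge-1to-pe2 {
            interface ge-0/0/1.0;
            /* the two LSP roles are swapped relative to PE-1 */
            transmit-lsp lsp_to_pe1_ge1;
            receive-lsp lsp_to_pe2_ge1;
        }
    }
}
```

Each switch's transmit-lsp must name an LSP defined in its own protocols mpls stanza and its receive-lsp the LSP defined on the peer. Because show connections lists the transmit and receive LSPs as separate tlsp and rlsp circuits under the connection, a name that does not match on the two switches shows up there as a circuit that is not Up, so running that command on both switches after committing is the quickest confirmation.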
Related Topics

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

Configuring an OSPF Network (J-Web Procedure) on page 775

Verifying That MPLS Is Working Correctly on page 1539

Understanding JUNOS MPLS Components for EX Series Switches on page 1506

For information on the interface statement for OSPF, see the JUNOS Software
Routing Protocols Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html.

Configuring MPLS on Provider Switches (CLI Procedure)


JUNOS MPLS for EX Series switches supports Layer 2 protocols and Layer 2 virtual
private networks (VPNs). You can configure MPLS on your switches to increase
transport efficiency in your network. MPLS services can be used to connect various
sites to a backbone network or to ensure better performance for low-latency
applications such as VoIP and other business-critical functions.
To implement MPLS on EX Series switches, you must configure at least one provider
switch as a transit switch for the MPLS packets.


To configure the provider switch, complete the following tasks:


1. Enabling the OSPF or the IS-IS Routing Protocol on the Loopback and Core
Interfaces on page 1536
2. Enabling Traffic Engineering for the Routing Protocol on page 1536
3. Enabling MPLS and Applying MPLS to the Core Interfaces on page 1536
4. Enabling RSVP and Applying It to the Loopback and Core Interfaces on page 1537
5. Configuring IP Addresses for the Loopback and Core Interfaces on page 1537
6. Enabling Family MPLS on the Core Interfaces on page 1537

Enabling the OSPF or the IS-IS Routing Protocol on the Loopback and Core Interfaces

Enable OSPF or IS-IS on the loopback address and on the core interface addresses.

NOTE: You can use the switch address as an alternative to the loopback address.

1. Configure OSPF on the loopback and core interfaces:

[edit protocols]
user@switch# set ospf area 0.0.0.0 interface lo0.0
user@switch# set ospf area 0.0.0.0 interface ge-0/0/5.0
user@switch# set ospf area 0.0.0.0 interface ge-0/0/6.0
user@switch# set ospf area 0.0.0.0 interface ae0

Enabling Traffic Engineering for the Routing Protocol

Enable traffic engineering for the routing protocol (either OSPF or IS-IS) on the
loopback address and on the core interface addresses.

1. Enable traffic engineering for the routing protocol:

[edit protocols]
user@switch# set ospf traffic-engineering

Enabling MPLS and Applying MPLS to the Core Interfaces

Enable MPLS within the protocols stanza and apply it to the core interfaces.

1. Configure MPLS on the core interface addresses:

[edit protocols]
user@switch# set mpls interface ge-0/0/5.0
user@switch# set mpls interface ge-0/0/6.0
user@switch# set mpls interface ae0


Enabling RSVP and Applying It to the Loopback and Core Interfaces

Enable RSVP and apply it to the loopback and the core interfaces.

1. Configure RSVP on the loopback address and the core interface addresses:

[edit protocols]
user@switch# set rsvp interface lo0.0
user@switch# set rsvp interface ge-0/0/5.0
user@switch# set rsvp interface ge-0/0/6.0
user@switch# set rsvp interface ae0

Configuring IP Addresses for the Loopback and Core Interfaces

Configure IP addresses for the loopback and core interfaces.

1. Configure an IP address for the loopback interface and for the core interfaces:

[edit]
user@switch# set interfaces lo0 unit 0 family inet address 127.1.1.1/32
user@switch# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24
user@switch# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24
user@switch# set interfaces ae0 unit 0 family inet address 10.1.9.2/24

Enabling Family MPLS on the Core Interfaces

On the logical units of the core interface addresses, configure these interfaces to
belong to family mpls. This configuration identifies the interfaces used for forwarding
MPLS packets.

1. Configure family mpls on the logical units of the core interfaces:

[edit]
user@switch# set interfaces ge-0/0/5 unit 0 family mpls
user@switch# set interfaces ge-0/0/6 unit 0 family mpls
user@switch# set interfaces ae0 unit 0 family mpls

NOTE: You can enable family mpls on either individual interfaces or aggregated
Ethernet interfaces. You cannot enable it on tagged VLAN interfaces.

Related Topics

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring an OSPF Network (J-Web Procedure) on page 775

Verifying That MPLS Is Working Correctly on page 1539


Understanding JUNOS MPLS Components for EX Series Switches on page 1506

For information on the interface statement for OSPF, see the JUNOS Software
Routing Protocols Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html.

Chapter 84

Verifying MPLS

Verifying That MPLS Is Working Correctly on page 1539

Verifying That MPLS Is Working Correctly


To verify that MPLS is working correctly on EX Series switches, perform the following
tasks:
1. Verifying the Physical Layer on the Switches on page 1539
2. Verifying the Routing Protocol on page 1540
3. Verifying the Core Interfaces Being Used for the MPLS Traffic on page 1540
4. Verifying RSVP on page 1540
5. Verifying the Assignment of Interfaces for MPLS Label Operations on page 1541
6. Verifying the Status of the CCC on page 1541

Verifying the Physical Layer on the Switches

Purpose
Verify that the interfaces are up. Perform this verification task on each of the switches.

Action
user@switch> show interfaces ge- terse
Interface      Admin Link Proto       Local          Remote
ge-0/0/0       up    up
ge-0/0/0.0     up    up   inet
ge-0/0/1.0     up    up   ccc
ge-0/0/2.0     up    up   ccc
ge-0/0/3.0     up    up   eth-switch
ge-0/0/4.0     up    up   eth-switch
ge-0/0/5.0     up    up   inet        10.1.5.1/24
                          mpls
ge-0/0/6.0     up    up   inet        10.1.6.1/24
                          mpls

Meaning
The show interfaces terse command displays status information about the Gigabit
Ethernet interfaces on the switch. This output verifies that the interfaces are up. The
output for the protocol family (Proto column) shows that interfaces ge-0/0/1.0 and
ge-0/0/2.0 are configured as circuit cross-connect. The Local and Remote columns
do not display IP addresses, because the inet family is not configured for CCC
interfaces. The output for the protocol family of the core interfaces (ge-0/0/5.0 and
ge-0/0/6.0) shows that these interfaces are configured as both inet and mpls. The
Local column for the core interfaces shows the IP address configured for these
interfaces.

Verifying the Routing Protocol

Purpose
Verify the state of the configured routing protocol. You should perform this verification
task on each of the switches. The state should be Full. If you have configured OSPF
as the routing protocol, use the show ospf neighbor command to verify that the routing
protocol is communicating with the switch neighbors. If you have configured IS-IS
as the routing protocol, use the show isis adjacency command to verify that the routing
protocol is communicating with the switch neighbors.

Action
user@switch> show ospf neighbor
Address          Interface   State   ID            Pri  Dead
127.1.1.2        ge0/0/5     Full    10.10.10.10   128  39

Meaning
The show ospf neighbor command displays the status of the routing protocol that has
been configured on this switch. The output shows that the state is Full, meaning that
the routing protocol is operating correctly, that is, hello packets are being exchanged
between directly connected neighbors. For additional information on checking and
monitoring routing protocols, see the JUNOS Software Routing Protocols and Policies
Command Reference at http://www.juniper.net/techpubs/software/junos/junos95/index.html.

Verifying the Core Interfaces Being Used for the MPLS Traffic

Purpose
Verify that the state of the MPLS interface is Up. You should perform this verification
task on each of the switches.

Action
user@switch> show mpls interface
Interface   State   Administrative groups
ge0/05      Up      <none>

Meaning
The show mpls interface command displays the status of the core interfaces that have
been configured to belong to family mpls. This output shows that the interface
configured to belong to family mpls is up.

Verifying RSVP

Purpose
Verify the state of the RSVP session. You should perform this verification task on
each of the switches.

Action
user@switch> show rsvp session
Ingress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
127.1.1.3       127.1.1.1       Up       0  1 FF       -   300064 lsp_to_pe2_ge1
Total 1 displayed, Up 1, Down 0

Egress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
127.1.1.1       127.1.1.3       Up       0  1 FF  299968        - lsp_to_pe1_ge1
Total 1 displayed, Up 1, Down 0

Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0

Meaning
This output confirms that the RSVP sessions are Up.

Verifying the Assignment of Interfaces for MPLS Label Operations

Purpose
Verify which interface is being used as the beginning of the CCC and which interface
is being used to push the MPLS packet to the next hop. You should perform this task
only on the provider edge switches.

Action
user@switch> show route forwarding-table family mpls
MPLS:
Destination        Type RtRef Next hop           Type  Index NhRef Netif
default            perm     0                    dscd     50     1
0                  user     0                    recv     49     3
1                  user     0                    recv     49     3
2                  user     0                    recv     49     3
299776             user     0                    Pop     541     2 ge-0/0/1.0
ge-0/0/1.0 (CCC)   user     0 127.1.2.1          Push 299792   540     2 ge-0/0/5.0

Meaning
This output shows that a CCC has been set up on interface ge-0/0/1.0. The switch
receives ingress traffic on ge-0/0/1.0 with label 299776. It pops that label and swaps
it to label 299792, which it pushes out on interface ge-0/0/5.0.

Verifying the Status of the CCC

Purpose
Verify the status of the CCC. You should perform this task only on the provider edge
switches.

Action
user@switch> show connections
CCC and TCC connections [Link Monitoring On]

Legend for status (St)            Legend for connection types
UN -- uninitialized               if-sw:      interface switching
NP -- not present                 rmt-if:     remote interface switching
WE -- wrong encapsulation         lsp-sw:     LSP switching
DS -- disabled                    tx-p2mp-sw: transmit P2MP switching
Dn -- down                        rx-p2mp-sw: receive P2MP switching
-> -- only outbound conn is up
<- -- only inbound conn is up     Legend for circuit types
Up -- operational                 intf -- interface
RmtDn -- remote CCC down          tlsp -- transmit LSP
Restart -- restarting             rlsp -- receive LSP

Connection/Circuit      Type    St    Time last up       # Up trans
ge1-to-pe2              rmt-if  Up    Feb 17 05:00:09    1
  ge-0/0/1.0            intf    Up
  lsp_to_pe1_ge1        tlsp    Up
  lsp_to_pe2_ge1        rlsp    Up

Meaning
The show connections command displays the status of the CCC connections. This
output verifies that the CCC interface and its associated transmit and receive LSPs
are Up.

Related Topics

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

Chapter 85

Configuration Statements for MPLS

[edit protocols] Configuration Statement Hierarchy on page 1543

[edit protocols] Configuration Statement Hierarchy


protocols {
connections {
remote-interface-switch connection-name {
interface interface-name.unit-number;
transmit-lsp label-switched-path;
receive-lsp label-switched-path;
}
}
dot1x {
authenticator {
authentication-profile-name profile-name;
interface (all | [ interface-names ]) {
disable;
guest-vlan ( vlan-id | vlan-name);
mac-radius <restrict>;
maximum-requests number;
no-reauthentication;
quiet-period seconds;
reauthentication {
interval seconds;
}
retries number;
server-fail (deny | permit | use-cache | vlan-id | vlan-name);
server-reject-vlan (vlan-id | vlan-name);
server-timeout seconds;
supplicant (multiple | single | single-secure);
supplicant-timeout seconds;
transmit-period seconds;
}
static mac-address {
interface interface-name;
vlan-assignment (vlan-id |vlan-name);
}
}
gvrp {
<enable | disable>;
interface (all | [interface-name]) {
disable;

[edit protocols] Configuration Statement Hierarchy

1543

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

}
join-timer millseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}
igmp-snooping {
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
vlan (vlan-id | vlan-number) {
data-forwarding {
source {
groups group-prefix;
}
receiver {
source-vlans vlan-list;
install ;
}
}
disable {
interface interface-name
}
immediate-leave;
interface interface-name {
group-limit limit;
multicast-router-interface;
static {
group ip-address;
}
}
proxy ;
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp {
disable;
advertisement-interval seconds;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
}
lldp-med {
disable;
fast-start number;
interface (all | interface-name) {

1544

[edit protocols] Configuration Statement Hierarchy

Chapter 85: Configuration Statements for MPLS

disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mpls {
interface ( all | interface-name );
label-switched-path lsp-name to remote-provider-edge-switch;
path destination {
<address | hostname> <strict | loose>
}
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;

[edit protocols] Configuration Statement Hierarchy

1545

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

flag flag;
}
}
oam {
ethernet{
link-fault-management {
action-profile profile-name;
action {
syslog;
link-down;
}
event {
link-adjacency-loss;
link-event-rate;
frame-error count;
frame-period count;
frame-period-summary count;
symbol-period count;
}
interface interface-name {
link-discovery (active | passive);
pdu-interval interval;
event-thresholds threshold-value;
remote-loopback;
event-thresholds {
frame-errorcount;
frame-period count;
frame-period-summary count;
symbol-period count;
}
}
negotiation-options {
allow-remote-loopback;
no-allow-link-events;
}
}
}
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;

1546

[edit protocols] Configuration Statement Hierarchy

Chapter 85: Configuration Statements for MPLS

}
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
sflow {
collector {
ip-address;
udp-port port-number;
}
disable;
interfaces interface-name {
disable;
polling-interval seconds;
sample-rate number;
}
polling-interval seconds;
sample-rate number;
}
stp {
disable;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
}
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
vstp {
bpdu-block-on-edge;
disable;
force-version stp;
vlan vlan-id {
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
bpdu-timeout-action {
block;
alarm;
}
cost cost;
disable;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
}
}
Related Topics

802.1X for EX Series Switches Overview on page 865
Example: Configure Automatic VLAN Administration Using GVRP on page 508
Understanding MAC RADIUS Authentication on EX Series Switches on page 872
Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873
IGMP Snooping on EX Series Switches Overview on page 795
Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877
Understanding MSTP for EX Series Switches on page 573
Understanding RSTP for EX Series Switches on page 572
Understanding STP for EX Series Switches on page 571
Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 1635
Understanding VSTP for EX Series Switches on page 574
Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 1661

connections

Syntax
connections {
  remote-interface-switch connection-name {
    interface interface-name.unit-number;
    transmit-lsp label-switched-path;
    receive-lsp label-switched-path;
  }
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Define the connection between two circuits in a CCC connection.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

family ccc

Syntax
family ccc;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure the logical interface as a circuit cross-connect (CCC).

Default
You must configure a logical interface to be able to use the physical device.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

family mpls

Syntax
family mpls;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure MPLS protocol family information for the logical interface.

Default
You must configure a logical interface to be able to use the physical device.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
Configuring MPLS on Provider Switches (CLI Procedure) on page 1535
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

interface

Syntax
interface (all | interface-name);

Hierarchy Level
[edit protocols mpls]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Enable MPLS on all interfaces on the switch or on the specified interface.

Default
MPLS is disabled.

Options
all: All interfaces on the switch.
interface-name: Name of an interface in one of these formats:
  aex: Name of an aggregated Ethernet interface.
  ge-chassis/slot/port: Name of a Gigabit Ethernet interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

label-switched-path

Syntax
label-switched-path lsp-name to remote-provider-edge-switch;

Hierarchy Level
[edit protocols mpls]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Define a label-switched path (LSP) to the remote provider edge switch to use for MPLS traffic. You must specify this statement on the provider edge switch.

Options
lsp-name: Name that identifies the LSP. The name can be up to 32 characters and can contain letters, digits, periods, and hyphens. To include other characters, enclose the name in quotation marks. The name must be unique on the ingress switch.
remote-provider-edge-switch: Either the loopback address or the switch address.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

mpls

Syntax
mpls {
  interface (all | interface-name);
  label-switched-path lsp-name to remote-provider-edge-switch;
  path destination {
    <address | hostname> <strict | loose>;
  }
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Enable MPLS on the switch.
The remaining statements are explained separately.

Default
MPLS is disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
Configuring MPLS on Provider Switches (CLI Procedure) on page 1535
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

path

Syntax
path destination {
  <address | hostname> <strict | loose>;
}

Hierarchy Level
[edit protocols mpls]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure path protection on your MPLS network.

Options
destination: Name of a label switched path (LSP). In addition to specifying the name of the configured LSP, you can include some other designation such as primary-path.
address: (Optional) IP address of each transit switch (or the IP address of the loopback interface on the switch) in the LSP. If you want to control exactly which switches are selected for the LSP, specify the address or hostname of each transit switch. Specify the addresses in order, starting with the first provider (transit) switch, and continuing sequentially along the path until reaching the egress provider edge switch.
Default: If you do not specify the addresses or hostnames of any switches, the LSP is calculated by the switch.
hostname: (Optional) See address.
Default: If you do not specify the addresses or hostnames of any switches, the LSP is calculated by the switch.
loose: (Optional) Indicates that the next address in the path statement is a loose link. This means that the LSP can traverse through other switches before reaching this switch.
Default: strict
strict: (Optional) Indicates that the LSP must go to the next address specified in the path statement without traversing other switches. This is the default.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

primary

Syntax
primary path-name;

Hierarchy Level
[edit protocols mpls label-switched-path lsp-name]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Specify the primary path to use for a label switched path (LSP). You can configure only one primary path.

Options
path-name: Name of the primary path that you created with the path statement.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

remote-interface-switch

Syntax
remote-interface-switch connection-name {
  interface interface-name.unit-number;
  receive-lsp label-switched-path;
  transmit-lsp label-switched-path;
}

Hierarchy Level
[edit protocols connections]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Configure MPLS LSP tunnel cross-connects. This makes an association between a CCC interface and two LSPs, one for transmitting MPLS packets from the local provider edge switch to the remote provider edge switch and the other for receiving MPLS packets on the local provider edge switch from the remote provider edge switch.

Options
connection-name: Connection name.
interface interface-name.unit-number: Interface name. Include the logical portion of the name, which corresponds to the logical unit number of the CCC interface.
receive-lsp label-switched-path: Name of the LSP from the connection's source. This LSP name was specified by the label-switched-path statement on the remote provider edge switch in the protocols mpls stanza.
transmit-lsp label-switched-path: Name of the LSP to the connection's destination. This LSP name was specified by the label-switched-path statement on the local provider edge switch in the protocols mpls stanza.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html
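An added example (not Juniper's code) that applies the transmit-lsp and receive-lsp rule above to a pair of constructed provider edge configurations and reports mismatches; the loopback addresses, interfaces, LSP names and connection names are hypothetical.

```python
"""Cross-check remote-interface-switch statements between two provider edge switches.

Added example, not Juniper's code. Both configurations are constructed and the
loopback addresses, interfaces, LSP names and connection names are hypothetical.
The check applies the rule given for remote-interface-switch: transmit-lsp names
an LSP defined on the local PE (under protocols mpls) toward the remote PE, and
receive-lsp names the LSP the remote PE defined toward the local PE. It also
confirms that the connection's interface carries family ccc.
"""
import re

PE1_CONFIG = """
interfaces {
    ge-0/0/5 { unit 0 { family ccc; } }
    lo0 { unit 0 { family inet { address 10.255.0.1/32; } } }
}
protocols {
    mpls { label-switched-path lsp_pe1_to_pe2 to 10.255.0.2; }
    connections {
        remote-interface-switch pe1-to-pe2 {
            interface ge-0/0/5.0;
            transmit-lsp lsp_pe1_to_pe2;
            receive-lsp lsp_pe2_to_pe1;
        }
    }
}
"""
# PE2 carries a deliberate mistake: its receive-lsp names an LSP that PE1 never defined.
PE2_CONFIG = """
interfaces {
    ge-0/0/3 { unit 0 { family ccc; } }
    lo0 { unit 0 { family inet { address 10.255.0.2/32; } } }
}
protocols {
    mpls { label-switched-path lsp_pe2_to_pe1 to 10.255.0.1; }
    connections {
        remote-interface-switch pe2-to-pe1 {
            interface ge-0/0/3.0;
            transmit-lsp lsp_pe2_to_pe1;
            receive-lsp lsp_pe1_to_pe2x;
        }
    }
}
"""


def parse(text):
    """Flatten JUNOS brace syntax into one tuple of words per leaf statement."""
    entries, stack = [], []
    for chunk, delim in re.findall(r"([^{};]*)([{};])", text):
        words = chunk.split()
        if delim == "{":
            stack.append(words)
        elif delim == "}":
            stack.pop()
        elif words:
            entries.append(tuple(w for part in stack for w in part) + tuple(words))
    return entries


def lsps(entries):
    """Map LSP name -> destination from 'protocols mpls label-switched-path name to address'."""
    return {e[3]: e[5] for e in entries
            if e[:3] == ("protocols", "mpls", "label-switched-path") and len(e) == 6 and e[4] == "to"}


def loopback(entries):
    """Return the lo0.0 inet address without its prefix length, or None."""
    for e in entries:
        if e[:7] == ("interfaces", "lo0", "unit", "0", "family", "inet", "address"):
            return e[7].split("/")[0]
    return None


def connections(entries):
    """Map connection name -> {interface, transmit-lsp, receive-lsp}."""
    conns = {}
    for e in entries:
        if e[:3] == ("protocols", "connections", "remote-interface-switch") and len(e) == 6:
            conns.setdefault(e[3], {})[e[4]] = e[5]
    return conns


def ccc_interfaces(entries):
    """Set of logical interfaces configured with family ccc, written as 'ge-x/y/z.unit'."""
    return {f"{e[1]}.{e[3]}" for e in entries
            if e[0] == "interfaces" and e[2] == "unit" and e[4:] == ("family", "ccc")}


def check_pair(local_cfg, remote_cfg):
    """Problems found in the local PE's connections, judged against the remote PE's config."""
    local, remote = parse(local_cfg), parse(remote_cfg)
    local_lo, remote_lo = loopback(local), loopback(remote)
    local_lsps, remote_lsps, ccc = lsps(local), lsps(remote), ccc_interfaces(local)
    problems = []
    for name, c in connections(local).items():
        iface, tx, rx = c.get("interface"), c.get("transmit-lsp"), c.get("receive-lsp")
        if iface not in ccc:  # a missing statement shows up here as None
            problems.append(f"{name}: interface {iface} has no family ccc")
        if local_lsps.get(tx) != remote_lo:
            problems.append(f"{name}: transmit-lsp {tx} is not a local LSP to {remote_lo}")
        if remote_lsps.get(rx) != local_lo:
            problems.append(f"{name}: receive-lsp {rx} is not an LSP on the remote PE to {local_lo}")
    return problems


if __name__ == "__main__":
    print("PE1:", check_pair(PE1_CONFIG, PE2_CONFIG) or "ok")
    print("PE2:", check_pair(PE2_CONFIG, PE1_CONFIG) or "ok")
```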

revert-timer

Syntax
revert-timer seconds;

Hierarchy Level
[edit protocols mpls],
[edit protocols mpls label-switched-path lsp-name]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Specify the amount of time that a label switched path (LSP) must wait before traffic reverts to a primary path. If during this time the primary path experiences any connectivity problem or stability problem, the timer is restarted.
If you have configured a value of 0 seconds for the revert-timer statement and traffic is switched to the secondary path, the traffic remains on that path indefinitely. It is never switched back to the primary path unless you intervene.

Default
60 seconds

Options
seconds: Value in seconds.
Range: 0 through 65,535 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

rsvp

Syntax
rsvp;

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Enable Resource Reservation Protocol (RSVP) signaling. The primary purpose of RSVP in JUNOS Software for EX Series switches is to support dynamic signaling within label switched paths (LSPs).

Default
RSVP is disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
Configuring MPLS on Provider Switches (CLI Procedure) on page 1535
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

secondary

Syntax
secondary path-name {
  standby;
}

Hierarchy Level
[edit protocols mpls label-switched-path lsp-name]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Specify one or more secondary paths to use for the label switched path (LSP). You can configure more than one secondary path. All secondary paths are equal, and the first one that is available is chosen.

Options
path-name: Name of a secondary path that you created with the path statement.
The remaining statement is explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

standby

Syntax
standby;

Hierarchy Level
[edit protocols mpls label-switched-path lsp-name secondary path-name]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Enable the path to remain up at all times to provide instant switchover if connectivity problems occur.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring Path Protection in an MPLS Network (CLI Procedure) on page 1527

traffic-engineering

Syntax
traffic-engineering;

Hierarchy Level
[edit protocols ospf]
[edit protocols isis]

Release Information
Statement introduced in JUNOS Release 9.5 for EX Series switches.

Description
Enable the traffic-engineering features of the specified routing protocol.

Default
Traffic-engineering support is disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
Configuring MPLS on Provider Switches (CLI Procedure) on page 1535
Configuring an OSPF Network (J-Web Procedure) on page 775
JUNOS Software MPLS Applications Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos95/index.html

Chapter 86

Operational Mode Commands for MPLS

show connections

Syntax
show connections
<brief | extensive>
<all | remote-interface-switch>
<down | up | up-down>
<history>
<labels>
<name>
<status>

Release Information
Command introduced in JUNOS Release 9.5 for EX Series switches.

Description
Display information about the configured circuit cross-connect (CCC) connections.

Options
none: Display the standard level of output for all configured CCC connections on all logical systems.
brief | extensive: (Optional) Display the specified level of output.
all: (Optional) Display all connections.
down | up | up-down: (Optional) Display nonoperational, operational, or both kinds of connections.
history: (Optional) Display information about connection history.
labels: (Optional) Display labels used for transmit and receive LSPs.
name: (Optional) Display information about the specified connection only.
remote-interface-switch: (Optional) Display remote interface switch connections only.
status: (Optional) Display information about the connection and interface status.

Required Privilege Level
view

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

List of Sample Output
show connections on page 1561
show connections brief on page 1561
show connections down on page 1562
show connections extensive on page 1562
show connections history on page 1562
show connections labels on page 1562
show connections <name> on page 1562
show connections remote-interface-switch on page 1562
show connections status on page 1563
Output Fields
Table 210 on page 1561 describes the output fields for the show connections command. Output fields are listed in the approximate order in which they appear.

Table 210: show connections Output Fields

CCC and TCC connections [Link Monitoring On | Off]
  Whether link monitoring is enabled: On or Off.

Legend for Status (St)
  Connection or circuit status. See the output's legend for an explanation of the status field values.

Legend for connection types
  Type of connection:
  if-sw: Layer 2 switching cross-connect.
  rmt-if: Remote interface switch. While graceful restart is in progress, rmt-if will display a state (St) of Restart.

Legend for circuit types
  Type of circuit:
  intf: Interface circuit.
  tlsp: Transmit LSP circuit.
  rlsp: Receive LSP circuit.

Connection/Circuit
  Name of the configured CCC connection.

Type
  Type of connection.

St
  State of the connection.

Time last up
  Time that the connection or circuit last transitioned to the Up (operational) state.

# Up trans
  Number of times that the connection or circuit has transitioned to the Up (operational) state.

show connections
user@switch> show connections
Connection/Circuit              Type        St      Time last up          # Up trans
ge1-to-pe2                      rmt-if      Up      Jun 26 18:37:25            1
  ge-0/0/5.0                    intf        Up
  lsp_pe1_to_ge1_pe2            tlsp        Up
  lsp_pe2_to_ge1_pe1            rlsp        Up

show connections brief
user@switch> show connections brief
Connection/Circuit              Type        St      Time last up          # Up trans
ge-1_to_pe2                     rmt-if      Up      Jan 29 13:07:56            1

show connections down
user@switch> show connections down
No matching connections found.

show connections extensive
user@switch> show connections extensive
Connection/Circuit              Type        St      Time last up          # Up trans
ge1_to_pe2                      rmt-if      Up      Jan 29 13:07:56            1
  ge-0/0/5.0                    intf        Up
  lsp_pe1_to_ge1_pe2            tlsp        Up
  lsp_pe2_to_ge1_pe1            rlsp        Up
    Incoming labels: 299776
    Outgoing labels: Push 300112

show connections history
user@switch> show connections history
Connection/Circuit              Type        St      Time last up          # Up trans
ge1-to-pe2                      rmt-if      RmtDn   Jan 29 13:07:56            1
  Time              Event               Interface/Label     # Paths Rcv Xmt
  Jan 29 13:07:56   CCC status update                               1   1
  Jan 29 13:07:55   TLSP up             300112@1:0, 1               1   1
  Jan 29 13:07:55   TLSP down           300112@1                    1   0
  Jan 29 13:07:55   TLSP up             300112@1:0, 4097            1   1
  Jan 29 13:07:54   RLSP up             299776                      1   0
  Jan 29 13:01:08   Remote CCC down                                 0   0
  Jan 29 13:01:08   Interface up        ge-0/0/0.10                 0   0
  Jan 29 13:01:06   Interface down      ge-0/0/0.10                 0   0
  Jan 29 13:01:04   Remote CCC down                                 0   0
  Jan 29 13:01:02   Interface down                                  0   0

show connections labels
user@switch> show connections labels
Connection/Circuit              Type        St      Time last up          # Up trans
ge1-to-pe2                      rmt-if      Up      Jun 26 18:37:25            1
    Incoming labels: 299776
    Outgoing labels: Push 299792

show connections <name>
user@switch> show connections ge1-to-pe2
Connection/Circuit              Type        St      Time last up          # Up trans
ge1_to_pe2                      rmt-if      Up      Jan 29 13:07:56            1
  ge-0/0/5.0                    intf        Up
  lsp_pe1_to_ge1_pe2            tlsp        Up
  lsp_pe2_to_ge1_pe1            rlsp        Up

show connections remote-interface-switch
user@switch> show connections remote-interface-switch
Connection/Circuit              Type        St      Time last up          # Up trans
xcon10_ge0_to_239               rmt-if      Up      Jan 29 13:07:56            1
  ge-0/0/0.10                   intf        Up
  lsp_to_240_10                 tlsp        Up
  lsp_to_239_10                 rlsp        Up
xcon11_ge0_to_239               rmt-if      Up      Jan 29 13:07:57            1
  ge-0/0/0.11                   intf        Up
  lsp_to_240_11                 tlsp        Up
  lsp_to_239_11                 rlsp        Up

show connections status
user@switch> show connections status
Connection/Circuit              Type        St      Time last up          # Up trans
xcon10_ge0_to_239               rmt-if      Up      Jan 29 13:07:56            1
  ge-0/0/0.10                   intf        Up
  lsp_to_240_10                 tlsp        Up
  lsp_to_239_10                 rlsp        Up
xcon11_ge0_to_239               rmt-if      Up      Jan 29 13:07:57            1
  ge-0/0/0.11                   intf        Up
  lsp_to_240_11                 tlsp        Up
  lsp_to_239_11                 rlsp        Up
show route forwarding-table

Syntax
show route forwarding-table
<detail | extensive | summary>
<ccc ccc-interface-name>
<destination>
<family family-name>
<label label>
<matching ip_prefix>
<multicast>
<vpn vpn>

Release Information
Command introduced in JUNOS Release 9.5 for EX Series switches.

Description
Display the Routing Engine's forwarding table, including the network-layer prefixes and their next hops. This command is used to help verify that the routing protocol process has relayed the correct information to the forwarding table. The Routing Engine constructs and maintains one or more routing tables. From the routing tables, the Routing Engine derives a table of active routes, called the forwarding table.

Options
none: Display the routes in the forwarding table.
detail | extensive | summary: (Optional) Display the specified level of output.
ccc: (Optional) Display the specified circuit cross-connect interface name for entries to match.
destination: (Optional) Display the destination prefix.
family family-name: (Optional) Display routing table entries for the specified family: inet, inet6, iso, mpls.
label label: (Optional) Display route entries for the specified label name.
matching ip_prefix: (Optional) Display route entries for the specified IP prefix.
multicast: (Optional) Display route entries for multicast routes.
vpn vpn: (Optional) Display route entries for the specified VPN.

Required Privilege Level
view

Related Topics
Example: Configuring MPLS on EX Series Switches on page 1511
Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530
Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

List of Sample Output
show route forwarding-table on page 1566
show route forwarding-table summary on page 1567
show route forwarding-table extensive on page 1567
show route forwarding-table ccc on page 1568
show route forwarding-table family on page 1568
show route forwarding-table label on page 1569
show route forwarding-table matching on page 1569
show route forwarding-table multicast on page 1569

Output Fields
Table 211 on page 1565 lists the output fields for the show route forwarding-table command. Output fields are listed in the approximate order in which they appear. Field names might be abbreviated (as shown in parentheses) when no level of output is specified or when the detail keyword is used instead of the extensive keyword.

Table 211: show route forwarding-table Output Fields

Routing table
  Name of the routing table (for example, inet, inet6, mpls).
  Level of output: All levels

Address family
  Address family (for example, IP, IPv6, ISO, MPLS).
  Level of output: All levels

Destination
  Destination of the route.
  Level of output: detail, extensive

Route Type (Type)
  How the route was placed into the forwarding table. When the detail keyword is used, the route type might be abbreviated (as shown in parentheses):
  cloned (clon): (TCP or multicast only) Cloned route.
  destination (dest): Remote addresses directly reachable through an interface.
  destination down (iddn): Destination route for which the interface is unreachable.
  interface cloned (ifcl): Cloned route for which the interface is unreachable.
  route down (ifdn): Interface route for which the interface is unreachable.
  ignore (ignr): Ignore this route.
  interface (intf): Installed as a result of configuring an interface.
  permanent (perm): Routes installed by the kernel when the routing table is initialized.
  user: Routes installed by the routing protocol process or as a result of the configuration.
  Level of output: All levels

Route reference (RtRef)
  Number of routes to reference.
  Level of output: detail, extensive

Flags
  Route type flags:
  none: No flags are enabled.
  accounting: Route has accounting enabled.
  cached: Cache route.
  incoming-iface interface-number: Check against incoming interface.
  prefix load balance: Load balancing is enabled for this prefix.
  sent to PFE: Route has been sent to the Packet Forwarding Engine.
  static: Static route.
  Level of output: extensive

Nexthop
  IP address of the next hop to the destination.
  Level of output: detail, extensive

Next hop type (Type)
  Next-hop type. When the detail keyword is used, the next-hop type might be abbreviated (as indicated in parentheses):
  broadcast (bcst): Broadcast.
  deny: Deny.
  hold: Next hop is waiting to be resolved into a unicast or multicast type.
  indexed (idxd): Indexed next hop.
  indirect (indr): Indirect next hop.
  local (locl): Local address on an interface.
  routed multicast (mcrt): Regular multicast next hop.
  multicast (mcst): Wire multicast next hop (limited to the LAN).
  multicast discard (mdsc): Multicast discard.
  multicast group (mgrp): Multicast group member.
  receive (recv): Receive.
  reject (rjct): Discard. An ICMP unreachable message was sent.
  resolve (rslv): Resolving the next hop.
  unicast (ucst): Unicast.
  unilist (ulst): List of unicast next hops. A packet sent to this next hop goes to any next hop in the list.
  Level of output: detail, extensive

Index
  Software index of the next hop that is used to route the traffic for a given prefix.
  Level of output: detail, extensive, none

Route interface-index
  Logical interface index from which the route is learned. For example, for interface routes, this is the logical interface index of the route itself. For static routes, this field is zero. For routes learned through routing protocols, this is the logical interface index from which the route is learned.
  Level of output: extensive

Reference (NhRef)
  Number of routes that refer to this next hop.
  Level of output: none, detail, extensive

Next-hop interface (Netif)
  Interface used to reach the next hop.
  Level of output: none, detail, extensive

show route forwarding-table
user@switch> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     2 0:12:f2:21:cf:0    ucst   333     5 me0.0
default            perm     0                    rjct    36     2
0.0.0.0/32         perm     0                    dscd    34     1
2.2.2.0/24         intf     0                    rslv  1309     1 ae0.0
2.2.2.0/32         dest     0 2.2.2.0            recv  1307     1 ae0.0
2.2.2.1/32         dest     0 0:21:59:cc:89:c0   ucst  1320     1 ae0.0
2.2.2.2/32         intf     0 2.2.2.2            locl  1308     2
2.2.2.2/32         dest     0 2.2.2.2            locl  1308     2
2.2.2.255/32       dest     0 2.2.2.255          bcst  1306     1 ae0.0
3.3.3.0/24         intf     0                    rslv  1313     1 ae1.0
3.3.3.0/32         dest     0 3.3.3.0            recv  1311     1 ae1.0
3.3.3.1/32         intf     0 3.3.3.1            locl  1312     2
3.3.3.1/32         dest     0 3.3.3.1            locl  1312     2
3.3.3.2/32         dest     0 0:21:59:cc:89:c1   ucst  1321    24 ae1.0
3.3.3.255/32       dest     0 3.3.3.255          bcst  1310     1 ae1.0
4.4.4.0/24         user     0 3.3.3.2            ucst  1321    24 ae1.0
8.8.8.8/32         user     0 3.3.3.2            ucst  1321    24 ae1.0
9.9.9.9/32         intf     0 9.9.9.9            locl  1280     1
10.10.10.10/32     user     0 3.3.3.2            ucst  1321    24 ae1.0
10.93.8.0/21       intf     0                    rslv   323     1 me0.0
10.93.8.0/32       dest     0 10.93.8.0          recv   321     1 me0.0
10.93.13.238/32    intf     0 10.93.13.238       locl   322     2
10.93.13.238/32    dest     0 10.93.13.238       locl   322     2
10.93.15.254/32    dest     0 0:12:f2:21:cf:0    ucst   333     5 me0.0
10.93.15.255/32    dest     0 10.93.15.255       bcst   320     1 me0.0
14.14.14.0/24      ifdn     0                    rslv  1319     1 ge-0/0/25.0
14.14.14.0/32      iddn     0 14.14.14.0         recv  1317     1 ge-0/0/25.0
14.14.14.2/32      user     0                    rjct    36     2
14.14.14.2/32      intf     0 14.14.14.2         locl  1318     2
14.14.14.2/32      iddn     0 14.14.14.2         locl  1318     2
14.14.14.255/32    iddn     0 14.14.14.255       bcst  1316     1 ge-0/0/25.0
224.0.0.0/4        perm     1                    mdsc    35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    31     3
224.0.0.5/32       user     1 224.0.0.5          mcst    31     3
255.255.255.255/32 perm     0                    bcst    32     1

show route forwarding-table summary
user@switch> show route forwarding-table summary
Routing table: default.inet
Internet:
    user:   6 routes
    perm:   5 routes
    intf:   8 routes
    dest:  12 routes
    ifdn:   1 routes
    iddn:   3 routes

show route forwarding-table extensive
user@switch> show route forwarding-table extensive
Routing table: default.inet [Index 0]
Internet:
Destination:  default
  Route type: user
  Route reference: 2                   Route interface-index: 0
  Flags: sent to PFE, rt nh decoupled
  Nexthop: 0:12:f2:21:cf:0
  Next-hop type: unicast               Index: 333      Reference: 5
  Next-hop interface: me0.0

Destination:  default
  Route type: permanent
  Route reference: 0                   Route interface-index: 0
  Flags: none
  Next-hop type: reject                Index: 36       Reference: 2

Destination:  0.0.0.0/32
  Route type: permanent
  Route reference: 0                   Route interface-index: 0
  Flags: sent to PFE
  Next-hop type: discard               Index: 34       Reference: 1

Destination:  2.2.2.0/24
  Route type: interface
  Route reference: 0                   Route interface-index: 66
  Flags: sent to PFE
  Next-hop type: resolve               Index: 1309     Reference: 1
  Next-hop interface: ae0.0

Destination:  2.2.2.0/32
  Route type: destination
  Route reference: 0                   Route interface-index: 66
  Flags: sent to PFE
  Nexthop: 2.2.2.0
  Next-hop type: receive               Index: 1307     Reference: 1
  Next-hop interface: ae0.0

Destination:  2.2.2.1/32
  Route type: destination
  Route reference: 0                   Route interface-index: 0
  Flags: sent to PFE
  Nexthop: 0:21:59:cc:89:c0
  Next-hop type: unicast               Index: 1320     Reference: 1
  Next-hop interface: ae0.0

Destination:  2.2.2.2/32
  Route type: interface
  Route reference: 0                   Route interface-index: 66
  Flags: sent to PFE
  Nexthop: 2.2.2.2
  Next-hop type: local                 Index: 1308     Reference: 2

Destination:  2.2.2.2/32
  Route type: destination
  Route reference: 0                   Route interface-index: 66
  Flags: none
  Nexthop: 2.2.2.2
  Next-hop type: local                 Index: 1308     Reference: 2

Destination:  2.2.2.255/32
  Route type: destination
  Route reference: 0                   Route interface-index: 66
  Flags: sent to PFE
  Nexthop: 2.2.2.255
  Next-hop type: broadcast             Index: 1306     Reference: 1
  Next-hop interface: ae0.0

show route forwarding-table ccc
user@switch> show route forwarding-table ccc ge-0/0/0.10
Routing table: default.mpls
MPLS:
Destination        Type RtRef Next hop           Type Index NhRef Netif
ge-0/0/0.10 (CCC)  user     0 3.3.3.2            Push 300112  1343     2 ae1.0
show route forwarding-table family
user@switch> show route forwarding-table family mpls
Routing table: default.mpls
MPLS:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    dscd    50     1
0                  user     0                    recv    49     3
1                  user     0                    recv    49     3
2                  user     0                    recv    49     3
299776             user     0                    Pop   1334     2 ge-0/0/0.10
299792             user     0                    Pop   1339     2 ge-0/0/0.14
299808             user     0                    Pop   1341     2 ge-0/0/0.2
299824             user     0                    Pop   1344     2 ge-0/0/0.11
299840             user     0                    Pop   1345     2 ge-0/0/0.13
299856             user     0                    Pop   1346     2 ge-0/0/0.18
299872             user     0                    Pop   1347     2 ge-0/0/0.16
299888             user     0                    Pop   1348     2 ge-0/0/0.7
299904             user     0                    Pop   1349     2 ge-0/0/0.20
299920             user     0                    Pop   1350     2 ge-0/0/0.19
299936             user     0                    Pop   1351     2 ge-0/0/0.17
299952             user     0                    Pop   1352     2 ge-0/0/0.9
299968             user     0                    Pop   1353     2 ge-0/0/0.1
299984             user     0                    Pop   1354     2 ge-0/0/0.12
300000             user     0                    Pop   1355     2 ge-0/0/0.8
300016             user     0                    Pop   1356     2 ge-0/0/0.4
300032             user     0                    Pop   1357     2 ge-0/0/0.5
300048             user     0                    Pop   1358     2 ge-0/0/0.3
300064             user     0                    Pop   1359     2 ge-0/0/0.15
ge-0/0/0.1 (CCC)   user     0 3.3.3.2            Push 300064  1340     2 ae1.0
ge-0/0/0.2 (CCC)   user     0 3.3.3.2            Push 299872  1328     2 ae1.0
ge-0/0/0.3 (CCC)   user     0 3.3.3.2            Push 299792  1323     2 ae1.0
ge-0/0/0.4 (CCC)   user     0 3.3.3.2            Push 300016  1337     2 ae1.0
ge-0/0/0.5 (CCC)   user     0 3.3.3.2            Push 299824  1325     2 ae1.0
ge-0/0/0.7 (CCC)   user     0 3.3.3.2            Push 299920  1331     2 ae1.0
ge-0/0/0.8 (CCC)   user     0 3.3.3.2            Push 299840  1326     2 ae1.0
ge-0/0/0.9 (CCC)   user     0 3.3.3.2            Push 299888  1329     2 ae1.0
ge-0/0/0.10 (CCC)  user     0 3.3.3.2            Push 300112  1343     2 ae1.0
ge-0/0/0.11 (CCC)  user     0 3.3.3.2            Push 299776  1322     2 ae1.0
ge-0/0/0.12 (CCC)  user     0 3.3.3.2            Push 299952  1333     2 ae1.0
ge-0/0/0.13 (CCC)  user     0 3.3.3.2            Push 300096  1342     2 ae1.0
ge-0/0/0.14 (CCC)  user     0 3.3.3.2            Push 299984  1335     2 ae1.0
ge-0/0/0.15 (CCC)  user     0 3.3.3.2            Push 299936  1332     2 ae1.0
ge-0/0/0.16 (CCC)  user     0 3.3.3.2            Push 299808  1324     2 ae1.0
ge-0/0/0.17 (CCC)  user     0 3.3.3.2            Push 300000  1336     2 ae1.0
ge-0/0/0.18 (CCC)  user     0 3.3.3.2            Push 300032  1338     2 ae1.0
ge-0/0/0.19 (CCC)  user     0 3.3.3.2            Push 299904  1330     2 ae1.0
ge-0/0/0.20 (CCC)  user     0 3.3.3.2            Push 299856  1327     2 ae1.0

user@switch> show route forwarding-table label 29976


Routing table: default.mpls
MPLS:
Destination
Type RtRef Next hop
299776
user
0

Type Index NhRef Netif


Pop
1334
2 ge-0/0/0.10

show route
forwarding-table
matching

user@switch> show route forwarding-table matching 3

show route
forwarding-table
multicast

user@switch> show route forwarding-table multicast

Routing table: default.inet


Internet:

Routing table: default.inet


Internet:
Destination
Type RtRef Next hop
224.0.0.0/4
perm
1
224.0.0.1/32
perm
0 224.0.0.1
224.0.0.5/32
user
1 224.0.0.5

Type Index NhRef Netif


mdsc
35
1
mcst
31
3
mcst
31
3

Routing table: __master.anon__.inet


Internet:
Destination
Type RtRef Next hop
224.0.0.0/4
perm
0

Type Index NhRef Netif


mdsc 1289
1

show route forwarding-table

1569

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

224.0.0.1/32

perm

0 224.0.0.1

Routing table: default.inet6


Internet6:
Destination
Type RtRef Next hop
ff00::/8
perm
0
ff02::1/128
perm
0 ff02::1

1570

show route forwarding-table

mcst

1285

Type Index NhRef Netif


mdsc
43
1
mcst
39
1

Chapter 86: Operational Mode Commands for MPLS
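As an added example (not part of the JUNOS guide and not JUNOS code), here is a small Python parser for the tabular output of show route forwarding-table family mpls shown above, together with a check that every CCC interface appears both as the Destination of a Push entry (frames leaving the switch for the remote PE) and as the Netif of a Pop entry (labelled packets arriving for that interface). The sample text is constructed from the rows above, with ge-0/0/0.2 and ge-0/0/0.3 deliberately reduced to one direction each so that the check has something to report; the column regex and the names FwdEntry, parse_mpls_forwarding_table and ccc_problems are this example's own.

```python
"""Added example, not from the JUNOS guide: parse the tabular output of
`show route forwarding-table family mpls` and check CCC cross-connects."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One data row: Destination Type RtRef [Next hop] Type [Label] Index NhRef [Netif].
# "Next hop" and "Netif" may be empty, a Push row carries its label before the
# next-hop index, and a CCC destination contains a space ("ge-0/0/0.10 (CCC)").
ROW_RE = re.compile(
    r"^(?P<dest>\S+(?: \(CCC\))?)\s+"
    r"(?P<rtype>\w+)\s+"
    r"(?P<rtref>\d+)\s+"
    r"(?:(?P<nexthop>[\d.]+)\s+)?"
    r"(?P<nhtype>\w+)\s+"
    r"(?:(?P<label>\d+)\s+(?=\d+\s+\d+))?"   # label only if two numbers follow
    r"(?P<index>\d+)\s+"
    r"(?P<nhref>\d+)"
    r"(?:\s+(?P<netif>\S+))?$"
)


@dataclass
class FwdEntry:
    destination: str
    route_type: str
    rt_ref: int
    next_hop: Optional[str]
    nh_type: str
    label: Optional[int]
    index: int
    nh_ref: int
    netif: Optional[str]


def parse_mpls_forwarding_table(text: str) -> List[FwdEntry]:
    """Return the data rows; header, 'Routing table:' and 'MPLS:' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        entries.append(FwdEntry(
            destination=m["dest"],
            route_type=m["rtype"],
            rt_ref=int(m["rtref"]),
            next_hop=m["nexthop"],
            nh_type=m["nhtype"],
            label=int(m["label"]) if m["label"] else None,
            index=int(m["index"]),
            nh_ref=int(m["nhref"]),
            netif=m["netif"],
        ))
    return entries


def ccc_problems(entries: List[FwdEntry]) -> List[str]:
    """List CCC interfaces that lack either direction of the cross-connect."""
    pushes = {e.destination.split()[0] for e in entries
              if e.nh_type == "Push" and e.destination.endswith("(CCC)")}
    pops = {e.netif for e in entries if e.nh_type == "Pop" and e.netif}
    problems = []
    for ifname in sorted(pushes | pops):
        if ifname not in pushes:
            problems.append(f"{ifname}: no outbound Push entry")
        if ifname not in pops:
            problems.append(f"{ifname}: no inbound Pop entry")
    return problems


# Constructed input: a subset of the sample output above, with ge-0/0/0.2
# (Pop only) and ge-0/0/0.3 (Push only) left half-configured on purpose.
SAMPLE_OUTPUT = """\
Routing table: default.mpls
MPLS:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    dscd    50     1
0                  user     0                    recv    49     3
1                  user     0                    recv    49     3
2                  user     0                    recv    49     3
299776             user     0                    Pop   1334     2 ge-0/0/0.10
299792             user     0                    Pop   1339     2 ge-0/0/0.14
299808             user     0                    Pop   1341     2 ge-0/0/0.2
ge-0/0/0.10 (CCC)  user     0 3.3.3.2            Push 300112  1343     2 ae1.0
ge-0/0/0.14 (CCC)  user     0 3.3.3.2            Push 299984  1335     2 ae1.0
ge-0/0/0.3 (CCC)   user     0 3.3.3.2            Push 299792  1323     2 ae1.0
"""

if __name__ == "__main__":
    for problem in ccc_problems(parse_mpls_forwarding_table(SAMPLE_OUTPUT)):
        print(problem)
```

Run as a script it reports the two half-configured interfaces; fed the full table above it reports nothing, which is the quick way to confirm that every Layer 2 circuit has both a label to push and a label to pop.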

show mpls interface

Syntax

show mpls interface

Release Information

Command introduced in JUNOS Release 9.5 for EX Series switches.

Description

Display information about MPLS-enabled interfaces. MPLS is enabled on an interface
when the interface is configured with both the set protocols mpls interface
interface-name and set interfaces interface-name unit 0 family mpls commands.

Required Privilege Level

view

Related Topics

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

List of Sample Output

show mpls interface on page 1571

Output Fields

Table 212 on page 1571 describes the output fields for the show mpls interface
command. Output fields are listed in the approximate order in which they appear.

Table 212: show mpls interface Output Fields

Field Name
    Field Description

Interface
    Name of the interface.

State
    State of the interface: Up or Dn (down).

Administrative groups
    Administratively assigned colors of the link.

show mpls interface

user@switch> show mpls interface
Interface        State  Administrative groups
so-1/0/0.0       Up     Blue Yellow Red

show rsvp session

Syntax

show rsvp session
<brief | detail | extensive | terse>
<bidirectional | unidirectional>
<down | up>
<interface interface-name>
<lsp-type>
<name session-name>
<session-type>
<statistics>
<te-link te-link>

Release Information

Command introduced in JUNOS Release 9.5 for EX Series switches.

Description

Display information about Resource Reservation Protocol (RSVP) sessions.

Options

none: Display standard information about all RSVP sessions.

brief | detail | extensive | terse: (Optional) Display the specified level of output.

bidirectional | unidirectional: (Optional) Display information about bidirectional or
unidirectional RSVP sessions only, respectively.

down | up: (Optional) Display only LSPs that are inactive or active, respectively.

interface interface-name: (Optional) Display RSVP sessions for the specified interface
only.

lsp-type: (Optional) Display information about RSVP sessions with regard to LSPs:

    bypass: Sessions used for bypass LSPs.

    lsp: Sessions used to set up LSPs.

    nolsp: Sessions not used to set up LSPs.

name session-name: (Optional) Display information about the named session.

session-type: (Optional) Display information about a particular session type:

    egress: Sessions that terminate on this switch.

    ingress: Sessions that originate from this switch.

    transit: Sessions that transit through this switch.

statistics: (Optional) Display packet statistics.

te-link te-link: (Optional) Display sessions with reservations on the specified
traffic-engineered link name.

Required Privilege Level

view

Related Topics

Example: Configuring MPLS on EX Series Switches on page 1511

Configuring MPLS on Provider Edge Switches (CLI Procedure) on page 1530

Configuring MPLS on Provider Switches (CLI Procedure) on page 1535

JUNOS Software MPLS Applications Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos95/index.html

List of Sample Output

show rsvp session on page 1574

show rsvp session statistics on page 1575

show rsvp session detail on page 1575

show rsvp session extensive on page 1575

Output Fields

Table 213 on page 1573 describes the output fields for the show rsvp session command.
Output fields are listed in the approximate order in which they appear.

Table 213: show rsvp session Output Fields

Field Name (Level of Output)
    Field Description

Ingress RSVP (detail)
    Information about ingress RSVP sessions.

Ingress RSVP (All levels)
    Information about ingress RSVP sessions. Each session has one line of output.

Egress RSVP (All levels)
    Information about egress RSVP sessions.

Transit RSVP (All levels)
    Information about the transit RSVP sessions.

To (All levels)
    Destination (egress switch) of the session.

From (All levels)
    Source (ingress switch) of the session.

State (All levels)
    State of the path: Up, Down, or AdminDn. AdminDn indicates that the LSP is being
    taken down gracefully.

Address (detail)
    Destination (egress switch) of the LSP.

LSPstate (brief, detail)
    State of the LSP that is being handled by this RSVP session. It can be either
    Up, Dn (down), or AdminDn. AdminDn indicates that the LSP is being taken down
    gracefully.

Rt (brief)
    Number of active routes (prefixes) that have been installed in the routing table.
    For ingress RSVP sessions, the routing table is the primary IPv4 table (inet.0).
    For transit and egress RSVP sessions, the routing table is the primary MPLS table
    (mpls.0).

ActiveRoute (detail)
    Number of active routes (prefixes) that have been installed in the forwarding
    table. For ingress RSVP sessions, the forwarding table is the primary IPv4 table
    (inet.0). For transit and egress RSVP sessions, the forwarding table is the primary
    MPLS table (mpls.0).

LSPname (brief, detail)
    Name of the LSP.

LSPpath (detail)
    Indicates whether the RSVP session is for the primary or secondary LSP path.
    LSPpath can be either primary or secondary and can be displayed on the ingress,
    egress, and transit switches. LSPpath can also indicate when a graceful LSP
    deletion has been triggered.

Table 213: show rsvp session Output Fields (continued)

Recovery label received (detail)
    (When LSP is bidirectional) Label the upstream node suggests for use in the
    Resv message that is sent.

Recovery label sent (detail)
    (When LSP is bidirectional) Label the downstream node suggests for use in its
    Resv messages that is returned.

Suggested label received (detail)
    (When LSP is bidirectional) Label the upstream node suggests for use in the
    Resv message that is sent.

Suggested label sent (detail)
    (When LSP is bidirectional) Label the downstream node suggests for use in its
    Resv message that is returned.

Resv style or Style (brief, detail)
    RSVP reservation style. This field consists of two parts. The first is the number
    of active reservations. The second is the reservation style, which can be FF
    (fixed filter), SE (shared explicit), or WF (wildcard filter).

Label in (brief, detail)
    Incoming label for this LSP.

Label out (brief, detail)
    Outgoing label for this LSP.

Time left (brief, detail)
    Number of seconds remaining in the lifetime of the reservation.

Since (detail)
    Date and time when the RSVP session was initiated.

Tspec (detail)
    Sender's traffic specification, which describes the sender's traffic parameters.

Port number (detail)
    Protocol ID and sender/receiver port used in this RSVP session.

Creating backup LSP, link down (extensive)
    A link down event occurred, and traffic is being switched over to the bypass
    LSP.

Deleting backup LSP, protected LSP restored (extensive)
    Link has come back up and the LSP has been restored. Because the backup
    LSP is no longer needed, it is deleted.

PATH rcvfrom (detail)
    Address of the previous-hop (upstream) switch or client, interface the neighbor
    used to reach this switch, and number of packets received from the
    upstream neighbor.

show rsvp session

user@switch> show rsvp session
Ingress RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
10.255.245.214  10.255.245.212  AdminDn  0  1 FF           22293 LSP Bidir
Total 1 displayed, Up 1, Down 0
Egress RSVP: 2 sessions
To              From            State   Rt Style Labelin Labelout LSPname
10.255.245.194  10.255.245.195  Up       0  1 FF   39811        - Gpro3-ba Bidir
10.255.245.194  10.255.245.195  Up       0  1 FF       3        - pro3-ba
Total 2 displayed, Up 2, Down 0
Transit RSVP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
10.255.245.198  10.255.245.197  Up          1 SE  100000        3 pro3-de
Total 1 displayed, Up 1, Down 0

show rsvp session statistics

user@switch> show rsvp session statistics
Ingress RSVP: 2 sessions
To              From            State   Packets     Bytes     LSPname
10.255.245.24   10.255.245.22   Up            0         0     pro3-bd
10.255.245.24   10.255.245.22   Up        44868   2333136     pro3-bd-2
Total 2 displayed, Up 2, Down 0
Egress RSVP: 2 sessions
To              From            State   Packets     Bytes     LSPname
10.255.245.22   10.255.245.24   Up            0         0     pro3-db
10.255.245.22   10.255.245.24   Up            0         0     pro3-db-2
Total 2 displayed, Up 2, Down 0
Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0

show rsvp session detail

user@switch> show rsvp session detail
Ingress RSVP: 1 sessions
1.1.1.1
  From: 2.2.2.2, LSPstate: Up, ActiveRoute: 0
  LSPname: to-a, LSPpath: Primary
  Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 3
  Resv style: 1 FF, Label in: -, Label out: 3
  Time left:    -, Since: Fri Mar 26 18:42:42 2004
  Tspec: rate 300kbps size 300kbps peak Infbps m 20 M 1500
  DiffServ info: diffServ-TE LSP, bandwidth: <ct1 300kbps>
  Port number: sender 1 receiver 15876 protocol 0
  PATH rcvfrom: localclient
  Adspec: sent MTU 1500
  PATH sentto: 192.168.37.16 (t1-0/2/1.0) 1 pkt

show rsvp session extensive

user@switch> show rsvp session extensive
8.8.8.8
  From: 9.9.9.9, LSPstate: Up, ActiveRoute: 0
  LSPname: lsp_to_240, LSPpath: Primary
  Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 322832
  Resv style: 1 FF, Label in: -, Label out: 322832
  Time left:    -, Since: Thu Feb 26 16:25:39 2009
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 44542 protocol 0
  PATH rcvfrom: localclient
  Adspec: sent MTU 1500
  Path MTU: received 1500
  PATH sentto: 3.3.3.2 (xe-0/1/0.0) 238 pkts
  RESV rcvfrom: 3.3.3.2 (xe-0/1/0.0) 234 pkts
  Explct route: 3.3.3.2 4.4.4.2

Part 17

Network Management and Monitoring

Understanding Network Monitoring on page 1579

Configuring Network Monitoring on page 1583

Verifying Network Monitoring on page 1593

Understanding Port Mirroring on page 1595

Examples of Configuring Port Mirroring on page 1599

Configuring Port Mirroring on page 1613

Configuration Statements for Port Mirroring on page 1619

Operational Mode Commands for Port Mirroring on page 1633

Understanding sFlow Technology on page 1635

Example of sFlow Technology Configuration on page 1637

Configuring sFlow Technology on page 1643

Configuration Statements for sFlow Technology on page 1645

Operational Mode Commands for sFlow Technology on page 1657

Understanding Ethernet OAM Link Fault Management on page 1661

Example of Ethernet OAM Link Fault Management Configuration on page 1663

Configuring Ethernet OAM Link Fault Management on page 1667

Configuration Statements for Ethernet OAM Link Fault Management on page 1671

Operational Mode Commands for Ethernet OAM Link Fault Management on page 1689

Configuration Statements for Network Management on page 1695

Chapter 87

Understanding Network Monitoring

Understanding Real-Time Performance Monitoring on EX Series Switches on page 1579

Understanding Real-Time Performance Monitoring on EX Series Switches

Real-time performance monitoring (RPM) enables you to configure active probes to
track and monitor traffic across the network and investigate network problems. You
can use RPM with Juniper Networks EX Series Ethernet Switches.
The ways in which you can use RPM include:

Monitor time delays between devices.

Monitor time delays at the protocol level.

Set thresholds to trigger SNMP traps when values are exceeded. You can configure
thresholds for round-trip time, ingress or egress delay, standard deviation, jitter,
successive lost probes, and total lost probes per test. (SNMP trap results are stored
in pingResultsTable, jnxPingResultsTable, jnxPingProbeHistoryTable, and
pingProbeHistoryTable.)

Determine automatically whether a path exists between a host router or switch
and its configured Border Gateway Protocol (BGP) neighbors. You can view the
results of the discovery using an SNMP client.

Use the history of the most recent 50 probes to analyze trends in your network
and predict future needs.

RPM provides MIB support with extensions for RFC 2925, Definitions of Managed
Objects for Remote Ping, Traceroute, and Lookup Operations.
This topic includes:

RPM Packet Collection on page 1580

Tests and Probe Types on page 1580

Hardware Timestamps on page 1580

Limitations of RPM on page 1582

RPM Packet Collection


Probes collect packets per destination and per application, including PING Internet
Control Message Protocol (ICMP) packets, User Datagram Protocol and Transmission
Control Protocol (UDP/TCP) packets with user-configured ports, user-configured
Differentiated Services code point (DSCP) type-of-service (ToS) packets, and Hypertext
Transfer Protocol (HTTP) packets.

Tests and Probe Types


A test can contain multiple probes. The probe type specifies the packet and protocol
contents of the probe.
EX Series switches support the following tests and probe types:

Ping tests:

ICMP echo probe

ICMP timestamp probe

HTTP tests:

HTTP get probe (not available for BGP RPM services)

HTTP get metadata probe

UDP and TCP tests with user-configured ports:

UDP echo probe

TCP connection probe

UDP timestamp probe

Hardware Timestamps

To account for latency in the communication of probe messages, you can enable
timestamping of the probe packets (hardware timestamps). If hardware timestamps
are not configured, then timers are generated at the software level and are less
accurate than they would have been with hardware timestamps.

NOTE: EX Series switches support hardware timestamps for UDP and ICMP probes.
EX Series switches do not support hardware timestamps for HTTP or TCP probes.
You should configure both the requester and the responder (see Figure 80 on page
1581) to timestamp the RPM packets in order to get more meaningful results. If you
do not configure timestamps on the responder, for example, if the responder does
not support hardware timestamps, RPM can only report round-trip measurements
that include the processing time on the responder.

NOTE: Hardware timestamps are supported on all EX Series switches and on the
Adaptive Services and MultiServices PICs for M-series and T-series routing platforms.

Figure 80 on page 1581 shows the timestamps:

Figure 80: RPM Timestamps

T1 is the time the packet leaves the requester port.

T2 is the time the responder receives the packet.

T3 is the time the responder sends the response.

T4 is the time the requester receives the response.

The round-trip time is (T2 - T1) + (T4 - T3). If the responder does not support
hardware timestamps, then the round-trip time is (T4 - T1) / 2, and thus includes
the processing time of the responder.
You can use RPM probes to find the following time measurements:

Minimum round-trip time

Maximum round-trip time

Average round-trip time

Standard deviation of the round-trip time

Jitter of the round-trip time: the difference between the minimum and maximum
round-trip time

NOTE: Configure timestamps by specifying the destination interface using the
destination-interface statement at the [edit services rpm probe probe-owner test
test-name] hierarchy level on the requester. (For configuration details, see the JUNOS
Software Services Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos93.) Also, on the responder, specify
the RPM client (the requester) using the rpm client statement at the [edit interfaces
interface-name unit logical-unit-number] hierarchy level.

The RPM feature provides an additional configuration option to set one-way hardware
timestamps. Use one-way timestamps when you want information about one-way
time, rather than round-trip times, for packets to traverse the network between the
requester and the responder. As shown in Figure 80 on page 1581, one-way timestamps
represent the time T2 - T1 and the time T4 - T3. Use one-way timestamps
when you want to gather information about delay in each direction and to find egress
and ingress jitter values.
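To make the timestamp arithmetic concrete, the following Python block (an added example, not code from the JUNOS guide or from JUNOS) computes the round-trip time (T2 - T1) + (T4 - T3), the one-way egress (T2 - T1) and ingress (T4 - T3) times, and the minimum, maximum, standard deviation and jitter over a probe history, using constructed microsecond timestamps. It also covers the two failure modes the text raises: a responder without hardware timestamps, where it falls back to the (T4 - T1) / 2 formula given above, and an unsynchronized responder clock, whose offset cancels out of the round-trip figure but lands fully in the one-way figures. ProbeSample, rpm_report and shift_responder_clock are this example's own names.

```python
"""Added example, not from the JUNOS guide: RPM delay arithmetic from the
T1..T4 timestamps, applied to constructed probe samples."""
from dataclasses import dataclass, replace
from statistics import pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProbeSample:
    """One probe. Times are microseconds read from each device's own clock.
    t2/t3 are None when the responder did not hardware-timestamp the packet;
    t4 is None when no response came back (a lost probe)."""
    t1: float                 # T1: requester sends the probe
    t2: Optional[float]       # T2: responder receives it
    t3: Optional[float]       # T3: responder sends the response
    t4: Optional[float]       # T4: requester receives the response

    def responder_timestamped(self) -> bool:
        return self.t2 is not None and self.t3 is not None

    def round_trip(self) -> Optional[float]:
        if self.t4 is None:
            return None
        if self.responder_timestamped():
            # (T2 - T1) + (T4 - T3): wire time only, the responder's
            # processing time (T3 - T2) is excluded.
            return (self.t2 - self.t1) + (self.t4 - self.t3)
        # Responder without hardware timestamps: the guide's (T4 - T1) / 2,
        # which still contains the responder's processing time.
        return (self.t4 - self.t1) / 2

    def egress(self) -> Optional[float]:
        """One-way time requester -> responder (T2 - T1); needs responder stamps."""
        return self.t2 - self.t1 if self.responder_timestamped() else None

    def ingress(self) -> Optional[float]:
        """One-way time responder -> requester (T4 - T3)."""
        if self.t4 is None or not self.responder_timestamped():
            return None
        return self.t4 - self.t3


def summarize(values: List[float]) -> Dict[str, float]:
    """Min, max, average, standard deviation and jitter (max - min, as the
    guide defines it) over a probe history."""
    return {"min": min(values), "max": max(values),
            "avg": sum(values) / len(values), "stddev": pstdev(values),
            "jitter": max(values) - min(values)}


def rpm_report(samples: List[ProbeSample]) -> Dict[str, object]:
    """The measurements the guide lists: probes sent, responses received,
    percentage lost, round-trip statistics and, when the responder timestamps
    packets, egress and ingress statistics."""
    answered = [s for s in samples if s.t4 is not None]
    report: Dict[str, object] = {
        "probes_sent": len(samples),
        "responses_received": len(answered),
        "loss_pct": 100.0 * (len(samples) - len(answered)) / len(samples),
    }
    rtts = [s.round_trip() for s in answered]
    if rtts:
        report["round_trip"] = summarize(rtts)
    egress = [s.egress() for s in answered if s.egress() is not None]
    ingress = [s.ingress() for s in answered if s.ingress() is not None]
    if egress and ingress:
        report["egress"] = summarize(egress)
        report["ingress"] = summarize(ingress)
    return report


def shift_responder_clock(sample: ProbeSample, offset_us: float) -> ProbeSample:
    """Model an unsynchronized responder clock: T2 and T3 move by the offset.
    The offset cancels in the round trip but lands fully in the one-way values,
    which is why the guide requires synchronized clocks for one-way results."""
    if not sample.responder_timestamped():
        return sample
    return replace(sample, t2=sample.t2 + offset_us, t3=sample.t3 + offset_us)


# Constructed samples: roughly 300 us each way, 50 to 60 us of responder
# processing, and one lost probe.
SAMPLES = [
    ProbeSample(t1=0, t2=300, t3=350, t4=650),
    ProbeSample(t1=1_000_000, t2=1_000_320, t3=1_000_380, t4=1_000_700),
    ProbeSample(t1=2_000_000, t2=2_000_280, t3=2_000_340, t4=2_000_640),
    ProbeSample(t1=3_000_000, t2=None, t3=None, t4=None),
]

if __name__ == "__main__":
    print(rpm_report(SAMPLES))
```

A one-second clock skew on the responder turns a 300 microsecond egress time into about 1,000,300 microseconds while leaving the round trip at 600, which is the "orders of magnitude" effect the note below warns about.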

NOTE: For correct one-way measurement, the clocks of the requester and responder
must be synchronized. If the clocks are not synchronized, one-way jitter
measurements and calculations can include significant variations, in some cases
orders of magnitude greater than the round-trip times.

When you enable one-way timestamps in a probe, the following one-way
measurements are reported:

Minimum, maximum, standard deviation, and jitter measurements for egress
and ingress times

Number of probes sent

Number of probe responses received

Percentage of lost probes

Limitations of RPM

Two-way Active Measurement Protocol (TWAMP) is not supported on EX Series
switches.

EX Series switches do not support user-configured class-of-service (CoS) classifiers
or prioritization of RPM packets over regular data packets received on an input
interface.

Timestamps:

    If the responder does not support hardware timestamps, RPM can only report
    the round-trip measurements and cannot calculate round-trip jitter.

    EX Series switches do not support hardware timestamps for HTTP and TCP
    probes.

    Timestamps apply only to IPv4 traffic.

Related Topics

JUNOS Software Services Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos93

Understanding How to Use sFlow Technology for Network Monitoring on an EX
Series Switch on page 1635

Configuring SNMP (J-Web Procedure) on page 777

Monitoring Hosts Using the J-Web Ping Host Tool on page 139

Monitoring Network Traffic Using Traceroute on page 143

Chapter 88

Configuring Network Monitoring

Configuring Real-Time Performance Monitoring (J-Web Procedure) on page 1583

Configuring Real-Time Performance Monitoring (J-Web Procedure)


Real-time performance monitoring (RPM) in EX Series switches enables you to
configure and send probes to a specified target and monitor the analyzed results to
determine packet loss, round-trip time, and jitter. Jitter is the difference in relative
transit time between two consecutive probes. You can set up probe owners and
configure one or more performance probe tests under each probe owner.
The ways in which you can use RPM include:

Monitor time delays between devices.

Monitor time delays at the protocol level.

Set thresholds to trigger SNMP traps when threshold values are exceeded. You
can configure thresholds for round-trip time, ingress or egress delay, standard
deviation, jitter, successive lost probes, and total lost probes per test.

Determine automatically whether a path exists between a host switch and its
configured Border Gateway Protocol (BGP) neighbors. You can view the results
of the discovery using an SNMP client.

Use the history of the most recent 50 probes to analyze trends in your network
and predict future needs.

Probes collect packets per destination and per application, including PING Internet
Control Message Protocol (ICMP) packets, User Datagram Protocol and Transmission
Control Protocol (UDP/TCP) packets with user-configured ports, user-configured
Differentiated Services code point (DSCP) type-of-service (ToS) packets, and Hypertext
Transfer Protocol (HTTP) packets.
EX Series switches support the following tests and probe types:

Ping tests:

ICMP echo

ICMP timestamp

HTTP tests:


HTTP get (not available for BGP RPM services)

UDP and TCP tests with user-configured ports:

UDP echo

TCP connection

UDP timestamp

To account for latency in the communication of probe messages, you can enable
timestamping of the probe packets. You should configure both the requester and the
responder to timestamp the RPM packets. The RPM feature provides an additional
configuration option to set one-way hardware timestamps. Use one-way timestamps
when you want information about one-way, rather than round-trip, times for packets
to traverse the network between the requester and the responder.

NOTE:

EX Series switches support hardware timestamps for UDP and ICMP probes. EX
Series switches do not support hardware timestamps for HTTP or TCP probes.

If the responder does not support hardware timestamps, RPM can only report
the round-trip measurements; it cannot calculate round-trip jitter.

In EX Series switches, timestamps apply only to IPv4 traffic.

To configure RPM using the J-Web interface:

1. Select Troubleshoot > RPM > Configure RPM.

2. In the Configure RPM page, enter information as specified in Table 214 on page
   1585.

   a. Click Add to set up the Owner Name and Performance Probe Tests.

   b. Select a probe owner from the Probe Owners list and click Delete to remove the
      selected probe owner.

   c. Double-click one of the probe owners in the Probe Owners list to display the list
      of performance probe tests.

   d. Double-click one of the performance probe tests to edit the test parameters.

3. Enter the Maximum Number of Concurrent Probes and specify the Probe Servers.

4. Click Apply to apply the RPM probe settings.
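The following Python block is an added example (not part of the JUNOS guide or of J-Web) that checks an RPM test definition offline against the ranges and dependencies the tables below give for the J-Web form: the 1 through 15 probe count, the port rule of 7 or 49160 through 65535, the 6-bit DSCP pattern, the 1h through 800h data fill, the microsecond thresholds, the routing-instance restriction to ICMP probes, and the note above that hardware timestamps are not supported for HTTP or TCP probes. The dictionary keys, the constructed GOOD_TEST and BAD_TEST definitions and the function names are this example's own choices, not J-Web field identifiers.

```python
"""Added example, not from the JUNOS guide: validate an RPM test definition
against the field ranges and dependencies of the J-Web RPM form."""
import re
from typing import Any, Dict, List, Tuple

PROBE_TYPES = {"http-get", "http-get-metadata", "icmp-ping", "icmp-ping-timestamp",
               "tcp-ping", "udp-ping", "udp-ping-timestamp"}
PORT_BASED = {"tcp-ping", "udp-ping", "udp-ping-timestamp"}
NO_HW_TIMESTAMP = {"http-get", "http-get-metadata", "tcp-ping"}  # HTTP and TCP probes
ICMP_ONLY = {"icmp-ping", "icmp-ping-timestamp"}                # routing instance applies here
MICROSECONDS = (0, 60_000_000)

# Numeric fields and their inclusive ranges from Table 215 (keys are this
# example's own names for the form fields).
RANGES: Dict[str, Tuple[int, int]] = {
    "history_size": (0, 255),
    "interval": (1, 255),
    "test_interval": (0, 86400),
    "probe_count": (1, 15),
    "moving_average_size": (0, 255),
    "data_size": (0, 65507),
    "successive_lost_probes": (0, 15),
    "lost_probes": (0, 15),
    "round_trip_time": MICROSECONDS,
    "jitter": MICROSECONDS,
    "standard_deviation": MICROSECONDS,
    "egress_time": MICROSECONDS,
    "ingress_time": MICROSECONDS,
    "jitter_egress_time": MICROSECONDS,
    "jitter_ingress_time": MICROSECONDS,
    "egress_standard_deviation": MICROSECONDS,
    "ingress_standard_deviation": MICROSECONDS,
}
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def valid_probe_port(port: int) -> bool:
    """Tables 214/215: port 7 or a port from 49160 through 65535."""
    return port == 7 or 49160 <= port <= 65535


def rpm_test_problems(test: Dict[str, Any]) -> List[str]:
    """Return every rule the definition breaks; an empty list means it passes."""
    problems: List[str] = []
    ptype = test.get("probe_type")
    if ptype not in PROBE_TYPES:
        problems.append(f"probe_type {ptype!r} is not one of the J-Web probe types")
    if not test.get("test_name"):
        problems.append("test_name is required")

    target = test.get("target", "")
    quad = DOTTED_QUAD.match(target)
    if quad:
        if any(int(octet) > 255 for octet in quad.groups()):
            problems.append(f"target {target!r} is not a valid dotted-decimal address")
    elif not target.startswith("http://"):
        problems.append("target must be a dotted-decimal address or a URL that includes http://")

    for field, (lo, hi) in RANGES.items():
        if field in test and not lo <= test[field] <= hi:
            problems.append(f"{field}={test[field]} is outside {lo} through {hi}")

    if "destination_port" in test and not valid_probe_port(test["destination_port"]):
        problems.append(f"destination_port={test['destination_port']} must be 7 or 49160 through 65535")
    if ptype in PORT_BASED and "destination_port" not in test:
        problems.append(f"{ptype} needs a destination_port and a remote probe receiver on it")

    dscp = test.get("dscp_bits")
    if dscp is not None and not re.fullmatch(r"[01]{6}", dscp):
        problems.append(f"dscp_bits {dscp!r} is not a 6-bit pattern")

    fill = test.get("data_fill")
    if fill is not None:
        m = re.fullmatch(r"([0-9a-fA-F]+)h", fill)
        if not m or not 0x1 <= int(m.group(1), 16) <= 0x800:
            problems.append(f"data_fill {fill!r} must be a hexadecimal value from 1h through 800h")

    wants_hw = test.get("one_way_hardware_timestamp") or test.get("destination_interface")
    if wants_hw and ptype in NO_HW_TIMESTAMP:
        problems.append(f"hardware timestamps are not supported for {ptype} probes")

    if "routing_instance" in test and ptype not in ICMP_ONLY:
        problems.append("routing_instance applies only to icmp-ping and icmp-ping-timestamp probes")
    return problems


# Constructed test definitions: one that passes and one that breaks six rules.
GOOD_TEST = {"test_name": "udp-to-core", "probe_type": "udp-ping-timestamp",
             "target": "192.0.2.10", "destination_port": 50000, "probe_count": 15,
             "interval": 1, "history_size": 50, "dscp_bits": "101110",
             "one_way_hardware_timestamp": True, "destination_interface": "ge-0/0/1.0",
             "round_trip_time": 50000}
BAD_TEST = {"test_name": "web-check", "probe_type": "tcp-ping", "target": "192.0.2.300",
            "destination_port": 8080, "probe_count": 20, "data_fill": "fffh",
            "one_way_hardware_timestamp": True, "routing_instance": "vr1"}

if __name__ == "__main__":
    for problem in rpm_test_problems(BAD_TEST):
        print(problem)
```

Running it as a script prints the six violations in BAD_TEST; the same function applied to GOOD_TEST returns an empty list. Checking a definition this way before typing it into the form catches the cross-field mistakes (a TCP probe with hardware timestamps, a routing instance on a non-ICMP probe) that per-field range checking alone would miss.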

Table 214: RPM Probe Owner, Concurrent Probes, and Probe Servers Configuration Fields

Each entry gives the Field, its Function, and Your Action.

Probe Owners
    Function: Identifies an owner for whom one or more RPM tests are configured. In most
    implementations, the owner name identifies a network on which a set of tests is
    being run.
    Your Action:
    1. Click Add and type an owner name.
    2. In Performance Probe Tests, click Add to define the RPM test parameters. See
       Table 215 on page 1585 for information on configuring RPM test parameters.
    3. Click OK to save the settings or Cancel to exit from the window without saving
       the changes.

Maximum Number of Concurrent Probes
    Function: Specifies the maximum number of concurrent probes allowed.
    Your Action: Type a number from 1 through 500.

Probe Servers
    Function: Specifies the servers that act as receivers and transmitters for the probes.
    Your Action: Set up the following servers:
    TCP Probe Server: Specifies the port on which the device is to receive and transmit
    TCP probes. Type the number 7 (a standard TCP port number) or a port number from
    49160 through 65535.
    UDP Probe Server: Specifies the port on which the device is to receive and transmit
    UDP probes. Type the number 7 (a standard TCP port number) or a port number from
    49160 through 65535.
Table 215: Performance Probe Tests Configuration Fields


Field

Function

Your Action

Test Name

Identifies the RPM test.

Type a test name.

Target (Address or URL)

Specifies the IP address or the URL of


the probe target.

Type the IP address in dotted decimal


notation or the URL of the probe target.
If the target is a URL, type a fully formed
URL that includes http://.

Source Address

Specifies the IP address to be used as the


probe source address.

Type the source address to be used for


the probe. If you do not supply this
value, the packet uses the outgoing
interface's address as the probe source
address.

Routing Instance

Specifies the routing instance over which


the probe is sent.

Type the routing instance name. The


routing instance applies only to icmp-ping
and icmp-ping-timestamp probe types. The
default routing instance is inet.0.

Identification

Configuring Real-Time Performance Monitoring (J-Web Procedure)

1585

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 215: Performance Probe Tests Configuration Fields (continued)


Field

Function

Your Action

History Size

Specifies the number of probe results to


be saved in the probe history.

Type a number from 0 through 255. The


default history size is 50.

1586

Configuring Real-Time Performance Monitoring (J-Web Procedure)

Chapter 88: Configuring Network Monitoring

Table 215: Performance Probe Tests Configuration Fields (continued)


Field

Function

Your Action

Configuring Real-Time Performance Monitoring (J-Web Procedure)

1587

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 215: Performance Probe Tests Configuration Fields (continued)


Field

Function

Your Action

Specifies the type of probe to send as


part of the test.

Select a probe type from the list:

Request Information

Probe Type

http-get

http-get-metadata

icmp-ping

icmp-ping-timestamp

tcp-ping

udp-ping

udp-ping-timestamp

Interval

Sets the wait time (in seconds) between


probe transmissions.

Type a number from 1 through 255 .

Test Interval

Sets the wait time (in seconds) between


tests.

Type a number from 0 through 86400 .

Probe Count

Sets the total number of probes to be


sent for each test.

Type a number from 1 through 15.

Moving Average Size

Specifies the number of samples to be


used in the statistical calculation
operations to be performed across a
number of the most recent samples.

Type a number from 0 through 255.

Destination Port

Specifies the TCP or UDP port to which


probes are sent.

Type the number 7 (a standard TCP or


UDP port number) or a port number
from 49160 through 65535.

To use TCP or UDP probes, you must


configure the remote server as a probe
receiver. Both the probe server and the
remote server must be Juniper Networks
network devices configured to receive
and transmit RPM probes on the same
TCP or UDP port.
DSCP Bits

Specifies the Differentiated Services code


point (DSCP) bits. This value must be a
valid 6-bit pattern.

Type a valid 6-bit pattern.

Data Size

Specifies the size (in bytes) of the data


portion of the ICMP probes.

Type a number from 0 through 65507.

Data Fill

Specifies the hexadecimal value of the


data portion of the ICMP probes.

Type a hexadecimal value from 1h


through 800h .

One Way Hardware Timestamp

Enables one-way hardware timestamp.

To enable timestamping, select the check


box.

Destination Interface

Enables hardware timestamp on the


specified interface.

Select an interface from the list.

Hardware Timestamp

1588

Configuring Real-Time Performance Monitoring (J-Web Procedure)

Chapter 88: Configuring Network Monitoring

Table 215: Performance Probe Tests Configuration Fields (continued)

Maximum Probe Thresholds

Successive Lost Probes
  Function: Sets the number of probes that can be lost successively; if exceeded,
  triggers a probe failure and generates a system log message.
  Your Action: Type a number from 0 through 15.

Lost Probes
  Function: Sets the number of probes that can be lost; if exceeded, triggers a
  probe failure and generates a system log message.
  Your Action: Type a number from 0 through 15.

Round Trip Time
  Function: Sets the round-trip time (in microseconds) from the switch to the
  remote server; if exceeded, triggers a probe failure and generates a system log
  message.
  Your Action: Type a number from 0 through 60000000.

Jitter
  Function: Sets the jitter (in microseconds); if exceeded, triggers a probe
  failure and generates a system log message.
  Your Action: Type a number from 0 through 60000000.

Standard Deviation
  Function: Sets the maximum allowable standard deviation (in microseconds); if
  exceeded, triggers a probe failure and generates a system log message.
  Your Action: Type a number from 0 through 60000000.

Egress Time
  Function: Sets the one-way time (in microseconds) from the switch to the remote
  server; if exceeded, triggers a probe failure and generates a system log
  message.
  Your Action: Type a number from 0 through 60000000.

Ingress Time
  Function: Sets the one-way time (in microseconds) from the remote server to the
  switch; if exceeded, triggers a probe failure and generates a system log
  message.
  Your Action: Type a number from 0 through 60000000 (microseconds).

Jitter Egress Time
  Function: Sets the outbound-time jitter (in microseconds); if exceeded, triggers
  a probe failure and generates a system log message.
  Your Action: Type a number from 0 through 60000000.

Jitter Ingress Time
  Function: Sets the inbound-time jitter (in microseconds); if exceeded, triggers
  a probe failure and generates a system log message.
  Your Action: Type a number from 0 through 60000000.

Egress Standard Deviation
  Function: Sets the maximum allowable standard deviation of outbound times (in
  microseconds); if exceeded, triggers a probe failure and generates a system log
  message.
  Your Action: Type a number from 0 through 60000000.

Complete Software Guide for JUNOS Software for EX Series Ethernet Switches, Release 9.6

Table 215: Performance Probe Tests Configuration Fields (continued)

Ingress Standard Deviation
  Function: Sets the maximum allowable standard deviation of inbound times (in
  microseconds); if exceeded, triggers a probe failure and generates a system log
  message.
  Your Action: Type a number from 0 through 60000000.

Traps

Egress Jitter Exceeded
  Function: Generates SNMP traps when the threshold for jitter in outbound time is
  exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Egress Standard Deviation Exceeded
  Function: Generates SNMP traps when the threshold for standard deviation in
  outbound times is exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Egress Time Exceeded
  Function: Generates SNMP traps when the threshold for maximum outbound time is
  exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Ingress Jitter Exceeded
  Function: Generates SNMP traps when the threshold for jitter in inbound time is
  exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Ingress Standard Deviation Exceeded
  Function: Generates SNMP traps when the threshold for standard deviation in
  inbound times is exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Ingress Time Exceeded
  Function: Generates SNMP traps when the threshold for maximum inbound time is
  exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Jitter Exceeded
  Function: Generates SNMP traps when the threshold for jitter in round-trip time
  is exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Probe Failure
  Function: Generates SNMP traps when the threshold for the number of successive
  lost probes is exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

RTT Exceeded
  Function: Generates SNMP traps when the threshold for maximum round-trip time is
  exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Standard Deviation Exceeded
  Function: Generates SNMP traps when the threshold for standard deviation in
  round-trip times is exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Test Completion
  Function: Generates SNMP traps when a test is completed.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Test Failure
  Function: Generates SNMP traps when the threshold for the total number of lost
  probes is exceeded.
  Your Action: To enable SNMP traps for this condition, select the check box. To
  disable SNMP traps, clear the check box.

Related Topics

Configuring SNMP (J-Web Procedure) on page 777

Viewing Real-Time Performance Monitoring Information on page 1593
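As an added illustration that is not part of the guide, the following Python script models how one test's probe results are judged against the loss and round-trip thresholds of Table 215 and which of the table's trap conditions would be raised. It reads "if exceeded" as strictly greater than the threshold, and it assumes jitter is the spread between the largest and smallest round-trip sample, which the table does not define.

```python
"""Evaluate RPM probe results against Table 215 thresholds.

Added example, not JUNOS code. It models the threshold semantics in Table 215
for probe loss and the round-trip quantities: successive lost probes, total
lost probes, round-trip time, jitter and standard deviation. "If exceeded" is
read as strictly greater than the threshold. Jitter is taken as the spread
between the largest and smallest round-trip sample (an assumption; the page
does not state how the switch computes it). All times are in microseconds.
"""
from dataclasses import dataclass
from statistics import pstdev
from typing import List, Optional

# Upper bounds of the ranges Table 215 allows for each field.
MAX_LOST = 15
MAX_TIME_US = 60_000_000


@dataclass
class Thresholds:
    successive_lost_probes: int = MAX_LOST
    lost_probes: int = MAX_LOST
    round_trip_time: int = MAX_TIME_US
    jitter: int = MAX_TIME_US
    standard_deviation: int = MAX_TIME_US

    def validate(self) -> None:
        """Reject values outside the ranges the J-Web form accepts."""
        limits = (("successive_lost_probes", MAX_LOST),
                  ("lost_probes", MAX_LOST),
                  ("round_trip_time", MAX_TIME_US),
                  ("jitter", MAX_TIME_US),
                  ("standard_deviation", MAX_TIME_US))
        for name, limit in limits:
            value = getattr(self, name)
            if not 0 <= value <= limit:
                raise ValueError(f"{name}={value} outside 0 through {limit}")


def longest_loss_run(samples: List[Optional[int]]) -> int:
    """Length of the longest run of consecutive lost probes (None entries)."""
    longest = run = 0
    for rtt in samples:
        run = run + 1 if rtt is None else 0
        longest = max(longest, run)
    return longest


def evaluate_test(samples: List[Optional[int]], t: Thresholds) -> List[str]:
    """Return the trap conditions a completed test would raise.

    samples holds one round-trip time per probe, None for a lost probe.
    The returned names match the Traps rows of Table 215.
    """
    t.validate()
    events: List[str] = []
    if longest_loss_run(samples) > t.successive_lost_probes:
        events.append("Probe Failure")          # successive lost probes
    if samples.count(None) > t.lost_probes:
        events.append("Test Failure")           # total lost probes
    rtts = [s for s in samples if s is not None]
    if rtts:
        if max(rtts) > t.round_trip_time:
            events.append("RTT Exceeded")
        if max(rtts) - min(rtts) > t.jitter:    # assumed jitter definition
            events.append("Jitter Exceeded")
        if pstdev(rtts) > t.standard_deviation:
            events.append("Standard Deviation Exceeded")
    return events


if __name__ == "__main__":
    # Constructed probe results: six probes, two lost back to back, one slow.
    results = [1200, 1500, None, None, 1800, 9000]
    limits = Thresholds(successive_lost_probes=1, lost_probes=3,
                        round_trip_time=5000, jitter=10000,
                        standard_deviation=2000)
    print(evaluate_test(results, limits))
```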


Chapter 89

Verifying Network Monitoring

Viewing Real-Time Performance Monitoring Information on page 1593

Viewing Real-Time Performance Monitoring Information

Real-time performance monitoring (RPM) on EX Series switches enables you to
configure and send probes to a specified target and monitor the analyzed results to
determine packet loss, round-trip time, and jitter. The J-Web interface provides a
graphical view of RPM information for EX Series switches.
To view the RPM information using the J-Web interface:

1. Select Troubleshoot>RPM>View RPM.

2. Select the Round Trip Time check box to display the graph with round-trip time
included. Clear the check box to view the graph without the round-trip time.

3. From the Refresh Time list, select a refresh time interval for the graph.

Related Topics

Configuring Real-Time Performance Monitoring (J-Web Procedure) on page 1583

Chapter 90

Understanding Port Mirroring

Port Mirroring on EX Series Switches Overview on page 1595

Port Mirroring on EX Series Switches Overview


Use port mirroring to facilitate analyzing traffic on your switch on a packet level. Use
port mirroring as part of monitoring switch traffic for such purposes as enforcing
policies concerning network usage and file sharing, and identifying sources of
problems on your network by locating abnormal or heavy bandwidth usage from
particular stations or applications.
Port mirroring copies packets entering or exiting an interface, or entering a VLAN in
a Juniper Networks EX3200 or EX4200 Ethernet Switch or exiting a VLAN in a Juniper
Networks EX8200 Ethernet Switch, to either a local interface for local monitoring or
to a VLAN for remote monitoring.

Port Mirroring Overview on page 1595

Port Mirroring Terminology on page 1597

Port Mirroring Overview


Port mirroring is needed for traffic analysis on a switch because a switch, unlike a
hub, does not broadcast packets to every port on the device. The switch sends packets
only to the port to which the destination device is connected. You configure port
mirroring on the switch to send copies of unicast traffic to either a local analyzer
interface or an analyzer VLAN. Then you can analyze the mirrored traffic using a
protocol analyzer application. The protocol analyzer application can run either on a
computer connected to the analyzer output interface or on a remote monitoring
station.
We recommend that you disable port mirroring when you are not using it, and select
specific interfaces as input to the port mirror analyzer in preference to using the all
keyword. You can also limit the amount of mirrored traffic by using statistical
sampling, setting a ratio to select a statistical sample, or using a firewall filter.
Mirroring only the necessary packets reduces any potential performance impact.
With local port mirroring, traffic from multiple ports is replicated to the analyzer
output interface. If the output interface for an analyzer reaches capacity, packets are
dropped. You should consider whether the traffic being mirrored exceeds the capacity
of the analyzer output interface.


You can use port mirroring on a Juniper Networks EX Series Ethernet Switch to mirror
any of the following:

Packets entering or exiting a port: In any combination. For example, you can
send copies of the packets entering some ports and the packets exiting other
ports to the same local analyzer port or analyzer VLAN.

Packets entering or exiting a Layer 3 port: In any combination. For example,
you can send copies of the packets entering some ports and the packets exiting
other ports to the same local analyzer port or analyzer VLAN.

Packets entering a VLAN in an EX3200 or EX4200 switch: You can mirror the
packets entering a VLAN in an EX3200 or EX4200 switch to either a local analyzer
port or to an analyzer VLAN. You can configure multiple VLANs (up to 256),
including a VLAN range and PVLANs, as ingress input to an analyzer.

Packets exiting a VLAN in an EX8200 switch: You can mirror the packets exiting
a VLAN in an EX8200 switch to either a local analyzer port or to an analyzer
VLAN. You can configure multiple VLANs (up to 256), including a VLAN range and
PVLANs, as egress input to an analyzer.

Statistical sample: Sample of the packets entering or exiting a port or entering
a VLAN in an EX3200 or EX4200 switch or exiting a VLAN in an EX8200 switch.
Specify the sample number of packets by setting the ratio. You can send the
sample of packets to either a local analyzer port or to an analyzer VLAN.

Policy-based sample: Sample of packets entering a port or entering a VLAN in
an EX3200 or EX4200 switch or exiting a VLAN in an EX8200 switch. You can
configure a firewall filter to establish a policy to select certain packets. You can
send the sampled packets to a local analyzer interface or to an analyzer VLAN.

NOTE: Juniper Networks JUNOS Software for EX Series switches implements port
mirroring differently than other JUNOS Software packages. JUNOS Software for EX
Series switches does not include the port-mirroring statement found at the [edit
forwarding-options] hierarchy level in other JUNOS Software packages, nor the
port-mirror action in firewall filter terms.

Limitations of Port Mirroring

Port mirroring on EX Series switches has the following limitations:

Seven analyzers (port mirroring configurations) can be configured on a Juniper
Networks EX8208 or EX8216 Ethernet Switch.

Packets with physical layer errors are filtered out and thus are not sent to the
analyzer port or VLAN.

The following interfaces cannot be configured as input to an analyzer:

Dedicated Virtual Chassis ports (VCPs)

Management port (me0 or vme0)

Routed VLAN interfaces (RVIs)

Port Mirroring Terminology

Table 216: Port Mirroring Terminology

Analyzer
  A port-mirroring configuration on an EX Series switch. The analyzer includes:
  The name of the analyzer
  Source (input) ports or VLAN (optional)
  A destination for mirrored packets (either a monitor port or an analyzer VLAN)
  Ratio field for specifying statistical sampling of packets (optional)
  Loss-priority setting

Analyzer output interface
(Also known as monitor interface)
  Interface to which mirrored traffic is sent and to which a protocol analyzer
  application is connected.
  NOTE: Interfaces used as output for a port mirror analyzer must be configured as
  family ethernet-switching.
  The following limitations apply to analyzer output interfaces:
  Cannot also be a source port.
  Cannot be used for switching.
  Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP),
  when it is part of a port mirroring configuration.
  When configured as an analyzer output interface, it loses any existing VLAN
  associations.
  If the bandwidth of the analyzer output interface is not sufficient to handle the
  traffic from the source ports, overflow packets are dropped.

Analyzer VLAN
(Also known as monitor VLAN)
  VLAN to which mirrored traffic is sent. The mirrored traffic can be used by a
  protocol analyzer application. The analyzer VLAN is spread across the switches in
  your network.

Firewall-based analyzer
  An analyzer session that has only an output stanza. A firewall-based analyzer has
  to be used along with a firewall filter to achieve the functionality of an analyzer.

Input interface
(Also known as mirrored ports or monitored interfaces)
  An interface on the switch that is being mirrored, either on traffic entering or
  exiting the interface. An input interface cannot also be an output interface for
  an analyzer.

Mirror ratio
  See statistical sampling.

Monitoring station
  A computer running a protocol analyzer application.

Native analyzer session
  An analyzer session that has both input and output stanzas.

Remote port mirroring
  Functions the same as local port mirroring, except that the mirrored traffic is
  not copied to a local analyzer port but is instead flooded into an analyzer VLAN
  that you create specifically for the purpose of receiving mirrored traffic.

Policy-based mirroring
  Mirroring of packets that match the match items in the defined firewall filter
  term. The action item analyzer analyzer-name is used in the firewall filter to
  send the packets to the port mirror analyzer.

Protocol analyzer application
  An application used to examine packets transmitted across a network segment.
  Also commonly called network analyzer, packet sniffer, or probe.

Statistical sampling
  You can configure the system to mirror a sampling of the packets by setting a
  ratio of 1:x, where x is a value from 1 through 2047.
  For example, when the ratio is set to 1, all packets are copied to the analyzer.
  When the ratio is set to 200, 1 of every 200 packets is copied.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource
Use on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1617 or
Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1613

Firewall Filter Match Conditions and Actions for EX Series Switches on page 1256

Chapter 91

Examples of Configuring Port Mirroring

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource
Use on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource
Use on EX Series Switches
EX Series switches allow you to configure port mirroring to send copies of packets
entering or exiting an interface, or entering a VLAN in an EX3200 or EX4200 switch
or exiting a VLAN in an EX8200 switch, to an analyzer interface or VLAN. You can
analyze the mirrored traffic using a protocol analyzer application installed on a system
connected to the local destination interface (or running on a remote monitoring
station if you are sending mirrored traffic to an analyzer VLAN).
This example describes how to configure an EX Series switch to mirror traffic entering
interfaces connected to employee computers to an analyzer output interface on the
same switch.
This example describes how to configure local port mirroring:

Requirements on page 1599

Overview and Topology on page 1600

Mirroring All Employee Traffic for Local Analysis on page 1600

Mirroring Employee-to-Web Traffic for Local Analysis on page 1602

Verification on page 1604

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX Series switches

One EX Series switch

Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.


Overview and Topology


This topic includes two related examples that describe how to mirror traffic entering
ports on the switch to a destination interface on the same switch. The first example
shows how to mirror all traffic entering the ports connected to employee computers.
The second example shows the same scenario, but includes a filter to mirror only
the employee traffic going to the Web.

Network Topology
In this example, ge-0/0/0 and ge-0/0/1 serve as connections for employee computers.
In this example, one interface, ge-0/0/10, is reserved for analysis of mirrored traffic.
Connect a PC running a protocol analyzer application to the analyzer output interface
to analyze the mirrored traffic.

NOTE: Multiple ports mirrored to one interface can cause buffer overflow and dropped
packets.
Figure 81 on page 1600 shows the network topology for this example.
Figure 81: Network Topology for Local Port Mirroring Example

Mirroring All Employee Traffic for Local Analysis

To configure port mirroring for all employee traffic for local analysis, perform these
tasks:

CLI Quick Configuration

To quickly configure local port mirroring for ingress traffic to the two ports connected
to employee computers, copy the following commands and paste them into the
switch terminal window:

[edit]
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family inet address 192.1.1.1/24
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer employee-monitor output interface ge-0/0/10.0

Step-by-Step Procedure

To configure an analyzer called employee-monitor and specify the input (source)
interfaces and the analyzer output interface:

1. Configure each interface connected to employee computers as an input interface
for the port-mirror analyzer that we are calling employee-monitor:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

2. Configure the output analyzer interface for the employee-monitor analyzer. This
will be the destination interface for the mirrored packets:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

Results

Check the results of the configuration:

[edit]
user@switch# show
ethernet-switching-options {
    analyzer employee-monitor {
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
            }
        }
        output {
            interface {
                ge-0/0/10.0;
            }
        }
    }
}

Mirroring Employee-to-Web Traffic for Local Analysis

To configure port mirroring for employee-to-Web traffic, perform these tasks:

CLI Quick Configuration

To quickly configure local port mirroring of traffic from the two ports connected to
employee computers, filtering so that only traffic to the external Web is mirrored,
copy the following commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set ethernet-switching-options analyzer employee-web-monitor output interface ge-0/0/10.0
set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

Step-by-Step Procedure

To configure local port mirroring of employee-to-Web traffic from the two ports
connected to employee computers:

1. Configure the local analyzer interface:
[edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching

2. Configure the employee-web-monitor analyzer output (the input to the analyzer
comes from the action of the filter):
[edit ethernet-switching-options]
user@switch# set analyzer employee-web-monitor output interface ge-0/0/10.0

3. Configure a firewall filter called watch-employee to send mirrored copies of
employee requests to the Web to the employee-web-monitor analyzer. Accept all
traffic to and from the corporate subnet (destination or source address of
192.0.2.16/28). Send mirrored copies of all packets destined for the Internet
(destination port 80) to the employee-web-monitor analyzer.
[edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor

4. Apply the watch-employee filter to the appropriate ports:
[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

Results

Check the results of the configuration:

[edit]
user@switch# show
ethernet-switching-options {
    analyzer employee-web-monitor {
        output {
            interface ge-0/0/10.0;
        }
    }
}
...
firewall family ethernet-switching {
    filter watch-employee {
        term employee-to-corp {
            from {
                destination-address 192.0.2.16/28;
                source-address 192.0.2.16/28;
            }
            then accept;
        }
        term employee-to-web {
            from {
                destination-port 80;
            }
            then analyzer employee-web-monitor;
        }
    }
}
...
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan members [employee-vlan, voice-vlan];
                filter {
                    input watch-employee;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input watch-employee;
                }
            }
        }
    }
}

Verification
To confirm that the configuration is correct, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created on page 1604

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been
created on the switch with the appropriate input interfaces and appropriate output
interface.

Action

You can verify the port mirror analyzer is configured as expected using the show
analyzer command.
user@switch> show analyzer
Analyzer name                 : employee-monitor
Output interface              : ge-0/0/10.0
Mirror ratio                  : 1
Loss priority                 : Low
Ingress monitored interfaces  : ge-0/0/0.0
Ingress monitored interfaces  : ge-0/0/1.0
Egress monitored interfaces   : None

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every
packet, the default setting), a loss priority of low (set this option to high only when
the analyzer output is to a VLAN), is mirroring the traffic entering the ge-0/0/0 and
ge-0/0/1 interfaces, and is sending the mirrored traffic to the ge-0/0/10 interface.

Related Topics

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1613

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1617

Port Mirroring on EX Series Switches Overview on page 1595
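As an added example that is not part of the guide, the following Python script parses show analyzer output in the layout shown above and checks the analyzer against the rules this chapter and Table 216 state: the output interface cannot also be a source port, the mirror ratio is 1 through 2047, management ports, RVIs and dedicated VCPs cannot be inputs, and loss-priority high is meant only for output to a VLAN. The vcp-N naming used for VCPs and the sample outputs are assumptions constructed for the example.

```python
"""Parse `show analyzer` output and check it against the port-mirroring rules.

Added example, not JUNOS code. The rules come from the chapter text and
Table 216: the output interface cannot also be a source (input) port, the
mirror ratio is 1 through 2047, management ports (me0/vme0), routed VLAN
interfaces (vlan.N) and dedicated Virtual Chassis ports cannot be analyzer
inputs, and loss-priority high is meant only for output to a VLAN.
"""
import re
from typing import Any, Dict, List

# Constructed sample in the layout of the show analyzer output above.
SHOW_ANALYZER = """\
Analyzer name                 : employee-monitor
Output interface              : ge-0/0/10.0
Mirror ratio                  : 1
Loss priority                 : Low
Ingress monitored interfaces  : ge-0/0/0.0
Ingress monitored interfaces  : ge-0/0/1.0
Egress monitored interfaces   : None
"""

# Constructed misconfigured sample: the output port is also an input, the
# ratio is 0, a management port is an input, loss-priority high on a port.
BAD_SHOW_ANALYZER = """\
Analyzer name                 : bad-monitor
Output interface              : ge-0/0/0.0
Mirror ratio                  : 0
Loss priority                 : High
Ingress monitored interfaces  : ge-0/0/0.0
Ingress monitored interfaces  : me0.0
Egress monitored interfaces   : None
"""

# Physical port naming such as ge-0/0/10.0; anything else is treated as a VLAN.
PORT_NAME = re.compile(r"^[a-z]+-\d+/\d+/\d+\.\d+$")
# Interfaces the guide says cannot be analyzer input. "vcp-N" for dedicated
# Virtual Chassis ports is an assumption; the guide gives no name for them.
FORBIDDEN_INPUT = re.compile(r"^(me0|vme0|vlan|vcp-\d+)(\.\d+)?$")


def parse_show_analyzer(text: str) -> Dict[str, Any]:
    """Collect the key : value lines; repeated interface keys become lists."""
    info: Dict[str, Any] = {}
    ingress: List[str] = []
    egress: List[str] = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Analyzer name":
            info["name"] = value
        elif key == "Output interface":
            info["output"] = value
        elif key == "Mirror ratio":
            info["ratio"] = int(value)
        elif key == "Loss priority":
            info["loss_priority"] = value
        elif key == "Ingress monitored interfaces" and value != "None":
            ingress.append(value)
        elif key == "Egress monitored interfaces" and value != "None":
            egress.append(value)
    info["ingress"], info["egress"] = ingress, egress
    return info


def check_analyzer(info: Dict[str, Any], expected_ingress: List[str],
                   expected_egress: List[str], expected_output: str) -> List[str]:
    """Return problem codes; an empty list means the analyzer matches the rules."""
    problems: List[str] = []
    output = str(info.get("output", ""))
    ingress, egress = list(info["ingress"]), list(info["egress"])
    if output != expected_output:
        problems.append("output-mismatch")
    if sorted(ingress) != sorted(expected_ingress):
        problems.append("ingress-mismatch")
    if sorted(egress) != sorted(expected_egress):
        problems.append("egress-mismatch")
    if output in ingress or output in egress:
        problems.append("source-is-output")        # Table 216: cannot also be a source port
    if not 1 <= int(info.get("ratio", 0)) <= 2047:
        problems.append("ratio-out-of-range")      # statistical sampling: 1:x, x in 1..2047
    for name in ingress + egress:
        if FORBIDDEN_INPUT.match(name):
            problems.append(f"forbidden-input:{name}")
    if str(info.get("loss_priority", "")).lower() == "high" and PORT_NAME.match(output):
        problems.append("loss-priority-high-on-interface")
    return problems


if __name__ == "__main__":
    good = parse_show_analyzer(SHOW_ANALYZER)
    print(check_analyzer(good, ["ge-0/0/0.0", "ge-0/0/1.0"], [], "ge-0/0/10.0"))
    bad = parse_show_analyzer(BAD_SHOW_ANALYZER)
    print(check_analyzer(bad, ["ge-0/0/0.0", "me0.0"], [], "ge-0/0/0.0"))
```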

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches
EX Series switches allow you to configure port mirroring to send copies of packets
entering or exiting an interface, or entering a VLAN in an EX3200 or EX4200 switch
or exiting a VLAN in an EX8200 switch, to an analyzer interface or a VLAN. You can
analyze the mirrored traffic using a protocol analyzer application running on a remote
monitoring station if you are sending mirrored traffic to an analyzer VLAN.
This topic includes two related examples that describe how to mirror traffic entering
ports on the switch to the remote-analyzer VLAN so that you can perform analysis
from a remote monitoring station. The first example shows how to mirror all traffic
entering the ports connected to employee computers. The second example shows
the same scenario, but includes a filter to mirror only the employee traffic going to
the Web.
This example describes how to configure remote port mirroring:

Requirements on page 1605

Overview and Topology on page 1605

Mirroring All Employee Traffic for Remote Analysis on page 1606

Mirroring Employee-to-Web Traffic for Remote Analysis on page 1608

Verification on page 1610

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.5 or later for EX Series switches

One EX3200 or EX4200 switch connected to a distribution layer switch

One uplink module to connect to the distribution layer switch

Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.
Input interfaces referred to by the analyzer must already be configured.

Overview and Topology


This topic includes two related examples that describe how to configure port mirroring
to the remote-analyzer VLAN so that analysis can be performed from a remote
monitoring station. The first example shows how to configure an EX Series switch
to mirror all traffic from employee computers. The second example shows the same
scenario, but the setup includes a filter to mirror only the employee traffic going to
the Web.


Figure 82: Remote Port Mirroring Example Network Topology

In this example:

Interface ge-0/0/0 is a Layer 2 interface and interface ge-0/0/1 is a Layer 3
interface; both serve as connections for employee computers.

Interface ge-0/0/10 is a Layer 2 interface that connects to a distribution switch.

VLAN remote-analyzer is configured on all switches in the topology to carry the
mirrored traffic.

NOTE: The interface connected to the remote monitoring station must be a member
of VLAN remote-analyzer, and this VLAN must be configured on all switches between
the monitored switch and the monitoring station.

Mirroring All Employee Traffic for Remote Analysis

To configure port mirroring for remote traffic analysis for all incoming and outgoing
employee traffic, perform these tasks:

CLI Quick Configuration

To quickly configure port mirroring for remote traffic analysis for incoming and
outgoing employee traffic, copy the following commands and paste them into the
switch terminal window:
[edit]
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0
set ethernet-switching-options analyzer employee-monitor loss-priority high
set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer

Step-by-Step Procedure

To configure basic remote port mirroring:

1. Configure the VLAN tag ID for the remote-analyzer VLAN:
[edit vlans]
user@switch# set remote-analyzer vlan-id 999

2. Configure the interface on the uplink module connected to the distribution
switch for trunk mode and associate it with the remote-analyzer VLAN:
[edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999

3. Configure the employee-monitor analyzer:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
user@switch# set analyzer employee-monitor input egress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input egress interface ge-0/0/1.0
user@switch# set analyzer employee-monitor output vlan remote-analyzer

Results

Check the results of the configuration:

[edit]
user@switch# show
ethernet-switching-options {
    analyzer employee-monitor {
        loss-priority high;
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
            }
            egress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
            }
        }
        output {
            vlan {
                remote-analyzer;
            }
        }
    }
}

Mirroring Employee-to-Web Traffic for Remote Analysis

To configure port mirroring for remote traffic analysis of employee-to-Web traffic,
perform these tasks:

CLI Quick Configuration

To quickly configure port mirroring to mirror employee traffic to the external Web,
copy the following commands and paste them into the terminal window:
[edit]
set ethernet-switching-options analyzer employee-web-monitor loss-priority high
set ethernet-switching-options analyzer employee-web-monitor output vlan 999
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

Step-by-Step Procedure

To configure port mirroring of all traffic from the two ports connected to employee
computers to the remote-analyzer VLAN for use from a remote monitoring station:

1. Configure the employee-web-monitor analyzer:
[edit ethernet-switching-options]
user@switch# set analyzer employee-web-monitor loss-priority high
user@switch# set analyzer employee-web-monitor output vlan 999

2. Configure the VLAN tag ID for the remote-analyzer VLAN:
[edit vlans]
user@switch# set remote-analyzer vlan-id 999

3. Configure the uplink interface for trunk mode and associate it with the
remote-analyzer VLAN:
[edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999

4. Configure the firewall filter called watch-employee:
[edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor

5. Apply the firewall filter to the employee interfaces:
[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

Results

Check the results of the configuration:


[edit]
user@switch# show
interfaces {
    ...
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 999;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input watch-employee;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input watch-employee;
                }
            }
        }
    }
}
...
firewall {
    family ethernet-switching {
        ...
        filter watch-employee {
            term employee-to-corp {
                from {
                    source-address {
                        192.0.2.16/28;
                    }
                    destination-address {
                        192.0.2.16/28;
                    }
                }
                then accept;
            }
            term employee-to-web {
                from {
                    destination-port 80;
                }
                then analyzer employee-web-monitor;
            }
        }
    }
}
ethernet-switching-options {
    analyzer employee-web-monitor {
        loss-priority high;
        output {
            vlan {
                999;
            }
        }
    }
}
vlans {
    remote-analyzer {
        vlan-id 999;
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created on page 1610

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been
created on the switch with the appropriate input interfaces and appropriate output
interface.

Action

You can verify that the port mirror analyzer is configured as expected by using the
show analyzer command. To view previously created analyzers that are disabled, go
to the J-Web interface.

user@switch> show analyzer
  Analyzer name                    : employee-monitor
  Output VLAN                      : remote-analyzer
  Mirror ratio                     : 1
  Loss priority                    : High
  Ingress monitored interfaces     : ge-0/0/0.0
  Ingress monitored interfaces     : ge-0/0/1.0

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every
packet, the default), a loss priority of high (set this option to high whenever the
analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1,
and is sending the mirrored traffic to the VLAN called remote-analyzer.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1613

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1617

Port Mirroring on EX Series Switches Overview on page 1595

Chapter 92

Configuring Port Mirroring

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1613

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1617

Configuring Port Mirroring to Analyze Traffic (CLI Procedure)


You configure port mirroring in order to copy packets so that you can analyze traffic
using a protocol analyzer application. You can mirror traffic entering or exiting an
interface, or entering a VLAN in an EX3200 or EX4200 switch or exiting a VLAN in
an EX8200 switch. You can send the mirrored packets to a local interface to monitor
traffic locally or to a VLAN to monitor traffic remotely.
We recommend that you disable port mirroring when you are not using it and select
specific input interfaces in preference to using the all keyword. You can also limit
the amount of mirrored traffic by using a firewall filter or the ratio keyword to mirror
only a selection of packets. Mirrored packets are complete copies of user traffic, so
treat the analyzer output interface and the remote-analyzer VLAN as sensitive: connect
only the monitoring station to them and leave no unused analyzer enabled.

NOTE: If you want to create additional analyzers without deleting the existing
analyzer, first disable the existing analyzer using the disable analyzer analyzer-name
command or the J-Web configuration page for port mirroring.

NOTE: Interfaces used as output for a port mirror analyzer must be configured as
family ethernet-switching.

Configuring Port Mirroring for Local Traffic Analysis on page 1613

Configuring Port Mirroring for Remote Traffic Analysis on page 1614

Filtering the Traffic Entering a Port Mirroring Analyzer on page 1615

Configuring Port Mirroring for Local Traffic Analysis


To mirror interface traffic or VLAN traffic on the switch to an interface on the switch:
1.

Choose a name for the port mirroring configuration (in this case, employee-monitor)
and specify the input (in this case, packets entering ge-0/0/0 and ge-0/0/1):

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

2.

Optionally, you can specify a statistical sampling of the packets by setting a ratio:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer.
You can use statistical sampling to reduce the volume of mirrored traffic, as a
high volume of mirrored traffic can be performance intensive for the switch.
3.

Configure the destination interface for the mirrored packets:


[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

Configuring Port Mirroring for Remote Traffic Analysis


To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for
analysis from a remote location:
1.

Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer
and given the ID of 999 by convention in this documentation:
[edit]
user@switch# set vlans remote-analyzer vlan-id 999

2.

Set the uplink module interface that is connected to the distribution switch to
trunk mode and associate it with the remote-analyzer VLAN:
[edit]
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999

3.

Configure the analyzer:


a.

Choose a name and set the loss priority to high. Loss priority should always
be set to high when configuring for remote port mirroring:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high

b.

Specify the traffic to be mirrored (in this example, the packets entering ports
ge-0/0/0 and ge-0/0/1):
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

c.

Specify the remote-analyzer VLAN as the output for the analyzer:


[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output vlan 999

4.

Optionally, you can specify a statistical sampling of the packets by setting a ratio:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the
analyzer. You can use this to reduce the volume of mirrored traffic, as a very high
volume of mirrored traffic can be performance intensive for the switch.

Filtering the Traffic Entering a Port Mirroring Analyzer


To filter which packets are mirrored to an analyzer, create the analyzer, then use it
as the action in a firewall filter. You can use firewall filters in both local and remote
port mirroring configurations.
If the same analyzer is used in multiple filters or terms, the packets are copied to
the analyzer output port or analyzer VLAN only once.
To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter
can use any of the available match conditions and must have an action of analyzer
analyzer-name. The action of the firewall filter provides the input to the analyzer.
Because a firewall filter ends with an implicit discard, a packet that matches no term
is dropped, not merely left unmirrored. The terms that accept traffic you do not want
to mirror must therefore cover everything the interface is expected to forward; a filter
whose last explicit term is the analyzer term usually needs a final term with an accept
action.
To configure port mirroring with filters:
1.

Configure the analyzer name (here, employee-monitor) and output:


a.

For local analysis, set the output to the local interface to which you will
connect the computer running the protocol analyzer application:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

b.

For remote analysis, set the loss priority to high and set the output to the
remote-analyzer VLAN:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high output vlan 999

2.

Create a firewall filter using any of the available match conditions and specify
the action as analyzer employee-monitor:
This step shows a firewall filter called example-filter, with two terms:
a.

Create the first term to define the traffic that should not pass through to the
analyzer (here, ip-address stands for the address or prefix you want excluded):
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term no-analyzer from source-address
ip-address
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term no-analyzer from
destination-address ip-address
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term no-analyzer then accept

b.

Create the second term to define the traffic that should pass through to the
analyzer:
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term to-analyzer from
destination-port 80
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term to-analyzer then analyzer
employee-monitor

3.

Apply the firewall filter to the interfaces or VLAN that are input to the analyzer
(rspan here is the name of a VLAN you have already configured):
[edit]
user@switch# set interfaces ge-0/0/0 unit 0 family ethernet-switching
filter input example-filter
[edit]
user@switch# set vlans rspan filter input example-filter
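The following Python script is an added example, not code from the JUNOS documentation or from Juniper, that simulates how a filter such as watch-employee or example-filter decides which packets are forwarded and which are copied to an analyzer. The Packet and Term classes, the match-condition handling and the sample packets are constructed for this example. The script assumes the JUNOS semantics stated on this page or following from them: terms are evaluated in order and the first match wins, accept and discard are terminating actions, an analyzer action mirrors the packet and forwards it, a packet that matches no term is discarded, and an analyzer named by more than one filter or term receives a single copy. The everything-else term shown beside the page's own filter is the extra accept term that keeps the implicit discard from dropping traffic you did not mean to filter.

```python
"""Simulate how an EX Series ethernet-switching firewall filter feeds a port
mirroring analyzer.  Added example; not JUNOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the fields the example filters match on."""
    src: str
    dst: str
    dport: int


@dataclass
class Term:
    name: str
    match: dict                     # e.g. {"destination-port": 80}
    action: str                     # "accept", "discard" or "analyzer"
    analyzer: Optional[str] = None  # analyzer name when action == "analyzer"

    def matches(self, pkt):
        """All conditions in a term must match (an empty match is a catch-all)."""
        for cond, value in self.match.items():
            if cond == "source-address":
                if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(value):
                    return False
            elif cond == "destination-address":
                if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(value):
                    return False
            elif cond == "destination-port":
                if pkt.dport != value:
                    return False
            else:
                raise ValueError(f"unsupported match condition {cond}")
        return True


def evaluate_filter(terms, pkt):
    """First matching term wins; return (forwarded, analyzers_receiving_a_copy).
    Assumed JUNOS semantics: accept/discard terminate, an analyzer action mirrors
    the packet and then accepts it, and no match at all is an implicit discard."""
    for term in terms:
        if term.matches(pkt):
            if term.action == "accept":
                return True, set()
            if term.action == "discard":
                return False, set()
            return True, {term.analyzer}
    return False, set()


def evaluate(filters, pkt):
    """A packet may be subject to several filters (an interface input filter and a
    VLAN filter).  It is forwarded only if every filter accepts it, and an analyzer
    named by several filters or terms still receives one copy (hence a set)."""
    forwarded, mirrored = True, set()
    for terms in filters:
        ok, analyzers = evaluate_filter(terms, pkt)
        forwarded = forwarded and ok
        mirrored |= analyzers
    return forwarded, mirrored


# The watch-employee filter from the remote monitoring example in this guide.
WATCH_EMPLOYEE = [
    Term("employee-to-corp",
         {"source-address": "192.0.2.16/28", "destination-address": "192.0.2.16/28"},
         "accept"),
    Term("employee-to-web", {"destination-port": 80}, "analyzer", "employee-web-monitor"),
]
# The same filter with a final catch-all accept term, so traffic that is neither
# corporate nor web is forwarded unmirrored instead of hitting the implicit discard.
WATCH_EMPLOYEE_SAFE = WATCH_EMPLOYEE + [Term("everything-else", {}, "accept")]

if __name__ == "__main__":
    samples = [
        Packet("192.0.2.17", "192.0.2.20", 445),    # corp to corp: forwarded, not mirrored
        Packet("192.0.2.17", "198.51.100.9", 80),   # employee to web: forwarded and mirrored
        Packet("192.0.2.17", "198.51.100.9", 53),   # employee DNS: dropped by watch-employee
    ]
    for pkt in samples:
        print(pkt, "watch-employee:", evaluate([WATCH_EMPLOYEE], pkt),
              "with catch-all:", evaluate([WATCH_EMPLOYEE_SAFE], pkt))
    # The same analyzer reached through two filters still gets a single copy.
    print(evaluate([WATCH_EMPLOYEE, WATCH_EMPLOYEE], samples[1]))
```

Run it and compare the two columns for the DNS packet: the filter as written on this page discards it, while the version with the catch-all term forwards it without mirroring, which is the behaviour the procedure's first term is trying to express.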

Related Topics

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1617

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX
Series Switches on page 1275

Port Mirroring on EX Series Switches Overview on page 1595

Firewall Filters for EX Series Switches Overview on page 1249


Configuring Port Mirroring to Analyze Traffic (J-Web Procedure)


To configure port mirroring using the J-Web interface:
1.

From the Configure menu, select Security > Port Mirroring.


The first part of the screen displays analyzer details such as the name, status,
analyzer port, ratio, and loss priority.
The second part of the screen lists ingress and egress ports of the selected
analyzer.

2.

Click one:

Add: Add an analyzer. Enter information as specified in Table 217 on page 1617.

Edit: Modify details of the selected analyzer. Enter information as specified
in Table 217 on page 1617.

Delete: Deletes the selected analyzer.

Enable/Disable: Enable or disable the selected analyzer (toggle).

NOTE: In EX3200 switches and EX4200 switches only one analyzer can be enabled
at a time. In EX8200 switches, a maximum of 7 analyzers can be configured.

NOTE: When an analyzer is deleted or disabled, any filter association is removed.

Table 217: Port Mirroring Configuration Settings

Field: Analyzer Name
Function: Specifies the name of the analyzer.
Your Action: Type a name for the analyzer.

Field: Ratio
Function: Specifies the ratio of packets to be mirrored. For example, a ratio of 1 sends
copies of all packets, and a ratio of 2047 sends copies of 1 out of every 2047 packets.
Your Action: Enter a number from 1 through 2047.

Field: Loss Priority
Function: Specifies the loss priority of the mirrored packets. By default, the switch
applies a lower priority to mirrored data than to regular port-to-port data: mirrored
traffic is dropped in preference for regular traffic when capacity is exceeded. For port
mirroring configurations with output to an analyzer VLAN, set the loss priority to high.
Your Action: Keep the default of low, unless the output is to a VLAN.

Field: Analyzer Port
Function: Specifies a local interface or VLAN to which mirrored packets are sent.
NOTE: A VLAN must have only one associated interface to be specified as an analyzer
interface.
Your Action: Click Select. In the Select Analyzer Port/VLAN window, select either port
or VLAN as the Analyzer Type. Next, select the required port or VLAN.

Field: Ingress
Function: Specifies interfaces or VLANs for which entering traffic is mirrored.
Your Action: Click Add and select Port or VLAN. Next, select the interfaces or VLANs.
Click Remove to delete an ingress interface or VLAN.

Field: Egress
Function: Specifies interfaces for which traffic exiting the interfaces is mirrored.
Your Action: Click Add to add egress interfaces. Click Remove to delete an egress
interface.

Related Topics

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1613

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Port Mirroring on EX Series Switches Overview on page 1595


Chapter 93

Configuration Statements for Port Mirroring

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 1619

[edit ethernet-switching-options] Configuration Statement Hierarchy


ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        disable-timeout timeout;
        interface (all | [interface-name]);
    }
    dot1q-tunneling {
        ether-type (0x8100 | 0x88a8 | 0x9100);
    }
    interfaces interface-name {
        no-mac-learning;
    }
    mac-table-aging-time seconds;
    port-error-disable {
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
        }
    }
    secure-access-port {
        dhcp-snooping-file {
            location local_pathname | remote_URL;
            timeout seconds;
            write-interval seconds;
        }
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            no-allowed-mac-log;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                    use-interface-description;
                    use-vlan-id;
                }
                remote-id {
                    prefix hostname | mac | none;
                    use-interface-description;
                    use-string string;
                }
                vendor-id [string];
            }
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            bandwidth bandwidth;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    unknown-unicast-forwarding {
        vlan (all | vlan-name) {
            interface interface-name;
        }
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}
Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

Port Security for EX Series Switches Overview on page 1063

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding Storm Control on EX Series Switches on page 475

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

analyzer

Syntax

analyzer {
    name {
        ratio number;
        loss-priority priority;
        input {
            ingress {
                interface (all | interface-name);
                vlan (vlan-id | vlan-name);
            }
            egress {
                interface (all | interface-name);
            }
        }
        output {
            interface interface-name;
            vlan (vlan-id | vlan-name);
        }
    }
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure port mirroring. One analyzer (port mirroring configuration) can be
configured on an EX3200 or EX4200 switch and seven analyzers (port mirroring
configurations) can be configured on an EX8208 or EX8216 switch at a time. Other
analyzers can be present and disabled.

Default

Port mirroring is disabled and JUNOS Software creates no default analyzers.

Options

name: Name that identifies the analyzer. The name can be up to 125 characters
long, must begin with a letter, and can include uppercase letters, lowercase
letters, numbers, dashes, and underscores. No other special characters are
allowed.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Port Mirroring on EX Series Switches Overview on page 1595

egress

Syntax

egress {
    interface (all | interface-name);
}

Hierarchy Level

[edit ethernet-switching-options analyzer name input]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Specify ports for which traffic exiting the interface is mirrored in a port mirroring
configuration.

The statement is explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

ethernet-switching-options

Syntax

ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        disable-timeout timeout;
        interface (all | [interface-name]);
    }
    dot1q-tunneling {
        ether-type (0x8100 | 0x88a8 | 0x9100);
    }
    interfaces interface-name {
        no-mac-learning;
    }
    mac-table-aging-time seconds;
    port-error-disable {
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
            interface interface-name;
        }
    }
    secure-access-port {
        dhcp-snooping-file {
            location local_pathname | remote_URL;
            timeout seconds;
            write-interval seconds;
        }
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            no-allowed-mac-log;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            dhcp-option82 {
                circuit-id {
                    prefix hostname;
                    use-interface-description;
                    use-vlan-id;
                }
                remote-id {
                    prefix hostname | mac | none;
                    use-interface-description;
                    use-string string;
                }
                vendor-id [string];
            }
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    unknown-unicast-forwarding {
        vlan (all | vlan-name) {
            interface interface-name;
        }
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.
Support for storm control and BPDU protection added in JUNOS Release 9.1 for EX
Series switches.
Option ip-source-guard added in JUNOS Release 9.2 for EX Series switches.
Options dhcp-option82, dot1q-tunneling, and no-allowed-mac-log added in JUNOS Release
9.3 for EX Series switches.
Options dhcp-snooping-file and mac-table-aging-time introduced in JUNOS Release 9.4
for EX Series switches.
Options interfaces and no-mac-learning introduced in JUNOS Release 9.5 for EX Series
switches.
Options port-error-disable and disable-timeout introduced in JUNOS Release 9.6 for
EX Series switches.

Description

Configure Ethernet switching options.
The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

Port Security for EX Series Switches Overview on page 1063

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
on page 574

Understanding Redundant Trunk Links on EX Series Switches on page 473

Understanding Storm Control on EX Series Switches on page 475

Understanding 802.1X and VoIP on EX Series Switches on page 879

Understanding Q-in-Q Tunneling on EX Series Switches on page 477

Understanding Unknown Unicast Forwarding on EX Series Switches on page 480

ingress

Syntax

ingress {
    interface (all | interface-name);
    vlan (vlan-id | vlan-name);
}

Hierarchy Level

[edit ethernet-switching-options analyzer name input]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure ports or VLANs for which the entering traffic is mirrored as part of a port
mirroring configuration.

The statements are explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Port Mirroring on EX Series Switches Overview on page 1595

input

Syntax

input {
    ingress {
        interface (all | interface-name);
        vlan (vlan-id | vlan-name);
    }
    egress {
        interface (all | interface-name);
    }
}

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

The definition of the traffic to be mirrored in a port mirroring configuration. The input
can be a combination of traffic entering or exiting specific ports, and traffic entering a
VLAN in an EX3200 or EX4200 switch or exiting a VLAN in an EX8200 switch.

The statements are explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Port Mirroring on EX Series Switches Overview on page 1595

interface

Syntax

interface (all | interface-name);

Hierarchy Level

[edit ethernet-switching-options analyzer name input egress],
[edit ethernet-switching-options analyzer name input ingress],
[edit ethernet-switching-options analyzer name output]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the interfaces for which traffic is mirrored, or (at the output hierarchy level)
the single interface to which mirrored traffic is sent.

Options

all: Apply port mirroring to all interfaces on the switch. Mirroring a high volume of
traffic can be performance intensive for the switch. Therefore, you should
generally select specific input interfaces in preference to using the all keyword,
or use the all keyword in combination with setting a ratio for statistical sampling.
The all keyword applies only at the input ingress and input egress hierarchy levels;
the output interface must be a single named interface.

interface-name: Apply port mirroring to the specified interface only.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Port Mirroring on EX Series Switches Overview on page 1595

loss-priority

Syntax

loss-priority priority;

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure a loss priority for mirrored packets. By default, the switch applies a lower
priority to mirrored data than to regular port-to-port data: mirrored traffic is dropped
in preference for regular traffic when capacity is exceeded. For port mirroring
configurations with output to an analyzer VLAN, set the loss priority to high.

Default

Low

Options

priority: The value for priority can be low or high.
Default: low

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

output

Syntax

output {
    interface interface-name;
    vlan (vlan-id | vlan-name);
}

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure the destination for mirrored traffic: either an interface on the switch, for
local monitoring, or a VLAN, for remote monitoring.

The statements are explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use
on EX Series Switches on page 1599

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Port Mirroring on EX Series Switches Overview on page 1595

ratio

Syntax

ratio number;

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

Configure port mirroring to copy a sampling of packets by setting a ratio of 1:x. A
ratio of 1 mirrors all packets, and 2047 mirrors 1 out of every 2047 packets.

Default

1

Options

number: The number of packets in the sample, out of which 1 packet is mirrored.
Range: 1 through 2047
Default: 1

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Mirroring on EX Series Switches Overview on page 1595

vlan

Syntax

vlan (vlan-id | vlan-name);

Hierarchy Level

[edit ethernet-switching-options analyzer name input ingress],
[edit ethernet-switching-options analyzer name output]

Release Information

Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description

At the input ingress hierarchy level, configure a VLAN for which entering traffic is
mirrored. At the output hierarchy level, configure the VLAN to which mirrored traffic
is sent for remote monitoring.

Options

vlan-id: Numeric VLAN identifier.
vlan-name: Name of the VLAN.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use on EX Series Switches on page 1605

Port Mirroring on EX Series Switches Overview on page 1595

Chapter 94

Operational Mode Commands for Port Mirroring

show analyzer

Syntax

show analyzer analyzer-name

Release Information

Command introduced in JUNOS Release 9.0 for EX Series switches.

Description

Display information about analyzers configured for port mirroring.

Options

analyzer-name: (Optional) Displays the status of a specific analyzer on the switch.

Required Privilege Level

view

List of Sample Output

show analyzer on page 1634

Output Fields

Table 218 on page 1634 lists the output fields for the show analyzer command. Output
fields are listed in the approximate order in which they appear.

Table 218: show analyzer Output Fields

Analyzer name: Displays the name of the analyzer.

Output interface: Specifies a local interface to which mirrored packets are sent. An
analyzer can have output to either an interface or a VLAN, not both.

Output VLAN: Specifies a VLAN to which mirrored packets are sent. An analyzer can
have output to either an interface or a VLAN, not both.

Mirror ratio: Displays the ratio of packets to be mirrored, between 1 and 2047, where
1 sends copies of all packets and 2047 sends copies of 1 out of every 2047 packets.

Loss priority: Displays the loss priority of mirrored packets. By default, loss priority
is set to low, with mirrored traffic dropped in preference for regular traffic when
capacity is exceeded. For analyzers with output to a VLAN, set the loss priority to high.

Egress monitored interfaces: Displays interfaces for which traffic exiting the
interfaces is mirrored.

Ingress monitored interfaces: Displays interfaces for which traffic entering the
interfaces is mirrored.

Ingress monitored VLANs: Displays VLANs for which traffic entering the VLAN is
mirrored.

show analyzer

user@host> show analyzer
  Analyzer name                    : employee-monitor
  Output interface                 : ge-0/0/10.0
  Output VLAN                      : remote-analyzer
  Mirror ratio                     : 1
  Loss priority                    : High
  Egress monitored interfaces      : ge-0/0/3.0
  Ingress monitored interfaces     : ge-0/0/0.0
  Ingress monitored interfaces     : ge-0/0/1.0

Chapter 95

Understanding sFlow Technology

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 1635

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch

sFlow technology is a monitoring technology for high-speed switched or routed
networks. sFlow monitoring technology randomly samples network packets and
sends the samples to a monitoring station. You can configure sFlow technology on
a Juniper Networks EX Series Ethernet Switch to continuously monitor traffic at wire
speed on all interfaces simultaneously.
sFlow technology has the following two sampling mechanisms:

Packet-based sampling: Samples one packet out of a specified number of packets
from an interface enabled for sFlow technology.

Time-based sampling: Samples interface statistics at a specified interval from
an interface enabled for sFlow technology.

The sampling information is used to create a network traffic visibility picture. Juniper
Networks JUNOS Software fully supports the sFlow version 5 standard described at
sFlow.org (see www.sflow.org).

NOTE: sFlow technology on EX Series switches samples only raw packet headers. A
raw Ethernet packet is the complete Layer 2 network frame.

An sFlow monitoring system consists of an sFlow agent embedded in the switch and
a centralized collector. The sFlow agent's two main activities are random sampling
and statistics gathering. It combines interface counters and flow samples and sends
them across the network to the sFlow collector.

EX Series switches adopt the distributed sFlow architecture. The sFlow agent has
two separate sampling entities that are associated with each Packet Forwarding
Engine. These sampling entities are known as subagents. Each subagent has a unique
ID that is used by the collector to identify the data source. A subagent has its own
independent state and forwards its own sample messages to the sFlow agent. The
sFlow agent is responsible for packaging the samples into datagrams and sending
them to the sFlow collector. Since sampling is distributed across subagents, the
protocol overheads associated with sFlow are significantly reduced at the collector.
If the mastership assignment changes in a Virtual Chassis setup, sFlow technology
continues to function.

NOTE: JUNOS Software on EX Series switches supports sFlow version 5.

The sFlow collector uses the sFlow agent's IP address to determine the source of the
sFlow data. The IP address assigned to the agent is based on the following order of
priority of interfaces configured on the switch:

1. Loopback interface
2. Virtual Management Ethernet (VME) interface
3. Management Ethernet interface
4. Any other Layer 3 interface

If a particular interface has not been configured, the IP address of the next interface
in the priority list is used as the IP address for the agent. For example, if the loopback
interface has not been configured, then the IP address of the VME interface is assigned
as the agent's IP address. Once an IP address is assigned to the agent, configuring an
interface with a higher priority afterwards does not modify the agent's IP address until
the sFlow service is restarted. At least one interface has to be configured for an IP
address to be assigned to the agent.

NOTE: If a loopback interface has the IP address 127.x.x.x, the agent is not assigned
the IP address of that interface. The next interface on the priority list is used as the
agent's IP address.

sFlow data can be used to provide network traffic visibility information. Infrequent
flows might not be reported in the sFlow information, but over time the majority
of flows are reported. Based on a defined sampling rate, 1 out of N packets is captured
and sent to the collector. This type of sampling does not provide a 100 percent
accurate result in the analysis, but it does provide a result with quantifiable accuracy.
A polling interval defines how often the sFlow data for a specific interface are sent
to the collector, but an sFlow agent is free to schedule polling.
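The datagram the agent emits (version 5, agent address, subagent ID, sequence number, then flow samples whose raw-header records carry the Layer 2 frame mentioned in the note above) is easiest to see by building one and parsing it back on the collector side. The following Python is an added example, not Juniper code and not part of this guide; the agent address 10.0.0.1, the ifIndex values 501 and 502, the three sampled frames and the MAC addresses are constructed for illustration. It also scales samples back to packet estimates and applies the 95 percent relative error bound 196 * sqrt(1/c) from the sFlow.org packet-sampling note, which is the "quantifiable accuracy" the text refers to: a source seen in c samples at 1:N stands for roughly c*N packets, with an error that shrinks as more samples arrive.

```python
import math
import struct

# sFlow v5 constants from the sflow.org specification (enterprise 0 formats).
SFLOW_VERSION, ADDR_IPV4 = 5, 1          # datagram version; agent address type IPv4
FLOW_SAMPLE, RAW_PACKET_HEADER = 1, 1    # sample_data format; flow_data record format
HEADER_ETHERNET = 1                      # header_protocol ETHERNET-ISO88023

def _ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def _xdr_opaque(data):
    """XDR opaque<>: 4-byte length, then the bytes padded to a multiple of 4."""
    return struct.pack("!I", len(data)) + data + b"\x00" * ((-len(data)) % 4)

def _frame(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def _ipv4_l4(src_ip, dst_ip, proto, sport, dport):
    """Minimal IPv4 header (protocol byte at offset 9) followed by the two L4 ports."""
    ip = bytes([0x45, 0, 0, 60, 0, 0, 0x40, 0, 64, proto, 0, 0]) + _ip4(src_ip) + _ip4(dst_ip)
    return ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def build_datagram(agent_ip, sub_agent_id, seq, sampling_rate, frames):
    """One sFlow v5 datagram with one flow sample per (in_ifindex, out_ifindex, frame)."""
    samples = b""
    for i, (in_if, out_if, frame) in enumerate(frames, 1):
        # raw header record: header_protocol, original frame_length, stripped, header bytes
        record = struct.pack("!III", HEADER_ETHERNET, max(len(frame), 60), 0) + _xdr_opaque(frame)
        # flow sample body: seq, source_id (ifIndex), rate, pool, drops, input, output, n_records
        body = struct.pack("!8I", i, in_if, sampling_rate, i * sampling_rate, 0, in_if, out_if, 1)
        body += struct.pack("!II", RAW_PACKET_HEADER, len(record)) + record
        samples += struct.pack("!II", FLOW_SAMPLE, len(body)) + body
    header = struct.pack("!II4sIIII", SFLOW_VERSION, ADDR_IPV4, _ip4(agent_ip),
                         sub_agent_id, seq, 123456, len(frames))   # 123456 = uptime in ms
    return header + samples

def decode_header(hdr):
    """Pull L2/L3/L4 keys out of the raw header bytes the agent kept."""
    info = {"dst_mac": hdr[0:6].hex(":"), "src_mac": hdr[6:12].hex(":"),
            "ethertype": struct.unpack_from("!H", hdr, 12)[0]}
    if info["ethertype"] == 0x0800 and len(hdr) >= 34:
        ihl = (hdr[14] & 0x0F) * 4
        info.update(proto=hdr[23], src_ip=".".join(map(str, hdr[26:30])),
                    dst_ip=".".join(map(str, hdr[30:34])))
        if info["proto"] in (6, 17) and len(hdr) >= 14 + ihl + 4:
            info["sport"], info["dport"] = struct.unpack_from("!HH", hdr, 14 + ihl)
    return info

def _parse_flow_sample(buf, off):
    seq, source_id, rate, pool, drops, in_if, out_if, nrec = struct.unpack_from("!8I", buf, off)
    off, records = off + 32, []
    for _ in range(nrec):
        fmt, length = struct.unpack_from("!II", buf, off)
        off += 8
        if fmt == RAW_PACKET_HEADER:
            _proto, frame_len, _stripped, hlen = struct.unpack_from("!IIII", buf, off)
            rec = decode_header(buf[off + 16:off + 16 + hlen])
            rec["frame_len"] = frame_len
            records.append(rec)
        off += length                 # other record types are skipped, not decoded
    return {"seq": seq, "source_id": source_id, "rate": rate, "pool": pool,
            "drops": drops, "in": in_if, "out": out_if, "records": records}

def parse_datagram(buf):
    version, atype = struct.unpack_from("!II", buf, 0)
    if version != SFLOW_VERSION or atype != ADDR_IPV4:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled here")
    agent = ".".join(map(str, buf[8:12]))
    sub_agent, seq, _uptime, nsamples = struct.unpack_from("!IIII", buf, 12)
    off, samples = 28, []
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!II", buf, off)
        off += 8
        if fmt == FLOW_SAMPLE:
            samples.append(_parse_flow_sample(buf, off))
        off += length                 # counter samples are skipped here
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq, "samples": samples}

def estimated_packets_by_source(parsed):
    """Each sample taken at 1:N stands for about N packets; sum per source IP (or MAC)."""
    totals = {}
    for s in parsed["samples"]:
        for rec in s["records"]:
            key = rec.get("src_ip", rec["src_mac"])
            totals[key] = totals.get(key, 0) + s["rate"]
    return totals

def sampling_error_pct(sample_count):
    """95 percent relative error bound for a class seen in c samples: 196 * sqrt(1/c)."""
    return 196.0 * math.sqrt(1.0 / sample_count)

# Constructed input: three frames sampled on ifIndex 501 (ge-0/0/0 in this fiction).
MAC_A, MAC_B, MAC_GW = (bytes.fromhex(h) for h in ("0a0000000001", "0a0000000002", "0a00000000ff"))
SAMPLE_FRAMES = [
    (501, 502, _frame(MAC_A, MAC_GW, 0x0800, _ipv4_l4("192.0.2.10", "198.51.100.53", 17, 40000, 53))),
    (501, 502, _frame(MAC_A, MAC_GW, 0x0800, _ipv4_l4("192.0.2.10", "198.51.100.22", 6, 50000, 22))),
    (501, 0, _frame(MAC_B, b"\xff" * 6, 0x0806, b"\x00" * 28)),   # ARP frame: no IP keys
]
```

Calling parse_datagram(build_datagram("10.0.0.1", 1, 7, 1000, SAMPLE_FRAMES)) yields the agent address, subagent ID 1 and three flow samples; estimated_packets_by_source on the result attributes about 2000 packets to 192.0.2.10 and 1000 to the ARP sender's MAC. Two points matter for a collector you write yourself: skip sample and record types by their length field rather than assuming a layout, because a real agent interleaves counter samples and extended records, and key on the agent address plus subagent ID, since each Packet Forwarding Engine reports under its own subagent with independent sequence numbers.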
Related Topics

Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637

Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

Monitoring Interface Status and Traffic on page 395
Chapter 96

Example of sFlow Technology Configuration

Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637

Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches


You can configure sFlow technology, designed for monitoring high-speed switched
or routed networks, to continuously monitor traffic at wire speed on all interfaces
simultaneously. sFlow data can be used to provide network traffic visibility
information.
This example describes how to configure and use sFlow monitoring. JUNOS Software
fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow:
A Method for Monitoring Traffic in Switched and Routed Networks (see RFC 3176).

Requirements on page 1637

Overview and Topology on page 1637

Configuration on page 1638

Verification on page 1640

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.3 or later for EX Series switches

One EX3200 or EX4200 switch

Overview and Topology

sFlow technology is a statistical-sampling-based network monitoring technology for
high-speed switched or routed networks. sFlow technology samples network packets
and sends the samples to a monitoring station. The information gathered by the
sFlow technology is used to create a network traffic visibility picture.

An sFlow monitoring system consists of an sFlow agent embedded in the switch and
a centralized collector. The sFlow agent runs on the switch. It combines interface
counters and flow samples and sends them across the network to the sFlow collector.
Figure 83 on page 1638 depicts the basic elements of the sFlow system.

Figure 83: sFlow Technology Monitoring System

Configuration

To configure sFlow technology, perform the following tasks:

CLI Quick Configuration

To quickly configure sFlow technology, copy the following commands and paste
them into the switch terminal window:

[edit protocols sflow]
set collector 10.204.32.46
set collector 10.204.32.46 udp-port 5600
set interfaces ge-0/0/0.0
set polling-interval 20
set sample-rate 1000

Step-by-Step Procedure

To configure sFlow technology:

1. Configure the IP address of the collector:

[edit protocols sflow]
user@switch# set collector 10.204.32.46

NOTE: You can configure a maximum of 4 collectors.

2. Configure the UDP port of the collector. The default UDP port assigned is 6343.

[edit protocols sflow]
user@switch# set collector 10.204.32.46 udp-port 5600

3. Enable sFlow technology on a specific interface:

[edit protocols sflow]
user@switch# set interfaces ge-0/0/0.0

NOTE: You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface.

You cannot enable sFlow technology on a LAG interface. sFlow technology can be
enabled on the member interfaces of the LAG.

4. Specify how often the sFlow agent polls the interface:

[edit protocols sflow]
user@switch# set polling-interval 20

NOTE: The polling interval can also be specified as a global parameter. Specify 0 if
you do not want to poll the interface.

5. Specify the rate at which packets must be sampled:

[edit protocols sflow]
user@switch# set sample-rate 1000

Results

Check the results of the configuration:

user@switch# show
sflow {
polling-interval 20;
sample-rate 1000;
collector 10.204.32.46;
interfaces ge-0/0/0.0;
}

Verification
To confirm that the configuration is correct, perform these tasks:

Verifying That sFlow Technology Has Been Configured Properly on page 1640

Verifying That sFlow Technology Is Enabled on the Intended Interface on page 1640

Verifying the sFlow Collector Configuration on page 1641

Verifying That sFlow Technology Has Been Configured Properly

Purpose
Verify that sFlow technology has been configured properly.

Action
Use the show sflow command:

user@switch> show sflow
sFlow            : Enabled
Sample rate      : 1:1000
Sample limit     : 300 packets/second
Polling interval : 20 seconds

NOTE: The sample limit cannot be configured and is set to 300 packets/second.

Meaning
The output shows that sFlow technology is enabled and specifies the values for the
sampling rate, sampling limit, and polling interval.

Verifying That sFlow Technology Is Enabled on the Intended Interface

Purpose
Verify that sFlow technology is enabled on interfaces and display the sampling
parameters.

Action
Use the show sflow interface command:

user@switch> show sflow interface
Interface     Status    Sample rate    Sample limit    Polling-interval
ge-0/0/0.0    Enabled   1000           300             20

NOTE: The sample limit cannot be configured and is set to 300 packets/second.

Meaning
The output indicates that sFlow technology is enabled on the ge-0/0/0.0 interface
with a sampling rate of 1000, a sampling limit of 300 packets per second, and a polling
interval of 20 seconds.

Verifying the sFlow Collector Configuration

Purpose
Verify the sFlow collector's configuration.

Action
Use the show sflow collector command:

user@switch> show sflow collector
Collector address    UDP-port    No of samples
10.204.32.46         5600        1000
100.204.32.76        3400        1000

Meaning
The output displays the IP address of the collector and the UDP port. It also displays
the packet sampling rate.

Related Topics

Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 1635

Chapter 97

Configuring sFlow Technology

Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

Configuring sFlow Technology for Network Monitoring (CLI Procedure)

You can configure sFlow technology, designed for monitoring high-speed switched
or routed networks, to continuously monitor traffic at wire speed on all interfaces
simultaneously. JUNOS Software fully supports the sFlow standard described in RFC
3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and
Routed Networks (see RFC 3176).
To configure sFlow features using the CLI:

1. Configure the IP address of the collector:

[edit protocols sflow]
user@switch# set collector ip-address

2. Configure the UDP port of the collector. The default UDP port assigned is 6343.

[edit protocols sflow]
user@switch# set collector ip-address udp-port port-number

3. Enable sFlow technology on a specific interface:

[edit protocols sflow]
user@switch# set interfaces interface-name

NOTE: You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface.

You cannot enable sFlow technology on a LAG interface. sFlow technology can be
enabled on the member interfaces of the LAG.

4. Specify how often the sFlow agent polls the interface:

[edit protocols sflow]
user@switch# set polling-interval seconds

NOTE: Specify 0 if you do not want to poll the interface.

5. Specify the rate at which packets must be sampled:

[edit protocols sflow]
user@switch# set sample-rate number

6. You can also configure the polling interval and sample rate at the interface level:

[edit protocols sflow interfaces interface-name]
user@switch# set polling-interval seconds
user@switch# set sample-rate number

NOTE: The interface-level configuration overrides the global configuration.
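The six steps above, together with the limits given in the statement references that follow (sample-rate 100 through 1,048,576, polling-interval 0 through 3600 with 0 disabling polling, at most four collectors, UDP port 6343 by default, no LAG interfaces, interface-level values overriding global ones), can be checked before anything is pushed to a switch. The Python below is an added example, not Juniper code or part of this guide: it renders the set commands from an intent description and refuses out-of-range or disallowed input. The one-line form `set protocols sflow collector ip-address udp-port port-number`, the interface-name pattern it accepts (ge/xe port units such as ge-0/0/0.0), and the INTENT dictionary are assumptions of the example; the switch itself remains the authority on what commits.

```python
import ipaddress
import re

# Limits taken from the sFlow statement references in this guide.
SAMPLE_RATE_RANGE = (100, 1_048_576)   # sample-rate number
POLLING_RANGE = (0, 3600)              # polling-interval seconds; 0 disables polling
DEFAULTS = {"sample-rate": 2000, "polling-interval": 20}
MAX_COLLECTORS = 4
DEFAULT_UDP_PORT = 6343

# Assumption of this example: sFlow is applied to physical port units such as
# ge-0/0/0.0. ae (LAG) interfaces are rejected, since the guide says to sample members.
_PHYSICAL_UNIT = re.compile(r"^(ge|xe)-\d+/\d+/\d+\.\d+$")


class SflowConfigError(ValueError):
    pass


def _in_range(name, value, lo_hi):
    lo, hi = lo_hi
    if not isinstance(value, int) or not lo <= value <= hi:
        raise SflowConfigError(f"{name} {value!r} outside {lo}..{hi}")


def _check_interface(name):
    if name.startswith("ae"):
        raise SflowConfigError(f"{name}: sFlow cannot be enabled on a LAG; use its member links")
    if not _PHYSICAL_UNIT.match(name):
        raise SflowConfigError(f"{name}: expected a physical port unit such as ge-0/0/0.0")


def render_sflow(collectors, interfaces, sample_rate=None, polling_interval=None):
    """Return the set lines for the given intent, after validating every value.

    collectors: list of (ip, udp_port or None); interfaces: {name: overrides} where
    overrides may hold "sample-rate", "polling-interval" and "disable".
    """
    if not 1 <= len(collectors) <= MAX_COLLECTORS:
        raise SflowConfigError(f"need 1..{MAX_COLLECTORS} collectors, got {len(collectors)}")
    lines = []
    for ip, port in collectors:
        ipaddress.ip_address(ip)                      # raises ValueError on junk
        port = DEFAULT_UDP_PORT if port is None else port
        _in_range("udp-port", port, (1, 65535))
        lines.append(f"set protocols sflow collector {ip} udp-port {port}")
    if sample_rate is not None:
        _in_range("sample-rate", sample_rate, SAMPLE_RATE_RANGE)
        lines.append(f"set protocols sflow sample-rate {sample_rate}")
    if polling_interval is not None:
        _in_range("polling-interval", polling_interval, POLLING_RANGE)
        lines.append(f"set protocols sflow polling-interval {polling_interval}")
    for name, opts in interfaces.items():
        _check_interface(name)
        base = f"set protocols sflow interfaces {name}"
        lines.append(base)
        if opts.get("disable"):
            lines.append(f"{base} disable")
        if "sample-rate" in opts:
            _in_range(f"{name} sample-rate", opts["sample-rate"], SAMPLE_RATE_RANGE)
            lines.append(f"{base} sample-rate {opts['sample-rate']}")
        if "polling-interval" in opts:
            _in_range(f"{name} polling-interval", opts["polling-interval"], POLLING_RANGE)
            lines.append(f"{base} polling-interval {opts['polling-interval']}")
    return lines


def effective_parameters(interfaces, name, sample_rate=None, polling_interval=None):
    """What the switch applies to one interface: interface value, else global, else default."""
    opts = interfaces.get(name, {})
    globals_ = {"sample-rate": sample_rate, "polling-interval": polling_interval}
    out = {}
    for key in ("sample-rate", "polling-interval"):
        if key in opts:
            out[key] = opts[key]
        elif globals_[key] is not None:
            out[key] = globals_[key]
        else:
            out[key] = DEFAULTS[key]
    return out


# Constructed intent matching the example in this guide, plus one uplink sampled more
# sparsely and one access port kept in the configuration but disabled.
INTENT = {
    "collectors": [("10.204.32.46", 5600)],
    "sample_rate": 1000,
    "polling_interval": 20,
    "interfaces": {
        "ge-0/0/0.0": {},
        "xe-0/1/0.0": {"sample-rate": 4000},
        "ge-0/0/5.0": {"disable": True},
    },
}
```

render_sflow(INTENT["collectors"], INTENT["interfaces"], INTENT["sample_rate"], INTENT["polling_interval"]) produces the set lines for the collector, the global rate and interval, and each interface; effective_parameters shows why the xe-0/1/0.0 override wins (4000) while ge-0/0/0.0 inherits the global 1000, and an interface mentioned nowhere falls back to the 2000 and 20 second defaults. Passing an ae interface, a fifth collector or a sample rate of 50 raises SflowConfigError before any line is emitted.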

Related Topics

Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 1635

Chapter 98

Configuration Statements for sFlow Technology

[edit protocols] Configuration Statement Hierarchy on page 1645

[edit protocols] Configuration Statement Hierarchy


protocols {
connections {
remote-interface-switch connection-name {
interface interface-name.unit-number;
transmit-lsp label-switched-path;
receive-lsp label-switched-path;
}
}
dot1x {
authenticator {
authentication-profile-name profile-name;
interface (all | [ interface-names ]) {
disable;
guest-vlan ( vlan-id | vlan-name);
mac-radius <restrict>;
maximum-requests number;
no-reauthentication;
quiet-period seconds;
reauthentication {
interval seconds;
}
retries number;
server-fail (deny | permit | use-cache | vlan-id | vlan-name);
server-reject-vlan (vlan-id | vlan-name);
server-timeout seconds;
supplicant (multiple | single | single-secure);
supplicant-timeout seconds;
transmit-period seconds;
}
static mac-address {
interface interface-name;
vlan-assignment (vlan-id |vlan-name);
}
}
}
gvrp {
<enable | disable>;

interface (all | [interface-name]) {


disable;
}
join-timer milliseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}
igmp-snooping {
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag (detail | disable | receive | send);
}
vlan (vlan-id | vlan-number) {
data-forwarding {
source {
groups group-prefix;
}
receiver {
source-vlans vlan-list;
install;
}
}
disable {
interface interface-name;
}
immediate-leave;
interface interface-name {
group-limit limit;
multicast-router-interface;
static {
group ip-address;
}
}
proxy;
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp {
disable;
advertisement-interval seconds;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag (detail | disable | receive | send);
}
}
lldp-med {
disable;


fast-start number;
interface (all | interface-name) {
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mpls {
interface (all | interface-name);
label-switched-path lsp-name to remote-provider-edge-switch;
path destination {
<address | hostname> <strict | loose>;
}
}
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
traceoptions {

file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
oam {
ethernet {
link-fault-management {
action-profile profile-name {
action {
syslog;
link-down;
}
event {
link-adjacency-loss;
link-event-rate;
frame-error count;
frame-period count;
frame-period-summary count;
symbol-period count;
}
}
interface interface-name {
link-discovery (active | passive);
pdu-interval interval;
remote-loopback;
event-thresholds {
frame-error count;
frame-period count;
frame-period-summary count;
symbol-period count;
}
negotiation-options {
allow-remote-loopback;
no-allow-link-events;
}
}
}
}
}
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;


}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
sflow {
collector {
ip-address;
udp-port port-number;
}
disable;
interfaces interface-name {
disable;
polling-interval seconds;
sample-rate number;
}
polling-interval seconds;
sample-rate number;
}
stp {
disable;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
vstp {
bpdu-block-on-edge;
disable;
force-version stp;
vlan vlan-id {
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {


bpdu-timeout-action {
block;
alarm;
}
cost cost;
disable;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
}
}
Related Topics

802.1X for EX Series Switches Overview on page 865

Example: Configure Automatic VLAN Administration Using GVRP on page 508

Understanding MAC RADIUS Authentication on EX Series Switches on page 872

Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches on page 873

IGMP Snooping on EX Series Switches Overview on page 795

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 877

Understanding MSTP for EX Series Switches on page 573

Understanding RSTP for EX Series Switches on page 572

Understanding STP for EX Series Switches on page 571

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 1635

Understanding VSTP for EX Series Switches on page 574

Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 1661

collector

Syntax
collector {
ip-address;
udp-port port-number;
}

Hierarchy Level
[edit protocols sflow]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure a remote collector for sFlow network traffic monitoring. The switch sends
sFlow UDP datagrams to this collector for analysis. You can configure up to four
collectors on the switch. You configure a collector by specifying its IP address and a
UDP port.

The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
[edit protocols] Configuration Statement Hierarchy on page 47
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

disable

Syntax
disable;

Hierarchy Level
[edit protocols sflow],
[edit protocols sflow interfaces interface-name]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Disable the sFlow monitoring protocol on all interfaces on the switch or on the
specified interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
[edit protocols] Configuration Statement Hierarchy on page 47
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

interfaces

Syntax
interfaces interface-name {
disable;
polling-interval seconds;
sample-rate number;
}

Hierarchy Level
[edit protocols sflow]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure sFlow network traffic monitoring on the specified interface on the switch.
You can configure sFlow parameters such as polling interval and sample rate with
different values on different interfaces, and you can also disable sFlow monitoring
on individual interfaces.

The remaining statements are explained separately.

Options
interface-name: Name of the interface on which to configure sFlow parameters.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
[edit protocols] Configuration Statement Hierarchy on page 47
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

polling-interval

Syntax
polling-interval seconds;

Hierarchy Level
[edit protocols sflow],
[edit protocols sflow interfaces interface-name]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure the interval (in seconds) that the switch waits between port statistics update
messages. Polling refers to the switch's gathering of various statistics for the network
interfaces configured for sFlow monitoring and exporting the statistics to the
configured sFlow collector.

Default
If no polling interval is configured for a particular interface, the switch waits the
number of seconds that is configured for the global sFlow configuration. If no global
interval is configured, the switch waits 20 seconds between messages.

Options
seconds: Number of seconds between port statistics update messages. A 0 (zero)
value specifies that polling is disabled.
Range: 0 through 3600 seconds
Default: 20 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
[edit protocols] Configuration Statement Hierarchy on page 47
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637

sample-rate

Syntax
sample-rate number;

Hierarchy Level
[edit protocols sflow],
[edit protocols sflow interfaces interface-name]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Set the ratio of the number of packets to be sampled in sFlow network traffic
monitoring. For example, if you specify a rate of 1000, every thousandth packet (1
packet out of 1000) is sampled.

Default
If no sample rate is configured for a particular interface, the switch samples at the
rate configured for the global sFlow configuration. If no global rate is configured, the
switch samples 1 in 2000 packets.

Options
number: Denominator of the ratio that composes the sample rate.
Range: 100 through 1,048,576
Default: 2000

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
[edit protocols] Configuration Statement Hierarchy on page 47
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637

sflow

Syntax
sflow {
collector {
ip-address;
udp-port port-number;
}
disable;
interfaces interface-name {
disable;
polling-interval seconds;
sample-rate number;
}
polling-interval seconds;
sample-rate number;
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure sFlow technology, designed for monitoring high-speed switched or routed
networks, to continuously monitor traffic at wire speed on the specified interfaces
simultaneously. sFlow data can be used to provide network traffic visibility
information.

The remaining statements are explained separately.

Default
The sFlow protocol is disabled by default.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
[edit protocols] Configuration Statement Hierarchy on page 47
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

udp-port

Syntax
udp-port port-number;

Hierarchy Level
[edit protocols sflow collector]

Release Information
Statement introduced in JUNOS Release 9.3 for EX Series switches.

Description
Configure the UDP port for a remote collector for sFlow network traffic monitoring.
The switch sends sFlow UDP datagrams to the collector for analysis.

Options
port-number: UDP port number for this collector.
Default: 6343

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
[edit protocols] Configuration Statement Hierarchy on page 47
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

Chapter 99

Operational Mode Commands for sFlow Technology

show sflow

Syntax
show sflow
<collector>
<interface>

Release Information
Command introduced in JUNOS Release 9.3 for EX Series switches.

Description
Display sFlow configuration and status information.

Options
collector: (Optional) Display standard status information about the configured sFlow
collectors.
interface: (Optional) Display standard status information about the interfaces on which
sFlow technology is enabled.

Required Privilege Level
view

Related Topics
show sflow interface
show sflow collector
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

Output Fields
Table 219 on page 1658 lists the output fields for the show sflow command. Output
fields are listed in the approximate order in which they appear.

Table 219: show sflow Output Fields

sFlow: Status of the feature, enabled or disabled. (All levels)
Sample rate: Rate at which packets are sampled. (All levels)
Sample limit: Number of packets sampled per second. The sample limit cannot be
configured and is set to 300 packets/second. (All levels)
Polling interval: Interval at which the sFlow agent polls the interface. (All levels)

Sample Output

show sflow

user@switch> show sflow
sFlow            : Enabled
Sample rate      : 1:1000
Sample limit     : 300 packets/second
Polling interval : 20 seconds

show sflow collector

Syntax
show sflow collector

Release Information
Command introduced in JUNOS Release 9.3 for EX Series switches.

Description
Display a list of configured sFlow collectors and their properties.

Required Privilege Level
view

Related Topics
show sflow
show sflow interface
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

Output Fields
Table 220 on page 1659 lists the output fields for the show sflow collector command.
Output fields are listed in the approximate order in which they appear.

Table 220: show sflow collector Output Fields

IP address: IP address of the collector. (All levels)
UDP port: UDP port number. (All levels)
No of samples: Packet sampling rate. (All levels)

Sample Output

show sflow collector

user@switch> show sflow collector
IP-address           UDP-Port    No of samples
10.204.32.46         5600        1000
100.204.32.76        3400        1000

show sflow interface

Syntax
show sflow interface

Release Information
Command introduced in JUNOS Release 9.3 for EX Series switches.

Description
Display the interfaces on which sFlow technology is enabled and the sampling
parameters.

Required Privilege Level
view

Related Topics
show sflow
show sflow collector
Example: Monitoring Network Traffic Using sFlow Technology on EX Series Switches on page 1637
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1643

Output Fields
Table 221 on page 1660 lists the output fields for the show sflow interface command.
Output fields are listed in the approximate order in which they appear.

Table 221: show sflow interface Output Fields

Interfaces: Interface on which sFlow technology is enabled. (All levels)
Sample-rate: Rate at which packets are sampled. (All levels)
Sample-limit: Number of packets sampled per second. The sample limit cannot be
configured and is set to 300 packets/second. (All levels)
Polling-interval: The interval at which the sFlow agent polls the interface. (All levels)

Sample Output

show sflow interface

user@switch> show sflow interface
Interfaces     Sample-rate    Sample-limit    Polling-interval
ge-0/0/0.0     1:1000         300 pkt/sec     20 sec

Chapter 100

Understanding Ethernet OAM Link Fault Management

Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 1661

Understanding Ethernet OAM Link Fault Management for an EX Series Switch

Juniper Networks JUNOS Software for Juniper Networks EX Series Ethernet Switches
allows the Ethernet interfaces on these switches to support the IEEE 802.3ah standard
for the Operation, Administration, and Maintenance (OAM) of Ethernet in access
networks. The standard defines OAM link fault management (LFM). You can configure
IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either
directly or through Ethernet repeaters. The IEEE 802.3ah standard meets the
requirement for OAM capabilities even as Ethernet moves from being solely an
enterprise technology to a WAN and access technology, and the standard remains
backward-compatible with existing Ethernet technology.
Ethernet OAM provides the tools that network management software and network
managers can use to determine how a network of Ethernet links is functioning.
Ethernet OAM should:

Rely only on the media access control (MAC) address or virtual LAN identifier
for troubleshooting.

Work independently of the actual Ethernet transport and function over physical
Ethernet ports or a virtual service such as pseudowire.

Isolate faults over a flat (or single operator) network architecture or nested or
hierarchical (or multiprovider) networks.

The following OAM LFM features are supported on EX Series switches:

Discovery and Link Monitoring


The discovery process is triggered automatically when OAM is enabled on the
interface. The discovery process permits Ethernet interfaces to discover and
monitor the peer on the link if it also supports the IEEE 802.3ah standard. You
can specify the discovery mode used for IEEE 802.3ah OAM support. In active
mode, the interface discovers and monitors the peer on the link if the peer also
supports IEEE 802.3ah OAM functionality. In passive mode, the peer initiates
the discovery process. After the discovery process has been initiated, both sides
participate in discovery. The switch performs link monitoring by sending periodic
OAM protocol data units (PDUs) to advertise OAM mode, configuration, and
capabilities.
You can specify the number of OAM PDUs that an interface can miss before the
link between peers is considered down.

Remote Fault Detection


Remote fault detection uses flags and events. Flags carried in the OAM PDU convey
the following conditions: Link Fault means a loss of signal, Dying Gasp means an
unrecoverable condition such as a power failure, and Critical Event means an
unspecified vendor-specific critical event. You can specify the interval at which
periodic OAM PDUs are sent for fault detection. The EX Series switch uses the
Event Notification OAM PDU to notify the remote OAM device when a problem is
detected. You can specify the action that the system takes when a configured
link-fault event occurs.

Remote Loopback Mode


Remote loopback mode lets you verify link quality between the switch and a remote
peer during installation or troubleshooting. In this mode, when the interface
receives a frame that is not an OAM PDU or a pause frame, it sends the frame back
on the same interface on which it was received. The link appears to be in the active
state. You can use the returned loopback frames to test delay, jitter, and
throughput.
JUNOS Software can place a remote DTE into loopback mode (if remote loopback
mode is supported by the remote DTE). When you place a remote DTE into
loopback mode, the remote interface receives the loopback request and enters
remote loopback mode. While the interface is in remote loopback mode, all frames
except OAM PDUs are looped back without any changes made to the frames. OAM
PDUs continue to be sent and processed.
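The discovery flags and fault flags described above are bits in the Flags field of every OAM PDU. The following is an added example, not part of this guide and not JUNOS code: it builds and decodes IEEE 802.3ah OAM PDUs, names the flag bits, and models the pdu-interval and pdu-threshold liveness check. The slow-protocol MAC, Ethertype, subtype and flag bit positions are those of IEEE 802.3 Clause 57; the sample frames are constructed here, and the interval-times-threshold timeout is this example's own assumption.

```python
"""Decode IEEE 802.3ah (Clause 57) OAMPDUs and interpret their Flags field.

Added example for this guide; it is not JUNOS code. Layout: slow-protocol
destination MAC 01:80:c2:00:00:02, Ethertype 0x8809, subtype 0x03, a 16-bit
Flags field and a 1-byte Code. The frames below are constructed; the peer MAC
is the one shown in the guide's sample show oam ethernet link-fault-management
output.
"""
import struct

SLOW_PROTOCOL_DST = bytes.fromhex("0180c2000002")
SLOW_PROTOCOL_ETHERTYPE = 0x8809
OAM_SUBTYPE = 0x03
CODE_INFORMATION = 0x00         # Information OAMPDU: discovery and keepalive
CODE_EVENT_NOTIFICATION = 0x01  # Event Notification OAMPDU: link event TLVs

# Flags field bit assignments (IEEE 802.3 Table 57-3).
FLAG_LINK_FAULT = 1 << 0        # loss of signal on the receive path
FLAG_DYING_GASP = 1 << 1        # unrecoverable condition, e.g. power failure
FLAG_CRITICAL_EVENT = 1 << 2    # unspecified vendor-specific critical event
FLAG_LOCAL_EVALUATING = 1 << 3
FLAG_LOCAL_STABLE = 1 << 4
FLAG_REMOTE_EVALUATING = 1 << 5
FLAG_REMOTE_STABLE = 1 << 6
FAULT_MASK = FLAG_LINK_FAULT | FLAG_DYING_GASP | FLAG_CRITICAL_EVENT
FLAG_NAMES = {
    FLAG_LINK_FAULT: "Link Fault", FLAG_DYING_GASP: "Dying Gasp",
    FLAG_CRITICAL_EVENT: "Critical Event", FLAG_LOCAL_EVALUATING: "Local Evaluating",
    FLAG_LOCAL_STABLE: "Local Stable", FLAG_REMOTE_EVALUATING: "Remote Evaluating",
    FLAG_REMOTE_STABLE: "Remote Stable",
}

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def build_oampdu(src_mac, flags, code=CODE_INFORMATION, payload=b""):
    """Assemble a minimal OAMPDU: Ethernet header, subtype/flags/code, payload."""
    eth = SLOW_PROTOCOL_DST + src_mac + struct.pack("!H", SLOW_PROTOCOL_ETHERTYPE)
    return eth + struct.pack("!BHB", OAM_SUBTYPE, flags, code) + payload

def parse_oampdu(frame):
    """Return peer MAC, Flags, Code and payload of an OAMPDU, or raise ValueError."""
    if len(frame) < 18:
        raise ValueError("frame too short for an OAMPDU header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if dst != SLOW_PROTOCOL_DST or ethertype != SLOW_PROTOCOL_ETHERTYPE:
        raise ValueError("not a slow-protocol frame")
    subtype, flags, code = struct.unpack("!BHB", frame[14:18])
    if subtype != OAM_SUBTYPE:
        raise ValueError("slow-protocol subtype 0x%02x is not OAM" % subtype)
    return {"peer": mac_str(src), "flags": flags, "code": code, "payload": frame[18:]}

def decode_flags(flags):
    """Names of the set Flags bits, lowest bit first; 0x50 is Local Stable + Remote Stable."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def remote_faults(flags):
    """Fault flags the peer is asserting; an empty list means the link is healthy."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit & FAULT_MASK]

def discovery_complete(flags):
    """Both sides have accepted each other's configuration (Local and Remote Stable set)."""
    stable = FLAG_LOCAL_STABLE | FLAG_REMOTE_STABLE
    return flags & stable == stable

class PeerMonitor:
    """Liveness check modelled on pdu-interval and pdu-threshold: the peer is declared
    lost after pdu_threshold consecutive intervals with nothing received. Using
    interval x threshold as the timeout is this example's assumption."""

    def __init__(self, pdu_interval_ms=1000, pdu_threshold=3):
        self.timeout_ms = pdu_interval_ms * pdu_threshold
        self.last_seen_ms = None
        self.peer = None

    def on_frame(self, now_ms, frame):
        pdu = parse_oampdu(frame)
        self.last_seen_ms, self.peer = now_ms, pdu["peer"]
        return pdu

    def peer_lost(self, now_ms):
        return self.last_seen_ms is None or now_ms - self.last_seen_ms >= self.timeout_ms

# Constructed exchange: a stable peer, then a Dying Gasp, then silence.
PEER_MAC = bytes.fromhex("0019e2503be1")
HEALTHY_PDU = build_oampdu(PEER_MAC, FLAG_LOCAL_STABLE | FLAG_REMOTE_STABLE)  # Flags 0x50
DYING_GASP_PDU = build_oampdu(PEER_MAC, FLAG_LOCAL_STABLE | FLAG_REMOTE_STABLE | FLAG_DYING_GASP)

def run_sample():
    """Feed the exchange to a monitor set like switch 1 in the example (pdu-interval 800)."""
    mon = PeerMonitor(pdu_interval_ms=800, pdu_threshold=3)
    first = mon.on_frame(0, HEALTHY_PDU)
    second = mon.on_frame(800, DYING_GASP_PDU)
    return {
        "peer": first["peer"],
        "healthy_flags": decode_flags(first["flags"]),
        "faults": remote_faults(second["flags"]),
        "lost_at_2000": mon.peer_lost(2000),  # 1200 ms of silence: still up
        "lost_at_3200": mon.peer_lost(3200),  # 2400 ms = 3 x 800: peer lost
    }
```

The Flags value 0x50 printed in the verification output later in this guide decodes to Local Stable and Remote Stable, which is why that value indicates a completed discovery; any of the three low bits set means the peer is reporting a fault.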

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663

Chapter 101
Example of Ethernet OAM Link Fault Management Configuration

Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663

Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches


JUNOS Software for EX Series switches allows the Ethernet interfaces on these
switches to support the IEEE 802.3ah standard for the Operation, Administration,
and Maintenance (OAM) of Ethernet in access networks. The standard defines OAM
link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on
point-to-point Ethernet links that are connected either directly or through Ethernet
repeaters.
This example describes how to enable and configure OAM LFM on a Gigabit Ethernet
interface:

Requirements on page 1663

Overview and Topology on page 1663

Configuring Ethernet OAM Link Fault Management on Switch 1 on page 1664

Configuring Ethernet OAM Link Fault Management on Switch 2 on page 1665

Verification on page 1666

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.4 or later for EX Series switches

Two EX3200 or EX4200 switches connected directly

Overview and Topology


JUNOS Software for EX Series switches allows the Ethernet interfaces on these
switches to support the IEEE 802.3ah standard for the Operation, Administration,
and Maintenance (OAM) of Ethernet in access networks. The standard defines OAM
link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on
point-to-point Ethernet links that are connected either directly or through Ethernet
repeaters.
This example uses two EX4200 switches connected directly. Before you begin
configuring Ethernet OAM LFM on the two switches, connect them directly through
a trunk interface.

Configuring Ethernet OAM Link Fault Management on Switch 1


CLI Quick Configuration

To quickly configure Ethernet OAM LFM, copy the following commands and paste
them into the switch terminal window:
[edit protocols oam ethernet link-fault-management]
set interface ge-0/0/0
set interface ge-0/0/0 link-discovery active
set interface ge-0/0/0 pdu-interval 800
set interface ge-0/0/0 remote-loopback

Step-by-Step Procedure

To configure Ethernet OAM LFM on switch 1:

1. Enable IEEE 802.3ah OAM support on an interface:

[edit protocols oam ethernet link-fault-management]
user@switch1# set interface ge-0/0/0

2. Specify that the interface initiates the discovery process by configuring the link
discovery mode to active:

[edit protocols oam ethernet link-fault-management]
user@switch1# set interface ge-0/0/0 link-discovery active

3. Set the periodic OAM PDU-sending interval (in milliseconds) to 800 on switch 1:

[edit protocols oam ethernet link-fault-management]
user@switch1# set interface ge-0/0/0 pdu-interval 800

4. Request that the remote DTE be placed in loopback mode, so that it loops back all
frames except OAM PDUs without making any changes to the frames. The remote DTE
must support remote loopback mode (on switch 2 this is advertised with
allow-remote-loopback):

[edit protocols oam ethernet link-fault-management]
user@switch1# set interface ge-0/0/0 remote-loopback

Results

Check the results of the configuration:

[edit]
user@switch1# show
protocols {
    oam {
        ethernet {
            link-fault-management {
                interface ge-0/0/0 {
                    pdu-interval 800;
                    link-discovery active;
                    remote-loopback;
                }
            }
        }
    }
}

Configuring Ethernet OAM Link Fault Management on Switch 2


CLI Quick Configuration

To quickly configure Ethernet OAM LFM on switch 2, copy the following commands
and paste them into the switch terminal window:
[edit protocols oam ethernet link-fault-management]
set interface ge-0/0/1
set interface ge-0/0/1 negotiation-options allow-remote-loopback

Step-by-Step Procedure

To configure Ethernet OAM LFM on switch 2:

1. Enable OAM on the peer interface on switch 2:

[edit protocols oam ethernet link-fault-management]
user@switch2# set interface ge-0/0/1

2. Advertise that this interface can be placed in loopback mode by the peer (switch 1
requests this with the remote-loopback statement):

[edit protocols oam ethernet link-fault-management]
user@switch2# set interface ge-0/0/1 negotiation-options allow-remote-loopback

Results

Check the results of the configuration:

[edit]
user@switch2# show
protocols {
    oam {
        ethernet {
            link-fault-management {
                interface ge-0/0/1 {
                    negotiation-options {
                        allow-remote-loopback;
                    }
                }
            }
        }
    }
}


Verification

Verifying That OAM LFM Has Been Configured Properly

Purpose
Verify that OAM LFM has been configured properly.

Action
Use the show oam ethernet link-fault-management command in operational mode:

user@switch1> show oam ethernet link-fault-management

Sample Output

  Interface: ge-0/0/0.0
    Status: Running, Discovery state: Send Any
    Peer address: 00:19:e2:50:3b:e1
    Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
    Remote entity information:
      Remote MUX action: forwarding, Remote parser action: forwarding
      Discovery mode: active, Unidirectional mode: unsupported
      Remote loopback mode: supported, Link events: supported
      Variable requests: unsupported

Meaning
When the output shows the peer's MAC address and the discovery state is Send Any,
OAM LFM has been configured properly and discovery with the peer has completed.
The Remote loopback mode: supported line confirms that the peer (switch 2, configured
with allow-remote-loopback) accepts the remote-loopback request configured on switch 1.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667
Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 1661
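The verification above is easy to automate when many links carry LFM. The following is an added example, not part of this guide and not JUNOS code: it parses the text of show oam ethernet link-fault-management as printed above and applies the criteria from the Meaning section (status Running, discovery state Send Any, a learned peer MAC, both sides stable, no fault flags, and optionally peer support for remote loopback). SAMPLE_OK is the output shown in this guide; SAMPLE_DISCOVERING is constructed here to show a peer that has not completed discovery, and its field layout is assumed to match. The fault test uses the IEEE 802.3 flag bit positions.

```python
"""Check show oam ethernet link-fault-management output against the guide's criteria.

Added example for this guide, not JUNOS code. SAMPLE_OK is the output printed
in the guide; SAMPLE_DISCOVERING is constructed. Fault detection uses the IEEE
802.3 Flags bit positions: Link Fault, Dying Gasp and Critical Event are bits 0-2.
"""
import re

SAMPLE_OK = """\
Interface: ge-0/0/0.0
  Status: Running, Discovery state: Send Any
  Peer address: 00:19:e2:50:3b:e1
  Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
  Remote entity information:
    Remote MUX action: forwarding, Remote parser action: forwarding
    Discovery mode: active, Unidirectional mode: unsupported
    Remote loopback mode: supported, Link events: supported
    Variable requests: unsupported
"""

# Constructed sample: discovery still in progress, no peer learned yet.
SAMPLE_DISCOVERING = """\
Interface: ge-0/0/1.0
  Status: Running, Discovery state: Active Send Local
  Peer address: 00:00:00:00:00:00
  Flags:Local-Evaluating 0x8
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
FAULT_MASK = 0x07  # Link Fault | Dying Gasp | Critical Event

def parse_show_oam(text):
    """Split the output into one dict per interface; 'key: value' pairs are comma-separated."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            entries.append({"Interface": line.split(":", 1)[1].strip(), "Flags": [], "Flags hex": 0})
            continue
        if not entries:
            raise ValueError("output does not start with an Interface: line")
        cur = entries[-1]
        if line.startswith("Flags:"):
            tokens = line[len("Flags:"):].split()
            cur["Flags"] = [t for t in tokens if not t.lower().startswith("0x")]
            cur["Flags hex"] = next((int(t, 16) for t in tokens if t.lower().startswith("0x")), 0)
            continue
        if line.endswith(":"):  # section header such as 'Remote entity information:'
            continue
        for part in line.split(","):
            key, _, value = part.partition(":")
            if value:
                cur[key.strip()] = value.strip()
    return entries

def verify_lfm(entry, expect_remote_loopback=False):
    """Return the problems found; an empty list means the guide's criteria are met."""
    problems = []
    if entry.get("Status") != "Running":
        problems.append("status is %r, expected Running" % entry.get("Status"))
    if entry.get("Discovery state") != "Send Any":
        problems.append("discovery state is %r, expected Send Any" % entry.get("Discovery state"))
    peer = entry.get("Peer address", "")
    if not MAC_RE.match(peer) or peer == "00:00:00:00:00:00":
        problems.append("no peer MAC address learned")
    if not {"Local-Stable", "Remote-Stable"} <= set(entry["Flags"]):
        problems.append("discovery not stable on both sides: %s" % " ".join(entry["Flags"]))
    if entry["Flags hex"] & FAULT_MASK:
        problems.append("peer is signalling a fault (flags 0x%02x)" % entry["Flags hex"])
    if expect_remote_loopback and entry.get("Remote loopback mode") != "supported":
        problems.append("peer does not support remote loopback")
    return problems

def check_output(text, expect_remote_loopback=False):
    """Map each interface in a show command output to its list of problems."""
    return {e["Interface"]: verify_lfm(e, expect_remote_loopback) for e in parse_show_oam(text)}
```

Run check_output on the captured text of the command; a non-empty list for an interface names exactly which criterion failed, which is more useful in a monitoring job than a single pass/fail.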

Chapter 102
Configuring Ethernet OAM Link Fault Management

Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

Configuring Ethernet OAM Link Fault Management (CLI Procedure)


Ethernet OAM link fault management (LFM) can be used for physical link-level fault
detection and management. The IEEE 802.3ah LFM works across point-to-point
Ethernet links either directly or through repeaters.
To configure Ethernet OAM LFM using the CLI:

1. Enable IEEE 802.3ah OAM support on an interface:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name

NOTE: The remaining steps are optional. You can choose which of these features to
configure for Ethernet OAM LFM on your switch.

2. Specify whether the interface or the peer initiates the discovery process by
configuring the link discovery mode to active or passive (active = interface
initiates; passive = peer initiates):

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name link-discovery (active | passive)

3. Configure a periodic OAM PDU-sending interval (in milliseconds, 400 through 1000)
for fault detection:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name pdu-interval interval

4. Specify the number of OAM PDUs (3 through 10) that an interface can miss before the
link between peers is considered down:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name pdu-threshold threshold-value

5. Configure event threshold values on an interface for the local errors that trigger
the sending of link event TLVs:

Set the threshold value (in seconds) for sending frame-error events or taking
the action specified in the action profile:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds frame-error count

Set the threshold value (in seconds) for sending frame-period events or taking
the action specified in the action profile:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds frame-period count

Set the threshold value (in seconds) for sending frame-period-summary events or
taking the action specified in the action profile:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds frame-period-summary count

Set the threshold value (in seconds) for sending symbol-period events or taking
the action specified in the action profile:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds symbol-period count

NOTE: You can disable the sending of link event TLVs:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name negotiation-options no-allow-link-events

6. Create an action profile that defines the link fault events to monitor and the
actions to take when they occur. Then apply the action profile to one or more
interfaces. (You can also apply multiple action profiles to a single interface.)

a. Name the action profile:

[edit protocols oam ethernet link-fault-management]
user@switch# set action-profile profile-name

b. Specify the actions to be taken by the system when the link fault event occurs:

[edit protocols oam ethernet link-fault-management]
user@switch# set action-profile profile-name action syslog
user@switch# set action-profile profile-name action link-down

c. Specify the events for the action profile:

[edit protocols oam ethernet link-fault-management]
user@switch# set action-profile profile-name event link-adjacency-loss

NOTE: For each action profile, you must specify at least one link event and one
action. The actions are taken only when all of the events in the action profile are
true. If more than one action is specified, all actions are executed. Because several
action profiles can be applied to one interface, you can, for example, use a low
threshold in one profile for a logging action and a higher threshold in another
profile for a more disruptive action such as link-down.

7. Use remote loopback to test the link. On the switch that initiates the test,
request that the peer interface be placed in loopback mode, so that the peer loops
back all frames except OAM PDUs without making any changes to the frames (the
remote DTE must support remote loopback mode):

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name remote-loopback

On the peer switch, advertise that its interface can be placed in loopback mode:

[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name negotiation-options allow-remote-loopback
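Steps 1 through 7 together make up one configuration, and the statement reference that follows gives the accepted ranges for each value. The following is an added example, not part of this guide and not Juniper code: a small generator that emits the complete LFM configuration as JUNOS set commands and rejects values outside the documented ranges (pdu-interval 400 through 1000, pdu-threshold 3 through 10, event thresholds 1 through 100, at least one event and one action per profile). The interface names, profile name and threshold values are illustrative. The apply-action-profile statement used to attach a profile to an interface is an assumption of this example: the procedure says to apply profiles but does not show the statement.

```python
"""Generate and validate Ethernet OAM LFM configuration as JUNOS set commands.

Added example for this guide, not Juniper code. Statement names and ranges are
the ones documented in this chapter; interface names, the profile name and the
threshold values are illustrative.
"""

PREFIX = "set protocols oam ethernet link-fault-management"
ACTIONS = ("syslog", "link-down")
RATE_EVENTS = ("frame-error", "frame-period", "frame-period-summary", "symbol-period")

def _in_range(name, value, lo, hi):
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError("%s must be an integer %d..%d, got %r" % (name, lo, hi, value))
    return value

def _rate_events(prefix, thresholds):
    """Emit frame-error / frame-period / frame-period-summary / symbol-period counts (1..100)."""
    cmds = []
    for event, count in thresholds.items():
        if event not in RATE_EVENTS:
            raise ValueError("unknown link event %r" % event)
        cmds.append("%s %s %d" % (prefix, event, _in_range(event, count, 1, 100)))
    return cmds

def action_profile(name, actions, link_adjacency_loss=False, link_event_rate=None):
    """set commands for one action profile; at least one event and one action are required."""
    bad = set(actions) - set(ACTIONS)
    if bad:
        raise ValueError("unknown action(s) %s" % sorted(bad))
    if not actions or not (link_adjacency_loss or link_event_rate):
        raise ValueError("an action profile needs at least one event and one action")
    base = "%s action-profile %s" % (PREFIX, name)
    cmds = ["%s action %s" % (base, a) for a in actions]
    if link_adjacency_loss:
        cmds.append("%s event link-adjacency-loss" % base)
    if link_event_rate:
        cmds += _rate_events("%s event link-event-rate" % base, link_event_rate)
    return cmds

def lfm_interface(ifname, link_discovery=None, pdu_interval=None, pdu_threshold=None,
                  event_thresholds=None, remote_loopback=False, allow_remote_loopback=False,
                  no_allow_link_events=False, action_profiles=()):
    """set commands enabling LFM on one interface, with the documented ranges enforced."""
    base = "%s interface %s" % (PREFIX, ifname)
    cmds = [base]                                   # step 1: enable 802.3ah OAM
    if link_discovery is not None:                  # step 2
        if link_discovery not in ("active", "passive"):
            raise ValueError("link-discovery must be active or passive")
        cmds.append("%s link-discovery %s" % (base, link_discovery))
    if pdu_interval is not None:                    # step 3: 400..1000 ms, default 1000
        cmds.append("%s pdu-interval %d" % (base, _in_range("pdu-interval", pdu_interval, 400, 1000)))
    if pdu_threshold is not None:                   # step 4: 3..10 PDUs, default 3
        cmds.append("%s pdu-threshold %d" % (base, _in_range("pdu-threshold", pdu_threshold, 3, 10)))
    if event_thresholds:                            # step 5
        cmds += _rate_events("%s event-thresholds" % base, event_thresholds)
    if remote_loopback:                             # step 7: ask the peer to loop frames back
        cmds.append("%s remote-loopback" % base)
    if allow_remote_loopback:                       # step 7: let the peer put us in loopback
        cmds.append("%s negotiation-options allow-remote-loopback" % base)
    if no_allow_link_events:
        cmds.append("%s negotiation-options no-allow-link-events" % base)
    for profile in action_profiles:
        # Assumption: apply-action-profile attaches a profile to an interface; the
        # procedure says to apply profiles but does not show the statement.
        cmds.append("%s apply-action-profile %s" % (base, profile))
    return cmds

def is_rejected(fn, *args, **kwargs):
    """True when the generator refuses the given parameters."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False

def switch1_example():
    """The guide's switch 1 quick configuration, regenerated."""
    return lfm_interface("ge-0/0/0", link_discovery="active", pdu_interval=800, remote_loopback=True)

def switch2_example():
    """The guide's switch 2 quick configuration, regenerated."""
    return lfm_interface("ge-0/0/1", allow_remote_loopback=True)

def full_example():
    """Every optional step: an action profile that brings the link down on adjacency
    loss or on 10 frame errors, applied to an interface with tightened timers."""
    return (action_profile("lfm-down", ["syslog", "link-down"], link_adjacency_loss=True,
                           link_event_rate={"frame-error": 10})
            + lfm_interface("ge-0/0/2", link_discovery="active", pdu_interval=500, pdu_threshold=5,
                            event_thresholds={"frame-error": 10, "symbol-period": 50},
                            allow_remote_loopback=True, action_profiles=["lfm-down"]))
```

Paste the output of full_example() into configuration mode and commit; the range checks catch typos such as a pdu-interval of 80 before the commit does.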

Related Topics
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 1661


Chapter 103
Configuration Statements for Ethernet OAM Link Fault Management

action

Syntax
action {
    syslog;
    link-down;
}

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Define the action or actions to be taken when the OAM link fault management (LFM)
fault event occurs.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


action-profile

Syntax
action-profile profile-name {
    action {
        syslog;
        link-down;
    }
    event {
        link-adjacency-loss;
        link-event-rate {
            frame-error count;
            frame-period count;
            frame-period-summary count;
            symbol-period count;
        }
    }
}

Hierarchy Level
[edit protocols oam ethernet link-fault-management]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure an Ethernet OAM link fault management (LFM) action profile by specifying
a profile name.
The remaining statements are explained separately.

Options
profile-name: Name of the action profile.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


allow-remote-loopback

Syntax
allow-remote-loopback;

Hierarchy Level
[edit protocols oam ethernet link-fault-management interface interface-name negotiation-options]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Advertise that the interface can be placed in loopback mode by its peer. This enables
remote loopback in Ethernet OAM link fault management (LFM) for the specified
interface on the EX Series switch; the peer requests the loopback with the
remote-loopback statement.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


ethernet

Syntax
ethernet {
    link-fault-management {
        action-profile profile-name {
            action {
                syslog;
                link-down;
            }
            event {
                link-adjacency-loss;
                link-event-rate {
                    frame-error count;
                    frame-period count;
                    frame-period-summary count;
                    symbol-period count;
                }
            }
        }
        interface interface-name {
            link-discovery (active | passive);
            pdu-interval interval;
            pdu-threshold threshold-value;
            remote-loopback;
            event-thresholds {
                frame-error count;
                frame-period count;
                frame-period-summary count;
                symbol-period count;
            }
            negotiation-options {
                allow-remote-loopback;
                no-allow-link-events;
            }
        }
    }
}

Hierarchy Level
[edit protocols oam]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Provide IEEE 802.3ah Operation, Administration, and Maintenance (OAM) support
for Ethernet interfaces on EX Series switches.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


event

Syntax
event {
    link-adjacency-loss;
    link-event-rate {
        frame-error count;
        frame-period count;
        frame-period-summary count;
        symbol-period count;
    }
}

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure link events in an action profile for Ethernet OAM link fault management
(LFM).
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

event-thresholds

Syntax
event-thresholds {
    frame-error count;
    frame-period count;
    frame-period-summary count;
    symbol-period count;
}

Hierarchy Level
[edit protocols oam ethernet link-fault-management interface interface-name]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure threshold limit values for link events in periodic OAM PDUs.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


frame-error

Syntax
frame-error count;

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name event link-event-rate],
[edit protocols oam ethernet link-fault-management interface interface-name event-thresholds]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure the threshold value for sending frame error events or taking the action
specified in the action profile.
Frame errors occur on the underlying physical layer. The threshold is reached when
the number of frame errors reaches the configured value.

Options
count: Threshold count in seconds for frame error events.
Range: 1 through 100 seconds
Default: 1 second

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

frame-period

Syntax
frame-period count;

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name event link-event-rate],
[edit protocols oam ethernet link-fault-management interface interface-name event-thresholds]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure the threshold for the number of frame errors within the last N frames;
the frame period event is generated when that number exceeds the threshold.
Frame errors occur on the underlying physical layer. The threshold is reached when
the number of frame errors reaches the configured value.

Options
count: Threshold count in seconds for frame period events.
Range: 1 through 100 seconds

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


frame-period-summary

Syntax
frame-period-summary count;

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name event link-event-rate],
[edit protocols oam ethernet link-fault-management interface interface-name event-thresholds]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure the threshold value for sending frame period summary error events or
taking the action specified in the action profile.
An errored frame second is any 1-second period that has at least one errored frame.
This event is generated if the number of errored frame seconds is equal to or greater
than the specified threshold for that period.

Options
count: Threshold count in seconds for frame period summary error events.
Range: 1 through 100 seconds

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


interface

Syntax
interface interface-name {
    link-discovery (active | passive);
    pdu-interval interval;
    pdu-threshold threshold-value;
    remote-loopback;
    event-thresholds {
        frame-error count;
        frame-period count;
        frame-period-summary count;
        symbol-period count;
    }
    negotiation-options {
        allow-remote-loopback;
        no-allow-link-events;
    }
}

Hierarchy Level
[edit protocols oam ethernet link-fault-management]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure Ethernet OAM link fault management (LFM) for all interfaces or for specific
interfaces.
The remaining statements are explained separately.

Options
interface-name: Name of the interface to be enabled for IEEE 802.3ah OAM link fault
management (LFM) support.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


link-adjacency-loss

Syntax
link-adjacency-loss;

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name event]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure the loss-of-adjacency event with the IEEE 802.3ah link fault management
(LFM) peer. When included, the loss of adjacency event triggers the action specified
under the action statement.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


link-discovery

Syntax
link-discovery (active | passive);

Hierarchy Level
[edit protocols oam ethernet link-fault-management interface interface-name]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Specify the discovery mode used for IEEE 802.3ah Operation, Administration, and
Maintenance (OAM) link fault management (LFM) support. The discovery process is
triggered automatically when OAM 802.3ah functionality is enabled on an interface.
Link monitoring is done when the interface sends periodic OAM PDUs.

Options
active: In active mode, the interface discovers and monitors the peer on the link if
the peer also supports IEEE 802.3ah OAM functionality.
passive: In passive mode, the peer initiates the discovery process.
Once the discovery process is initiated, both sides participate in discovery.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

link-down

Syntax
link-down;

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name action]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Mark the interface as down for transit traffic when the action profile's events occur.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


link-event-rate

Syntax
link-event-rate {
    frame-error count;
    frame-period count;
    frame-period-summary count;
    symbol-period count;
}

Hierarchy Level
[edit protocols oam ethernet link-fault-management action-profile profile-name event]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure the link event rate thresholds (frame-error, frame-period,
frame-period-summary, symbol-period) at which the actions in the action profile
are taken.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


link-fault-management

Syntax
link-fault-management {
    action-profile profile-name {
        action {
            syslog;
            link-down;
        }
        event {
            link-adjacency-loss;
            link-event-rate {
                frame-error count;
                frame-period count;
                frame-period-summary count;
                symbol-period count;
            }
        }
    }
    interface interface-name {
        link-discovery (active | passive);
        pdu-interval interval;
        pdu-threshold threshold-value;
        remote-loopback;
        event-thresholds {
            frame-error count;
            frame-period count;
            frame-period-summary count;
            symbol-period count;
        }
        negotiation-options {
            allow-remote-loopback;
            no-allow-link-events;
        }
    }
}

Hierarchy Level
[edit protocols oam ethernet]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Configure Ethernet OAM link fault management (LFM) for all interfaces or for specific
interfaces.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


negotiation-options

Syntax
negotiation-options {
    allow-remote-loopback;
    no-allow-link-events;
}

Hierarchy Level
[edit protocols oam ethernet link-fault-management interface interface-name]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Enable and disable IEEE 802.3ah Operation, Administration, and Maintenance (OAM)
link fault management (LFM) features that are negotiated with the peer on Ethernet
interfaces.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

no-allow-link-events

Syntax
no-allow-link-events;

Hierarchy Level
[edit protocols oam ethernet link-fault-management interface interface-name negotiation-options]

Release Information
Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
Disable the sending of link event TLVs.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


oam

Syntax
  oam {
      ethernet {
          link-fault-management {
              action-profile profile-name {
                  action {
                      syslog;
                      link-down;
                  }
                  event {
                      link-adjacency-loss;
                      link-event-rate {
                          frame-error count;
                          frame-period count;
                          frame-period-summary count;
                          symbol-period count;
                      }
                  }
              }
              interface interface-name {
                  link-discovery (active | passive);
                  pdu-interval interval;
                  pdu-threshold threshold-value;
                  remote-loopback;
                  event-thresholds {
                      frame-error count;
                      frame-period count;
                      frame-period-summary count;
                      symbol-period count;
                  }
                  negotiation-options {
                      allow-remote-loopback;
                      no-allow-link-events;
                  }
              }
          }
      }
  }

Hierarchy Level
  [edit protocols]

Release Information
  Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Provide IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) support for Ethernet interfaces on EX Series switches.
  The remaining statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Topics
  Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
  Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667
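The stanza above is a reference tree. As an added example (not Juniper code and not the configuration example on page 1663), the following Python helper renders the set commands for one interface and one action profile, enforces the ranges this chapter documents (pdu-interval 400 through 1000 ms, pdu-threshold 3 through 10, symbol-period count 1 through 100), estimates the resulting peer-loss detection time from pdu-interval multiplied by pdu-threshold, and flags the negotiation options that weaken fault signalling or let the peer take the port out of forwarding. The interface name ge-0/0/1 and the profile name lfm-log are made up for the illustration, and the helper renders the action profile only, because how a profile is bound to an interface is not covered by this chapter.

```python
"""Render and lint the [edit protocols oam ethernet link-fault-management] stanza.

Added example, not Juniper code. Interface and profile names passed by callers
are illustrative. Only the ranges documented in this chapter are enforced.
"""
import re
from typing import List, Optional, Sequence

# Ranges documented in this chapter (pdu-interval is in milliseconds).
PDU_INTERVAL_MS = (400, 1000)   # default 1000
PDU_THRESHOLD = (3, 10)         # default 3
SYMBOL_PERIOD_COUNT = (1, 100)

BASE = "set protocols oam ethernet link-fault-management"


def _check_range(name: str, value: int, bounds: Sequence[int]) -> None:
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} is outside the documented range {lo}-{hi}")


def render_lfm(interface: str, *, link_discovery: str = "active",
               pdu_interval: int = 1000, pdu_threshold: int = 3,
               symbol_period: Optional[int] = None,
               allow_remote_loopback: bool = False,
               send_link_events: bool = True,
               action_profile: Optional[str] = None,
               actions: Sequence[str] = ("syslog",),
               events: Sequence[str] = ("link-adjacency-loss",)) -> List[str]:
    """Return the 'set' commands for one interface and, optionally, one action profile."""
    if link_discovery not in ("active", "passive"):
        raise ValueError("link-discovery must be active or passive")
    _check_range("pdu-interval", pdu_interval, PDU_INTERVAL_MS)
    _check_range("pdu-threshold", pdu_threshold, PDU_THRESHOLD)
    ifc = f"{BASE} interface {interface}"
    cmds = [
        f"{ifc} link-discovery {link_discovery}",
        f"{ifc} pdu-interval {pdu_interval}",
        f"{ifc} pdu-threshold {pdu_threshold}",
    ]
    if symbol_period is not None:
        _check_range("symbol-period", symbol_period, SYMBOL_PERIOD_COUNT)
        cmds.append(f"{ifc} event-thresholds symbol-period {symbol_period}")
    if allow_remote_loopback:
        cmds.append(f"{ifc} negotiation-options allow-remote-loopback")
    if not send_link_events:
        cmds.append(f"{ifc} negotiation-options no-allow-link-events")
    if action_profile is not None:
        prof = f"{BASE} action-profile {action_profile}"
        cmds += [f"{prof} action {a}" for a in actions]
        cmds += [f"{prof} event {e}" for e in events]
    return cmds


def peer_loss_seconds(cmds: Sequence[str]) -> float:
    """Approximate worst-case time to declare the peer lost: pdu-interval x pdu-threshold."""
    text = "\n".join(cmds)
    interval = int(re.search(r"pdu-interval (\d+)", text).group(1))
    threshold = int(re.search(r"pdu-threshold (\d+)", text).group(1))
    return interval * threshold / 1000


def lint_lfm(cmds: Sequence[str]) -> List[str]:
    """Flag settings that weaken fault signalling or let the peer affect this port."""
    text = "\n".join(cmds)
    warnings = []
    if "allow-remote-loopback" in text:
        warnings.append("allow-remote-loopback: the peer can put this port into loopback, "
                        "where every non-OAM frame is sent back instead of forwarded")
    if "no-allow-link-events" in text:
        warnings.append("no-allow-link-events: link event TLVs are not sent, so the peer "
                        "is not told about local faults")
    if "action-profile" in text and "action syslog" not in text:
        warnings.append("action profile has no syslog action: LFM events leave no log record")
    return warnings


if __name__ == "__main__":
    weak = render_lfm("ge-0/0/1", allow_remote_loopback=True, send_link_events=False)
    hardened = render_lfm("ge-0/0/1", pdu_interval=400, action_profile="lfm-log",
                          actions=("syslog", "link-down"))
    for label, cmds in (("weak", weak), ("hardened", hardened)):
        print(f"# {label}: peer declared lost after about {peer_loss_seconds(cmds)} s")
        print("\n".join(cmds))
        for w in lint_lfm(cmds):
            print("WARNING:", w)
```

The weak rendering permits the peer to loop the port and suppresses local link events; the hardened one keeps the defaults for both negotiation options, shortens detection to 1.2 s with the minimum pdu-interval, and logs every event through a syslog action.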


pdu-interval

Syntax
  pdu-interval interval;

Hierarchy Level
  [edit protocols oam ethernet link-fault-management interface interface-name]

Release Information
  Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Specify the interval at which OAM PDUs are sent periodically for fault detection. It is used for IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) support.

Options
  interval: Periodic OAM PDU sending interval.
  Range: 400 through 1000 milliseconds
  Default: 1000 milliseconds

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Topics
  Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
  Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


pdu-threshold

Syntax
  pdu-threshold threshold-value;

Hierarchy Level
  [edit protocols oam ethernet link-fault-management interface interface-name]

Release Information
  Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Configure how many protocol data units (PDUs) are missed before the peer is declared lost in Ethernet OAM link fault management (LFM). Because PDUs are sent at the configured pdu-interval, the time taken to declare the peer lost is approximately threshold-value multiplied by the pdu-interval value.

Options
  threshold-value: Number of PDUs missed before declaring the peer lost.
  Range: 3 through 10 PDUs
  Default: 3 PDUs

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Topics
  Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

remote-loopback

Syntax
  remote-loopback;

Hierarchy Level
  [edit protocols oam ethernet link-fault-management interface interface-name]

Release Information
  Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Set the data terminal equipment (DTE) in loopback mode. Remove the statement from the configuration to take the DTE out of loopback mode. It is used for IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) support. While in loopback mode, every frame received on the port other than OAM PDUs is transmitted back on the same port rather than forwarded, so the port carries no user traffic for as long as the statement is present.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Topics
  Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
  Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


symbol-period

Syntax
  symbol-period count;

Hierarchy Level
  [edit protocols oam ethernet link-fault-management action-profile profile-name event link-event-rate],
  [edit protocols oam ethernet link-fault-management interface interface-name event-thresholds]

Release Information
  Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Configure the threshold for sending symbol period events or for taking the action specified in the action profile.
  Symbol code errors occur on the underlying physical layer. The symbol period threshold is reached when the number of symbol errors within the period reaches the configured value. The default period cannot be changed.

Options
  count: Threshold count for symbol period events, that is, the number of symbol errors in the period that triggers the event.
  Range: 1 through 100

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Topics
  Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

syslog

Syntax
  syslog;

Hierarchy Level
  [edit protocols oam ethernet link-fault-management action-profile profile-name action]

Release Information
  Statement introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Generate a system log message for the Ethernet Operation, Administration, and Maintenance (OAM) link fault management (LFM) event.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Topics
  Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667


Chapter 104: Operational Mode Commands for Ethernet OAM Link Fault Management

show oam ethernet link-fault-management

Syntax
  show oam ethernet link-fault-management
  <brief | detail>
  <interface-name>

Release Information
  Command introduced in JUNOS Release 9.4 for EX Series switches.

Description
  Display Operation, Administration, and Maintenance (OAM) link fault management (LFM) information for Ethernet interfaces.

Options
  brief | detail: (Optional) Display the specified level of output.
  interface-name: (Optional) Display link fault management information for the specified Ethernet interface only.

Required Privilege Level
  view

Related Topics
  Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 1663
  Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 1667

List of Sample Output
  show oam ethernet link-fault-management brief on page 1693
  show oam ethernet link-fault-management detail on page 1694

Output Fields
  Table 222 on page 1690 lists the output fields for the show oam ethernet link-fault-management command. Output fields are listed in the approximate order in which they appear.

Table 222: show oam ethernet link-fault-management Output Fields

Each entry gives the field name, the level of output at which it appears, and the field description.

Status (all levels)
  Indicates the status of the established link.
  Fail: A link fault condition exists.
  Running: A link fault condition does not exist.

Discovery state (all levels)
  State of the discovery mechanism: Passive Wait, Send Any, Send Local Remote, or Send Local Remote Ok.

Peer address (all levels)
  Address of the OAM peer.

Flags (all levels)
  Information about the interface.
  Remote-Stable: Indicates remote OAM client acknowledgment of, and satisfaction with, local OAM state information. False indicates that the remote DTE has either not seen or is unsatisfied with local state information. True indicates that the remote DTE has seen and is satisfied with local state information.
  Local-Stable: Indicates local OAM client acknowledgment of, and satisfaction with, remote OAM state information. False indicates that the local DTE has either not seen or is unsatisfied with remote state information. True indicates that the local DTE has seen and is satisfied with remote state information.
  Remote-State-Valid: Indicates that the OAM client has received remote state information found within the Local Information TLVs of received Information OAM PDUs. False indicates that the OAM client has not seen remote state information. True indicates that the OAM client has seen remote state information.

Remote loopback status (all levels)
  Indicates the remote loopback status. An OAM entity can put its remote peer into loopback mode using the Loopback Control OAM PDU. In loopback mode, every frame received is transmitted back on the same port (except for OAM PDUs, which are needed to maintain the OAM session).

Remote entity information (all levels)
  Remote MUX action: Indicates the state of the multiplexer function of the OAM sublayer. The device is forwarding non-OAM PDUs to the lower sublayer or discarding non-OAM PDUs.
  Remote parser action: Indicates the state of the parser function of the OAM sublayer. The device is forwarding non-OAM PDUs to the higher sublayer, looping back non-OAM PDUs to the lower sublayer, or discarding non-OAM PDUs.
  Discovery mode: Indicates whether discovery mode is active or inactive.
  Unidirectional mode: Indicates the ability to operate a link in unidirectional mode for diagnostic purposes.
  Remote loopback mode: Indicates whether remote loopback is supported or not supported.
  Link events: Indicates whether interpreting link events is supported or not supported on the remote peer.
  Variable requests: Indicates whether variable requests are supported or not supported. The Variable Request OAM PDU is used to request one or more MIB variables from the remote peer.

OAM Receive Statistics (detail)
  Information: The number of information PDUs received.
  Event: The number of event notification PDUs received.
  Variable request: The number of variable request PDUs received.
  Variable response: The number of variable response PDUs received.
  Loopback control: The number of loopback control PDUs received.
  Organization specific: The number of vendor organization specific PDUs received.

OAM Transmit Statistics (detail)
  Information: The number of information PDUs transmitted.
  Event: The number of event notification PDUs transmitted.
  Variable request: The number of variable request PDUs transmitted.
  Variable response: The number of variable response PDUs transmitted.
  Loopback control: The number of loopback control PDUs transmitted.
  Organization specific: The number of vendor organization specific PDUs transmitted.

OAM Received Symbol Error Event Information (detail)
  Events: The number of symbol error event TLVs that have been received after the OAM sublayer was reset.
  Window: The symbol error event window in the received PDU. The protocol default value is the number of symbols that can be received in one second on the underlying physical layer.
  Threshold: The number of errored symbols in the period required for the event to be generated.
  Errors in period: The number of symbol errors in the period reported in the received event PDU.
  Total errors: The number of errored symbols that have been reported in received event TLVs after the OAM sublayer was reset. Symbol errors are coding symbol errors.

OAM Received Frame Error Event Information (detail)
  Events: The number of errored frame event TLVs that have been received after the OAM sublayer was reset.
  Window: The duration of the window in terms of the number of 100 ms period intervals.
  Threshold: The number of detected errored frames required for the event to be generated.
  Errors in period: The number of detected errored frames in the period.
  Total errors: The number of errored frames that have been reported in received event TLVs after the OAM sublayer was reset. A frame error is any frame error on the underlying physical layer.

OAM Received Frame Period Error Event Information (detail)
  Events: The number of frame seconds error event TLVs that have been received after the OAM sublayer was reset.
  Window: The duration of the frame seconds window.
  Threshold: The number of frame seconds errors in the period required for the event to be generated.
  Errors in period: The number of frame seconds errors in the period.
  Total errors: The number of frame seconds errors that have been reported in received event TLVs after the OAM sublayer was reset.

OAM Transmitted Symbol Error Event Information (detail)
  Events: The number of symbol error event TLVs that have been transmitted after the OAM sublayer was reset.
  Window: The symbol error event window in the transmitted PDU.
  Threshold: The number of errored symbols in the period required for the event to be generated.
  Errors in period: The number of symbol errors in the period reported in the transmitted event PDU.
  Total errors: The number of errored symbols reported in event TLVs that have been transmitted after the OAM sublayer was reset.

OAM Transmitted Frame Error Event Information (detail)
  Events: The number of errored frame event TLVs that have been transmitted after the OAM sublayer was reset.
  Window: The duration of the window in terms of the number of 100 ms period intervals.
  Threshold: The number of detected errored frames required for the event to be generated.
  Errors in period: The number of detected errored frames in the period.
  Total errors: The number of errored frames that have been detected after the OAM sublayer was reset.

Sample Output

show oam ethernet link-fault-management brief

user@host> show oam ethernet link-fault-management brief

Interface: ge-0/0/1
Status: Running, Discovery state: Send Any
Peer address: 00:90:69:72:2c:83
Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
Remote loopback status: Disabled on local port, Enabled on peer port
Remote entity information:
Remote MUX action: discarding, Remote parser action: loopback
Discovery mode: active, Unidirectional mode: unsupported
Remote loopback mode: supported, Link events: supported
Variable requests: unsupported

show oam ethernet link-fault-management detail

user@host> show oam ethernet link-fault-management detail


Interface: ge-0/0/1
Status: Running, Discovery state: Send Any
Peer address: 00:90:69:0a:07:14
Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
OAM receive statistics:
Information: 186365, Event: 0, Variable request: 0, Variable response: 0
Loopback control: 0, Organization specific: 0
OAM transmit statistics:
Information: 186347, Event: 0, Variable request: 0, Variable response: 0
Loopback control: 0, Organization specific: 0
OAM received symbol error event information:
Events: 0, Window: 0, Threshold: 0
Errors in period: 0, Total errors: 0
OAM received frame error event information:
Events: 0, Window: 0, Threshold: 0
Errors in period: 0, Total errors: 0
OAM received frame period error event information:
Events: 0, Window: 0, Threshold: 0
Errors in period: 0, Total errors: 0
OAM transmitted symbol error event information:
Events: 0, Window: 0, Threshold: 1
Errors in period: 0, Total errors: 0
OAM transmitted frame error event information:
Events: 0, Window: 0, Threshold: 1
Errors in period: 0, Total errors: 0
Remote entity information:
Remote MUX action: forwarding, Remote parser action: forwarding
Discovery mode: active, Unidirectional mode: unsupported
Remote loopback mode: supported, Link events: supported
Variable requests: unsupported
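As an added example (not Juniper code), the following Python script parses the brief and detail output shown above into per-interface fields and reports the conditions an operator would want to act on: a Fail status, incomplete discovery, missing stability flags, a port placed into loopback by the peer, a peer whose parser is looping frames back, a peer that does not interpret link events, and loopback control or vendor-specific PDUs arriving from the peer. The two embedded samples are constructed from the output formats above (the detail sample is abbreviated); the MAC addresses and counters are illustrative.

```python
"""Parse 'show oam ethernet link-fault-management' output and flag risky peer states.

Added example, not Juniper code. The two samples below are constructed from the
output formats shown on the page; MAC addresses and counters are illustrative.
"""
from typing import Dict, List

# Constructed from the brief output format: the peer port is in loopback.
SAMPLE_BRIEF = """\
Interface: ge-0/0/1
  Status: Running, Discovery state: Send Any
  Peer address: 00:90:69:72:2c:83
  Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
  Remote loopback status: Disabled on local port, Enabled on peer port
  Remote entity information:
    Remote MUX action: discarding, Remote parser action: loopback
    Discovery mode: active, Unidirectional mode: unsupported
    Remote loopback mode: supported, Link events: supported
    Variable requests: unsupported
"""

# Constructed from the detail output format (abbreviated): a healthy session.
SAMPLE_DETAIL = """\
Interface: ge-0/0/1
  Status: Running, Discovery state: Send Any
  Peer address: 00:90:69:0a:07:14
  Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
  OAM receive statistics:
    Information: 186365, Event: 0, Variable request: 0, Variable response: 0
    Loopback control: 0, Organization specific: 0
  OAM transmit statistics:
    Information: 186347, Event: 0, Variable request: 0, Variable response: 0
    Loopback control: 0, Organization specific: 0
  OAM transmitted symbol error event information:
    Events: 0, Window: 0, Threshold: 1
    Errors in period: 0, Total errors: 0
  Remote entity information:
    Remote MUX action: forwarding, Remote parser action: forwarding
    Discovery mode: active, Unidirectional mode: unsupported
    Remote loopback mode: supported, Link events: supported
    Variable requests: unsupported
"""


def parse_lfm(text: str) -> Dict[str, Dict[str, str]]:
    """Map each interface to its fields; fields inside a block are keyed 'block/field'."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {}
            section = ""
            continue
        if current is None:
            continue
        if line.endswith(":"):          # block header such as 'OAM receive statistics:'
            section = line[:-1]
            continue
        fields = result[current]
        last_key = None
        for piece in line.split(", "):
            if ":" in piece:
                key, value = piece.split(":", 1)
                last_key = f"{section}/{key.strip()}" if section else key.strip()
                fields[last_key] = value.strip()
            elif last_key is not None:  # continuation such as 'Enabled on peer port'
                fields[last_key] += ", " + piece.strip()
    return result


def lfm_findings(fields: Dict[str, str]) -> List[str]:
    """Return the conditions on one interface that an operator should look at."""
    findings: List[str] = []
    if fields.get("Status") != "Running":
        findings.append(f"link fault: status is {fields.get('Status')}")
    if fields.get("Discovery state") != "Send Any":
        findings.append(f"discovery not complete: {fields.get('Discovery state')}")
    flags = fields.get("Flags", "").split()
    for want in ("Remote-Stable", "Local-Stable", "Remote-State-Valid"):
        if want not in flags:
            findings.append(f"flag {want} is not set")
    loop = fields.get("Remote loopback status", "")
    if "Enabled on local port" in loop:
        findings.append("this port is in loopback: the peer has taken it out of forwarding")
    if "Enabled on peer port" in loop:
        findings.append("peer port is in loopback: confirm that this was requested locally")
    remote = "Remote entity information/"
    if fields.get(remote + "Remote parser action") == "loopback":
        findings.append("peer parser is looping non-OAM frames back to us")
    if fields.get(remote + "Link events") == "unsupported":
        findings.append("peer does not interpret link events: its faults will not be signalled")
    rx = "OAM receive statistics/"
    if int(fields.get(rx + "Loopback control", "0")) > 0:
        findings.append("peer has sent loopback control PDUs")
    if int(fields.get(rx + "Organization specific", "0")) > 0:
        findings.append("vendor-specific OAM PDUs received from peer")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_BRIEF, SAMPLE_DETAIL):
        for ifname, fields in parse_lfm(sample).items():
            print(ifname, "peer", fields.get("Peer address"))
            for finding in lfm_findings(fields) or ["no findings"]:
                print("  -", finding)
```

Run against real output, the script can be fed the text of the command for every LFM-enabled interface; a finding on "Enabled on local port" means the peer has used the allow-remote-loopback negotiation option to stop this port forwarding, which is the condition to alert on.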


Chapter 105: Configuration Statements for Network Management

  [edit snmp] Configuration Statement Hierarchy on page 1695

[edit snmp] Configuration Statement Hierarchy

  snmp {
      rmon {
          history history-index {
              bucket-size number;
              interface interface-name;
              interval seconds;
              owner owner-name;
          }
      }
  }

Related Topics
  Configuring SNMP (J-Web Procedure) on page 777
  JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html


bucket-size

Syntax
  bucket-size number;

Hierarchy Level
  [edit snmp rmon history history-index]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Configure the number of samples of Ethernet statistics kept in this history entry for network fault diagnosis, planning, and performance tuning.

Default
  50

Options
  number: Number of discrete samples of Ethernet statistics requested.

Required Privilege Level
  snmp: To view this statement in the configuration.
  snmp-control: To add this statement to the configuration.

Related Topics
  Configuring SNMP (J-Web Procedure) on page 777
  JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html


history

Syntax
  history history-index {
      bucket-size number;
      interface interface-name;
      interval seconds;
      owner owner-name;
  }

Hierarchy Level
  [edit snmp rmon]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Configure RMON history group entries. This RMON feature can be used with the Simple Network Management Protocol (SNMP) agent in the switch to monitor all the traffic flowing among switches on all connected LAN segments. It collects statistics in accordance with user-configurable parameters.
  The history group controls the periodic statistical sampling of data from various types of networks. This group contains configuration entries that specify an interface, a polling period, and other parameters. The interface interface-name statement is mandatory. The other statements in the history group are optional.

Default
  Not configured.

Options
  history-index: Integer that identifies this history entry.
  Range: 1 through 65535

Required Privilege Level
  snmp: To view this statement in the configuration.
  snmp-control: To add this statement to the configuration.

Related Topics
  Configuring SNMP (J-Web Procedure) on page 777
  JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html


interface

Syntax
  interface interface-name;

Hierarchy Level
  [edit snmp rmon history history-index]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Specify the interface to be monitored in the specified RMON history entry.
  Only one interface can be specified for a particular RMON history index; there is a one-to-one relationship between the interface and the history index. The interface must be specified for the RMON history entry to be created.

Options
  interface-name: The interface to be monitored within the specified entry of the RMON history of Ethernet statistics.

Required Privilege Level
  snmp: To view this statement in the configuration.
  snmp-control: To add this statement to the configuration.

Related Topics
  Configuring SNMP (J-Web Procedure) on page 777
  JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

owner

Syntax
  owner owner-name;

Hierarchy Level
  [edit snmp rmon history history-index]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  Specify the user or group responsible for this configuration.

Options
  owner-name: The user or group responsible for this configuration.
  Range: 0 through 32 alphanumeric characters

Required Privilege Level
  snmp: To view this statement in the configuration.
  snmp-control: To add this statement to the configuration.

Related Topics
  Configuring SNMP (J-Web Procedure) on page 777
  JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html


rmon

Syntax
  rmon {
      history history-index {
          interface interface-name;
          bucket-size number;
          interval seconds;
          owner owner-name;
      }
  }

Hierarchy Level
  [edit snmp]

Release Information
  Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description
  RMON is an existing feature of JUNOS Software.
  The RMON specification provides network administrators with comprehensive network fault diagnosis, planning, and performance tuning information. It delivers this information in nine groups of monitoring elements, each providing specific sets of data to meet common network monitoring requirements. Each group is optional, so vendors do not need to support all the groups within the MIB.
  JUNOS Software supports the RMON Statistics, History, Alarm, and Event groups. The EX Series documentation describes only the rmon history statement, which was added with this release.
  The statements are explained separately.

Default
  Disabled.

Required Privilege Level
  snmp: To view this statement in the configuration.
  snmp-control: To add this statement to the configuration.

Related Topics
  Configuring SNMP (J-Web Procedure) on page 777
  JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
