Although Juniper Networks has attempted to provide accurate information in this guide, Juniper Networks does not warrant or guarantee the accuracy of the information provided herein. Third party product descriptions and related technical details provided in this document are for information purposes only and such products are not supported by Juniper Networks. All information provided in this guide is provided as is, with all faults, and without warranty of any kind, either expressed or implied or statutory. Juniper Networks and its suppliers hereby disclaim all warranties related to this guide and the information contained herein, whether expressed or implied or statutory including, without limitation, those of merchantability, fitness for a particular purpose and noninfringement, or arising from a course of dealing, usage, or trade practice.
IMPLEMENTATION GUIDE - Deploying Juniper Networks EX Series Ethernet Switches in Branch Offices
Table of Contents
Introduction ... 5
  Hardware ... 5
  Software ... 5
EX Series Ethernet Switches in the Branch ... 6
Section 1: Routing and Switching at the Core ... 7
  Section 1: Physical Connectivity and Layer 2 Features ... 8
  Section 2: High Availability ... 8
  Section 3: Switching and Routing ... 8
  Section 4: Switch Services ... 8
  Section 5: Port Security and Network Management ... 8
  Section 1.1: Physical Connectivity and Layer 2 Features ... 9
    Port Connection ... 9
    VLAN ... 10
    VLAN Membership ... 11
      Option 1: VLAN Centric ... 11
      Option 2: Port Centric ... 11
    RVI ... 11
    Management Interface ... 12
    IPT Deployment ... 12
      Option 1: PC and IP Phone on Separate Ports ... 12
      Option 2: PC and IP Phone on the Same Port ... 13
  Section 1.2: High Availability ... 14
    LAG ... 14
    Virtual Chassis Technology ... 15
      Mastership Priority ... 16
      Preprovisioning ... 16
    GRES ... 17
    VRRP ... 17
  Section 1.3: Routing and Switching ... 18
    Routing ... 18
      Inter-VLAN Routing ... 18
      Unicast Routing ... 18
        Static Routes (Small and Medium Branch Offices) ... 19
        OSPF (Large Branch Office) ... 19
      ECMP ... 20
      Multicast Routing ... 20
    Spanning Tree Protocol ... 21
      RSTP (Ideal for Small/Medium Branch Offices) ... 22
      MSTP (Ideal for Large Branch Office) ... 22
      BPDU Protection ... 24
    Redundant Trunk Group (RTG) ... 24
    IGMP Snooping ... 25
  Section 1.4: Services ... 25
    DHCP/BOOTP Relay ... 26
    LLDP/LLDP-MED ... 26
    GVRP ... 26
    CoS ... 27
      Forwarding Classes (Queuing) ... 27
      Classification ... 28
      Scheduling ... 29
  Section 1.5: Security and Switch Management ... 31
    SSH ... 31
    Firewall Filter ... 31
    Port-Level Access ... 32
    Access-Security ... 33
      DHCP Snooping ... 33
      Dynamic ARP Inspection (DAI) ... 34
      IP Source Guard ... 34
    Switch Management ... 34
Section 2: Routing to the Edge ... 35
  Section 2.1: Physical Connectivity and Layer 2 Features ... 36
  Section 2.2: High Availability ... 36
  Section 2.3: Routing and Switching ... 37
    Routing ... 37
      RIP (for Small and Medium Branch Offices) ... 37
      OSPF (for Large Branch Offices) ... 38
      ECMP ... 38
      Multicast Routing ... 38
    Switching ... 38
  Section 2.4: Services ... 39
    DHCP Services: DHCP Server ... 39
  Section 2.5: Security and Switch Management ... 40
Summary ... 40
References ... 40
Appendix A: Acronyms ... 41
About Juniper Networks ... 42
Table of Figures
Figure 1: Highly available branch office topology ... 6
Figure 2: Mixed L2 and L3 environment for routing at the core deployment ... 7
Figure 3: Physical and basic layer 2 configurations for routing at the core deployment ... 9
Figure 4: Switch divided into separate VLANs ... 10
Figure 5: Separate physical connection for PC and IP phone ... 12
Figure 6: Independent LAN connections for PC and IP phone ... 13
Figure 7: High availability scenarios for routing at the core deployment ... 14
Figure 8: LAG can be formed between any devices that have the LAG capability ... 14
Figure 9: Logical representation of VRRP between L3 switches ... 17
Figure 10: Implementation of routing and switching for routing at the core deployment ... 18
Figure 11: Spanning-tree layer 2 forwarding topology for MSTI 1 and MSTI 2 ... 23
Figure 12: Switch features implementation for routing at the core ... 25
Figure 13: EX Series switches CoS model for classification, queuing, and scheduling ... 27
Figure 14: Security features for routing in the core deployment ... 31
Figure 15: Hacker posing as the end device ... 33
Figure 16: Diagram of routing to the edge (access) ... 35
Figure 17: Physical connectivity and basic L2 features in routing to the access deployment ... 36
Figure 18: HA deployment for routing to the edge method ... 36
Figure 19: Routing and switching implementation for routing to the access deployment ... 37
Figure 20: OSPF areas for the large branch office in routing to the access deployment ... 38
Figure 21: Services implementation for routing to the edge deployment ... 39
Figure 22: Security and switch management implementation for routing to the access deployment ... 40
Introduction
This Implementation Guide is targeted at the SE community and other technical audiences to describe how to deploy Juniper Networks EX Series Ethernet Switches in a branch environment. This document covers implementation and configuration for the following EX Series switch features:
VLAN
Spanning Tree Protocol (STP)
Routing
Class of service (CoS)
DHCP services
High Availability (HA)
Security
Management
Since the focus of this document is on EX Series in highly available branch offices, configuration of Juniper Networks J Series Services Routers is not covered. Application Notes on J Series routers can be found under the Literature tab on the J Series Web page at www.juniper.net.
Hardware
This document will cover the EX Series, including the Juniper Networks EX3200 Ethernet Switch and the Juniper Networks EX4200 Ethernet Switch with Virtual Chassis technology.
Software
All features described in this document are available in Juniper Networks Junos Software 9.2 or later for the EX Series switches.
[Figure 1: Highly available branch office topology. Floor 1 with an EX4200 switch, EX2200/EX3200 PoE access switches, an SRX Series device, local servers, an access point, and security cameras]
In branch offices with a small number of users (typically fewer than 20, referred to as a micro-branch), the access switch and branch router functions may be consolidated within a single device, merging the access and core layers. This document provides implementation guidelines and configuration examples for EX Series Ethernet Switches in small, medium, and large branch offices. Configuration of Layer 2 and Layer 3 protocols within the access and core layers of the branch office is discussed, as well as implementation details on connectivity, HA, security, and services. The configuration of branch routers, such as J Series routers, is not covered in detail.

This document is broken into two main sections, which represent two different deployment methods: Routing and Switching at the Core, and Routing to the Edge.

Section 1: Routing and Switching at the Core: A traditional branch-office deployment is a mixture of Layer 3 (core) and Layer 2 (between the core and access). Network engineers are faced with complex designs involving routing and Spanning Tree, and because of that complexity, network management and visibility can be a challenge.

Section 2: Routing to the Edge: Creating a Layer 3 network by extending routing to the edge (or access layer) is the optimal branch-office deployment, since it creates a deterministic network, maximizes redundant links (ECMP) without the worry of a Layer 2 loop, and has superior convergence characteristics. A Layer 3 network also reduces the number of protocols (such as Spanning Tree and VRRP) that must run between the core and edge/access, which means less time managing and more time innovating the network.

Each of the two sections is further divided into five subsections:
Subsection 1: Physical Connectivity and Basic Switch Configuration
Subsection 2: High Availability
Subsection 3: Routing and Switching
Subsection 4: Switch Services
Subsection 5: Security and Network Management
[Figure 2: Mixed L2 and L3 environment for routing at the core deployment. Layer 3 toward the WAN, Layer 2 toward the access switches]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link.
Figure 3: Physical and basic layer 2 configurations for routing at the core deployment (Core Router A, Core Switch A, and access switches AS A and AS B joined by an L3 link and L2 trunks; legend: 1GbE Access Port, Access Port with Voice VLAN, RVI, Management Interface)
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link.
Port Connection
On the EX Series, port interfaces are configured as Layer 2 Access, Layer 2 Trunk, or Layer 3 interface. Access (Layer 2): An access port is a member of a single VLAN, which is common for a host port. The packet on the wire is unaltered (no VLAN identifier) with the exception of the voice over IP (VoIP) feature, which will be discussed in further detail later in the IPT Deployment section.
Use the show interfaces <name> command (as shown in the following) to determine the port type.

root> show interfaces ge-0/0/0.0
  Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 48)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol eth-switch, MTU: 0
      Flags: None                              <--- Access Port

root> show interfaces ge-0/1/0.0
  Logical interface ge-0/1/0.0 (Index 87) (SNMP ifIndex 104)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol eth-switch, MTU: 0
      Flags: Is-Primary, Trunk-Mode            <--- Trunk Port

root> show interfaces ge-0/1/1.0
  Logical interface ge-0/1/1.0 (Index 88) (SNMP ifIndex 105)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol inet, MTU: 1500
      Flags: None                              <--- Layer 3 Port
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.1.1/24, Local: 10.1.3.1, Broadcast: 10.1.3.3
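As an added example (not from the Juniper guide), the following Python script applies the reading rule above to show interfaces output: it classifies each logical interface as access, trunk, or Layer 3 from the Protocol line and the Trunk-Mode flag, and compares the result with an intended-role table so that a host port unexpectedly running as a trunk stands out. The sample output and the intended-role table are constructed.

```python
"""Classify EX Series port types from `show interfaces <name>` output.

Added example (not from the Juniper guide). Reading rule applied: protocol
eth-switch means a Layer 2 port, which is a trunk only when the family-level
Flags line carries Trunk-Mode; protocol inet means a Layer 3 port.
"""
import re

# Constructed sample, laid out like the guide's three `show interfaces` outputs.
SAMPLE_OUTPUT = """\
Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 48)
  Flags: SNMP-Traps Encapsulation: ENET2
  Input packets : 0
  Output packets: 0
  Protocol eth-switch, MTU: 0
    Flags: None
Logical interface ge-0/1/0.0 (Index 87) (SNMP ifIndex 104)
  Flags: SNMP-Traps Encapsulation: ENET2
  Input packets : 0
  Output packets: 0
  Protocol eth-switch, MTU: 0
    Flags: Is-Primary, Trunk-Mode
Logical interface ge-0/1/1.0 (Index 88) (SNMP ifIndex 105)
  Flags: SNMP-Traps 0x0 Encapsulation: ENET2
  Input packets : 0
  Output packets: 0
  Protocol inet, MTU: 1500
    Flags: None
    Addresses, Flags: Is-Preferred Is-Primary
      Destination: 10.1.1/24, Local: 10.1.3.1, Broadcast: 10.1.3.3
"""


def classify_ports(text):
    """Map each logical interface to 'access', 'trunk', 'layer3' or 'unknown'."""
    roles = {}
    current = None      # logical interface currently being read
    protocol = None     # protocol of the family block currently being read
    for line in text.splitlines():
        m = re.match(r"\s*Logical interface (\S+)", line)
        if m:
            current, protocol = m.group(1), None
            roles[current] = "unknown"
            continue
        if current is None:
            continue
        m = re.match(r"\s*Protocol (\S+),", line)
        if m:
            protocol = m.group(1)
            if protocol == "inet":
                roles[current] = "layer3"
            elif protocol == "eth-switch":
                roles[current] = "access"   # becomes 'trunk' if the flag follows
            continue
        # Family-level "Flags:" line; the interface-level one comes before
        # any "Protocol" line, when protocol is still None, so it is ignored.
        m = re.match(r"\s*Flags: (.*)", line)
        if m and protocol == "eth-switch" and "Trunk-Mode" in m.group(1):
            roles[current] = "trunk"
    return roles


def find_role_mismatches(actual, expected):
    """Return interfaces whose observed role differs from the intended one.

    A host-facing port that reports 'trunk' deserves a look: a trunk accepts
    tagged frames for every VLAN it carries.
    """
    return sorted(name for name, role in expected.items()
                  if actual.get(name, "unknown") != role)


if __name__ == "__main__":
    roles = classify_ports(SAMPLE_OUTPUT)
    for name, role in roles.items():
        print(f"{name}: {role}")
    # Constructed intent table: ge-0/1/0.0 was meant to be a plain access port.
    intended = {"ge-0/0/0.0": "access", "ge-0/1/0.0": "access",
                "ge-0/1/1.0": "layer3"}
    print("mismatches:", find_role_mismatches(roles, intended))
```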
VLAN
VLANs logically divide the Layer 2 domain of a switch into separate broadcast domains; each VLAN confines its local traffic within its own domain. Juniper recommends a minimum of three VLANs (one for user traffic, one for voice traffic, and one for in-band management) for small and medium branch offices, and four VLANs for large branch offices, with the additional VLAN reserved for server traffic (see Figure 4).
[Figure 4: Switch divided into separate VLANs. One EX Series switch carrying VLAN SERVER, VLAN IPT, and VLAN DATA]
EX Series switches support 4,095 VLANs, any of which may be assigned to either an access or trunk port. In the EX Series switches, creating and deleting VLANs is done under the VLANs stanza. The following configuration example shows how to create a VLAN.
VLAN Membership
Depending on user preference, there are two different ways of assigning a port to a VLAN.
RVI
A routed VLAN interface (RVI) is a logical Layer 3 interface for a VLAN that allows communication between VLANs and with other Layer 3 networks. Access switches need one RVI, for the management interface. Core switches need an RVI for each VLAN (server, data, voice, management, and so on). The following example shows the two steps required to configure a single RVI. Step 1: Configure an IP address for the RVI interface:
root@coreB> show vlans brief
Name: data default management server voice  Tag: 5 1 4 10  Address: 10.1.5.252/24 10.1.2.252/24 10.1.4.252/24 10.1.5.252/24
Management Interface
EX Series switches have an out-of-band Ethernet interface (me0) and a serial port (console 0) for management. For secure management, it is good practice to manage the switch out-of-band, but that can require a separate infrastructure. For branch offices, the cost does not justify a separate management infrastructure; an in-band management interface (on the same network as the data) is more cost-effective. Any Layer 3 interface, such as lo0, an RVI, or a Layer 3 port, can serve as the in-band management interface. Loopback 0 (lo0) is commonly used as the in-band management interface. However, in certain deployments the in-band management interface is something other than lo0; the access switches in this type of deployment are one example. Where the access switch is strictly a Layer 2 device, configuring an RVI on the management VLAN eliminates the need to configure lo0. Since routing protocols are enabled at the core layer, lo0 on the core switch should be configured as follows:
root@coreB> show interfaces lo0.0
  Logical interface lo0.0 (Index 88) (SNMP ifIndex 16)
    Flags: SNMP-Traps Encapsulation: Unspecified
    Input packets : 6
    Output packets: 6
    Protocol inet, MTU: Unlimited
      Flags: None
      Addresses, Flags: Is-Default Is-Primary
        Local: 10.1.2.1
IPT Deployment
There are two ways to physically connect desktop computers and IP phones to the access switch: with the PC and IP phone on separate ports or with the PC and IP phone sharing a port.
[Figure 5: Separate physical connection for PC and IP phone, each on its own EX Series switch port]
root@access> show ethernet-switching interfaces ge-0/0/2.0 detail
Interface: ge-0/0/2.0  Index: 66  State: up
VLANs:
    data   untagged  unblocked
    voice  tagged    unblocked
Note: For full IPT implementation, please refer to the IP telephony (IPT) Application Note.
Figure 7: High availability scenarios for routing at the core deployment (Core Router A, Core Switch A, and access switches AS A and AS B joined by an L3 link and L2 trunks)
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link.

LAG
A link aggregation group (LAG) groups multiple physical links into one virtual bundle to increase bandwidth and provide physical link redundancy. A LAG can be formed either statically or dynamically through LACP, and the aggregated interface can be either a Layer 2 or a Layer 3 port. LACP is part of the IEEE 802.3ad specification, which defines the bundling of several physical ports. Junos adds basic error checking for misconfigurations to LACP. This feature ensures that the LAG is properly configured on both sides of the bundle; if a misconfiguration is detected, the bundle will not become active.
Figure 8: LAG can be formed between any devices that have the LAG capability
On the EX Series switches, a LAG is configured as an aggregated Ethernet (ae) interface. When forming a LAG, all link speeds and duplex settings must be identical. A LAG can contain a maximum of eight links. LAG ports do not need to be contiguous and may span switch members in a Virtual Chassis configuration. For more information on Virtual Chassis technology, read the white paper Juniper Networks EX4200 Ethernet Switches Deliver True Chassis Functionality in a Stackable Form Factor. Hashing is done automatically, based on the packet header. For non-IP packets, hashing is based on source and destination MAC addresses. For IP packets, hashing is based on the source and destination IP addresses and TCP/UDP ports. Hashing on the EX Series is not user configurable. For HA, it is recommended that redundant Ethernet connections be configured between the router and the switch. LAG may be used in larger branch locations to support increasing performance demands between core and access switches.
root@access# set interfaces ae0.0 family ethernet-switching port-mode trunk vlan members all
The following show commands can be used to confirm that the LAG is up and running.
root@access> show lacp interfaces ae0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/3       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/3     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:    Receive State  Transmit State          Mux State
      ge-0/1/2                  Current   Fast periodic Collecting distributing
      ge-0/1/3                  Current   Fast periodic Collecting distributing
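As an added example (not from the Juniper guide), the following Python script parses show lacp interfaces output like the one above and reports, per member link, whether both Actor and Partner are synchronized, collecting, distributing and aggregatable, and whether the Mux State has reached Collecting distributing. The sample output is constructed: ge-0/1/2 and ge-0/1/3 mirror the guide's output, and ge-0/1/4 is a hypothetical misconfigured member whose partner never synchronized.

```python
"""Check LAG member health from `show lacp interfaces <ae>` output.

Added example (not from the Juniper guide). A member is bundled only when
both Actor and Partner report Def=No and Dist/Col/Syn/Aggr=Yes and its Mux
State is "Collecting distributing"; anything else is reported as a problem.
"""
import re

# Constructed sample: two healthy members plus a hypothetical broken one.
SAMPLE_OUTPUT = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/3       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/3     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/4       Actor    No    No    No   No   No   Yes     Fast    Active
      ge-0/1/4     Partner    No   Yes    No   No   No   Yes     Fast    Active
    LACP protocol:    Receive State  Transmit State          Mux State
      ge-0/1/2                  Current   Fast periodic   Collecting distributing
      ge-0/1/3                  Current   Fast periodic   Collecting distributing
      ge-0/1/4                Defaulted   Fast periodic   Detached
"""

STATE_COLUMNS = ("exp", "def", "dist", "col", "syn", "aggr", "timeout", "activity")
# Longest first so the two-word state is matched before its single-word parts.
MUX_STATES = ("Collecting distributing", "Distributing", "Collecting",
              "Attached", "Detached", "Waiting")
STATE_RE = re.compile(
    r"^\s*(\S+)\s+(Actor|Partner)\s+(No|Yes)\s+(No|Yes)\s+(No|Yes)"
    r"\s+(No|Yes)\s+(No|Yes)\s+(No|Yes)\s+(\S+)\s+(\S+)\s*$")


def parse_lacp(text):
    """Return (ae_name, {member: {"Actor": {...}, "Partner": {...}, "mux": str}})."""
    ae_name = None
    members = {}
    for line in text.splitlines():
        m = re.match(r"\s*Aggregated interface:\s+(\S+)", line)
        if m:
            ae_name = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m:
            name, role = m.group(1), m.group(2)
            members.setdefault(name, {})[role] = dict(zip(STATE_COLUMNS, m.groups()[2:]))
            continue
        # Protocol table rows: member name first, Mux State last (may be two words).
        tokens = line.split()
        if tokens and tokens[0] in members:
            for mux in MUX_STATES:
                if re.search(r"\b" + re.escape(mux) + r"\s*$", line):
                    members[tokens[0]]["mux"] = mux
                    break
    return ae_name, members


def lag_problems(members):
    """Return {member: [problem, ...]}; an empty list means the link is bundled."""
    report = {}
    for name, info in members.items():
        problems = []
        for role in ("Actor", "Partner"):
            st = info.get(role)
            if st is None:
                problems.append(f"{role} state missing")
                continue
            if st["def"] == "Yes":
                problems.append(f"{role} is defaulted (no LACPDUs from peer)")
            for flag in ("syn", "col", "dist", "aggr"):
                if st[flag] != "Yes":
                    problems.append(f"{role} {flag}=No")
        if info.get("mux") != "Collecting distributing":
            problems.append(f"mux state is {info.get('mux', 'unknown')!r}")
        report[name] = problems
    return report


def bundle_is_active(report):
    """The bundle forwards traffic only if at least one member is fully up."""
    return any(not problems for problems in report.values())


if __name__ == "__main__":
    ae, members = parse_lacp(SAMPLE_OUTPUT)
    report = lag_problems(members)
    print(f"{ae} active: {bundle_is_active(report)}")
    for name, problems in report.items():
        print(name, "OK" if not problems else "; ".join(problems))
```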
Virtual Chassis Technology
EX4200 switches may accommodate greater port densities by adding additional EX4200 switches to form a Virtual Chassis configuration. Virtual Chassis configurations can be created either by connecting EX4200 switches with the dedicated rear-panel Virtual Chassis ports (VCPs) or through the optional front-panel two-port 10 Gigabit Ethernet or four-port Gigabit Ethernet uplink module. To enable VCP on the uplink ports, the following command is required on both switches in Junos operational mode.
root> show virtual-chassis status
Virtual Chassis ID: 0019.e250.8240
                                                Mastership
Member ID   Status   Serial No      Model         priority
0 (FPC 0)   Prsnt    BM0207431981   ex4200-24t         128
1 (FPC 1)   Prsnt    BP0207452211   ex4200-48t         128
In the previous command, a Virtual Chassis configuration is formed through the dedicated Virtual Chassis ports (vcp0) and the front-panel uplink module (vcp-255/1/3). When EX4200 switches are deployed in a Virtual Chassis configuration, the member switches automatically elect a master and a backup Routing Engine. The master Routing Engine is responsible for managing the Virtual Chassis configuration, while the backup is available to take over in the event of a master failure. All other switches in a Virtual Chassis configuration take on the role of a line card, and are eligible to become the master or backup Routing Engine if the original master or backup were to fail.
Mastership Priority
There is a specific master election process when a Virtual Chassis configuration is formed. Upon bootup, all members are considered eligible candidates and participate in the election. The Master Election Decision Tree determines which switch becomes the master. The master and backup Routing Engines are assigned based on the following criteria, applied in order:
1. Highest mastership priority (default 128, user configurable from 1 through 255)
2. Master in the previous boot, among the eligible switches
3. Uptime of the eligible masters (only if the uptime difference is more than 1 minute)
4. Lowest switch-based MAC address
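The decision tree above, worked through in code. This is an added example, not Juniper's code: each member carries the four attributes the guide lists, elect() applies them in the stated order and returns the master and backup Routing Engines; the MAC addresses, uptimes and priorities are constructed sample values.

```python
"""Virtual Chassis master election modelled on the four-step decision tree."""
from __future__ import annotations

from dataclasses import dataclass
from functools import cmp_to_key


@dataclass(frozen=True)
class Member:
    member_id: int
    mac: str                    # switch-based MAC address, e.g. "0019.e250.8240" (constructed)
    priority: int = 128         # mastership priority, 1-255 (default 128)
    was_master: bool = False    # was the master in the previous boot
    uptime_s: int = 0           # seconds since boot


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def _rank(a: Member, b: Member) -> int:
    """Negative when a ranks ahead of b; criteria are applied in the guide's order."""
    # 1. highest mastership priority
    if a.priority != b.priority:
        return -1 if a.priority > b.priority else 1
    # 2. master in the previous boot
    if a.was_master != b.was_master:
        return -1 if a.was_master else 1
    # 3. longer uptime, but only when the difference exceeds one minute;
    #    members within a minute of each other are treated as a tie here
    if abs(a.uptime_s - b.uptime_s) > 60:
        return -1 if a.uptime_s > b.uptime_s else 1
    # 4. lowest switch-based MAC address
    ma, mb = _mac_int(a.mac), _mac_int(b.mac)
    return -1 if ma < mb else (1 if ma > mb else 0)


def elect(members: list[Member]) -> tuple[Member, Member | None]:
    """Return (master, backup); backup is None for a single-member chassis."""
    if not members:
        raise ValueError("no members to elect from")
    for m in members:
        if not 1 <= m.priority <= 255:
            raise ValueError(f"member {m.member_id}: priority {m.priority} outside 1-255")
    ranked = sorted(members, key=cmp_to_key(_rank))
    return ranked[0], (ranked[1] if len(ranked) > 1 else None)


if __name__ == "__main__":
    m0 = Member(0, "0019.e250.8240", was_master=True, uptime_s=4000)
    m1 = Member(1, "0019.e250.8000", priority=200, uptime_s=30)
    master, backup = elect([m0, m1])
    print(f"master: member {master.member_id}, backup: member {backup.member_id}")
```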
root# set virtual-chassis preprovisioned member 0 serial-number xxxxxxxxxxxx role routing-engine
root# set virtual-chassis preprovisioned member 1 serial-number xxxxxxxxxxxx role routing-engine
root# set virtual-chassis preprovisioned member 2 serial-number xxxxxxxxxxxx role line-card
Step 3: Connect the members.
GRES
Graceful Routing Engine switchover is a Junos feature that facilitates seamless failover between the master and backup Routing Engines. When graceful Routing Engine switchover is enabled, the kernel and certain tables (MAC address, route tables, port states, and so on) are synchronized between the master and the backup Routing Engine, eliminating the need for the backup Routing Engine to relearn states and routes should the master Routing Engine fail. Minimal packet loss should be expected during master failover when graceful Routing Engine switchover is configured.
[Figure: VRRP group 0 on the Data VLAN; Virtual Chassis coreA 10.1.5.253 (Backup); Host 1 IP 10.1.5.252, GW 10.1.5.254]
root@coreB# set interfaces vlan.5 family inet address 10.1.5.252/24 vrrp-group 0 virtual-address 10.1.5.254 priority 250 accept-data preempt
The following output shows a summary of VRRP groups, VR state, and local and virtual IP addresses.
root@coreB> show vrrp summary
Interface     State     Group
vlan.1        up        0
vlan.5        up        0
vlan.10       up        0
[Figure 10 labels: Core Router A, L3 Link, L2 Trunk, Layer 3 / Layer 2, AS A, AS B]
Figure 10: Implementation of routing and switching for routing at the core deployment
Routing
Routing provides IP communication between networks. Networking devices use a route table to direct traffic. The route table can either be static or dynamically populated. EX Series switches support static route and dynamic (BGP, OSPF, IS-IS, and RIP) routing protocols.
Inter-VLAN Routing
Inter-VLAN routing is routing between VLANs within the same device. Inter-VLAN routing of directly connected networks is enabled by default when logical L3 VLAN interfaces are created. In small and medium branch offices, the J Series router is responsible for inter-VLAN routing. In larger branch offices, the core switches are typically responsible for inter-VLAN routing; no configuration is required in any of the branch offices.
Unicast Routing
Unicast routing is the process of sending a packet from a single source to a single destination. A router or Layer 3 switch (such as an EX Series switch) will have a route table to reference on where to send the traffic. Entries in the unicast route table may be either statically configured or dynamically populated.
root@access# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
The show route command will display all the active routes.
root@access> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:05
                    > to 10.1.1.254 via vlan.1
10.1.1.0/24        *[Direct/0] 00:00:05
                    > via vlan.1
10.1.1.1/32        *[Local/0] 00:02:44
                      Local via vlan.1
root@coreB# set protocols ospf area 0.0.0.0 interface ae0.0 authentication md5 1 key peerless
If the authentication fails, then the interface will not establish adjacency with the neighboring OSPF router. Step 2: Advertise the VLAN networks (data, voice, server, and management) to corporate without enabling OSPF on the RVI.
root> show ospf neighbor
Address          Interface     ID            Pri   Dead
10.1.3.2         ae0.0         10.1.2.1        1     30
10.1.3.6         ae1.0         10.1.2.1        1     30
ECMP
OSPF supports equal-cost multipath (ECMP). When building the shortest path tree, OSPF calculates the shortest path to a given destination. If equal-cost paths exist, OSPF inserts the next hops for all equal-cost paths to a destination in the routing table. In the large branch office, ECMP should be configured on all core enabled routing devices.
root@coreB# set policy-options policy-statement ECMP then load-balance per-packet
root@coreB# set routing-options forwarding-table export ECMP
In a mixed L2/L3 environment where ECMP is combined with different ARP and MAC aging timers, unknown unicast flooding will occur due to asymmetrical routing, a condition in which the sending (host to server) and receiving (server to host) paths are different. On one of the core switches (usually the switch that is the VRRP backup), the host's MAC address ages out because the MAC aging timer never gets reset. There are two different ways to mitigate this problem. The first requires a lot of route manipulation on the core routers. The second, and easier, option is to set the ARP timer and the MAC aging timer on the core switches to the same value for all VLANs. The MAC aging timer is configurable in seconds and defaults to 300 seconds. The ARP timer is configurable in minutes and defaults to 20 minutes.
root@coreB# set system arp aging-timer 20
root@coreB# set vlans data mac-table-aging-time 1200
Multicast Routing
Multicast routing is the process of delivering packets from a single source to a specific subset of users or many destination members. Protocol Independent Multicast (PIM) is the predominant multicast routing protocol used today. PIM operates in three basic modes:
PIM dense mode (flood and prune): Multicast traffic is initially flooded to all PIM-DM-enabled routers. If there are no downstream members, then the router prunes towards the source.
PIM sparse mode (explicit join): The destination/receiver member must send an explicit join request to the rendezvous point (RP) router.
PIM source-specific multicast (one-to-many model): Receiving hosts must join with either IGMPv3 or MLDv2.
Juniper recommends PIM sparse mode for branch offices. PIM sparse mode is configured on the core layer devices.
Step 1: Enable PIM sparse mode on all multicast forwarding links (that is, uplinks, user VLANs, and so on).
root@coreB> show pim neighbors
Instance: PIM.master
Interface      IP  V  Mode   Option   Uptime     Neighbor addr
ae0.0           4  2         HPG      00:41:42   10.1.3.2
ae1.0           4  2         HPG      00:41:40   10.1.3.6
vlan.5          4  2         HPG      00:41:37   10.1.5.253
Step 2: Since both core switches are enabled for multicast routing, the coreB switch must be confirmed as the designated router (DR) for the data VLAN. Remember, coreB is the root for MSTI 2. The DR is responsible for sending joins to the RP and forwarding multicast traffic for the LAN, which prevents duplicate multicast requests from being forwarded to the LAN (one by each of the core switches). If no priority is configured, then the interface with the highest IP address becomes the DR. The default priority is 1.
root@coreB> show pim neighbors detail | find vlan.
Interface: vlan.5

    Address: 10.1.5.252, IPv4, PIM v2, Mode: Sparse, Join Count: 0
        Hello Option Holdtime: 65535 seconds
        Hello Option DR Priority: 250
        Hello Option Generation ID: 186023536
        Hello Option LAN Prune Delay: delay 500 ms override 2000 ms

    Address: 10.1.5.253, IPv4, PIM v2, Join Count: 0
        Hello Option Holdtime: 105 seconds 85 remaining
        Hello Option DR Priority: 1
        Hello Option Generation ID: 582692152
Step 3: Configure two multicast dense groups, 224.0.1.39 and 224.0.1.40. Auto-RP requires multicast flooding to announce potential RP candidates and to discover the elected RPs in the network. Multicast flooding occurs through a PIM dense mode model where group 224.0.1.39 is used for announce messages and group 224.0.1.40 is used for discovery messages.
root@coreB# set protocols pim dense-groups 224.0.1.39
root@coreB# set protocols pim dense-groups 224.0.1.40
Step 4: The RP acts as the multicast gatekeeper. All PIM sparse mode routers must determine where the RP is located. RP information can either be configured statically or learned dynamically. From a manageability perspective, dynamic learning is preferable to static configuration.
root@coreB> show pim rps
Instance: PIM.master

Address family INET
RP address       Type
10.255.14.144    auto-rp

Address family INET6
Spanning Tree Protocol
Spanning Tree is a Layer 2 protocol ensuring a loop-free network by blocking redundant Layer 2 paths in the LAN. The EX Series switches support IEEE 802.1D (STP), 802.1s (Rapid Spanning Tree Protocol or RSTP) and 802.1w (Multiple Spanning Tree Protocol or MSTP). On the EX Series switches, RSTP is enabled by default. Note: For a better understanding of Spanning Tree, please refer to the implementation guide Spanning Tree Protocol in Layer 2/Layer 3 Environments.
[Column headers of a spanning-tree interface listing whose rows were not captured: Interface name, Port identifier, Designated port ID, Port cost, Port state, Designated bridge ID, Port role, Link type, Boundary port]
MSTP (Ideal for Large Branch Office)
MSTP is best suited for large branch-office deployments where the LAN consists of core and access switches with redundant links. It is an extension of RSTP, with many of the same features, plus the added capability of Multiple Spanning Tree Instances (MSTIs). RSTP supports only a single instance per switch or Virtual Chassis configuration, whereas up to 64 MSTIs may be configured per switch/Virtual Chassis. MSTIs allow all links to be in a forwarding state while still maintaining a loop-free network.
Step 1: Prior to configuring MSTP, RSTP must first be disabled or deleted.
root@coreB# set protocols mstp bridge-priority 8k
root@coreB# set protocols mstp msti 1 bridge-priority 8k
root@coreB# set protocols mstp msti 2 bridge-priority 4k
By splitting the root bridge between the two core switches, MSTI 1 will always be forwarding to coreA and blocking to coreB, while MSTI 2 will always be forwarding to coreB and blocking to coreA (see Figure 11).
[Figure 11 legend: Management VLAN, Data VLAN, Voice VLAN, STP Forwarding, STP Blocking. Panels: MSTI 1 (Virtual Chassis coreA Root, Virtual Chassis coreB Backup, Virtual Chassis Access Switch) and MSTI 2 (Virtual Chassis coreB Root, Virtual Chassis coreA Backup, Virtual Chassis Access Switch)]
Note: All inter-switch links are trunk links and all VLANs are allowed
Figure 11: Spanning-tree layer 2 forwarding topology for MSTI 1 and MSTI 2
The following output is from the spanning-tree parameters for the switch.
root@coreB> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
  STP bridge parameters for CIST
  Root ID                           :
  CIST regional root                :
  CIST internal root cost           :
  Hello time                        :
  Maximum age                       :
  Forward delay                     :
  Number of topology changes        :
  Local parameters
    Bridge ID                       :
    Extended system ID              :
    Internal instance ID            :
  STP bridge parameters for MSTI 1
  MSTI regional root                :
  Hello time                        :
  Maximum age                       :
  Forward delay                     :
  Local parameters
    Bridge ID                       :
    Extended system ID              :
    Internal instance ID            :
  STP bridge parameters for MSTI 2
  MSTI regional root                :
  Hello time                        :
  Maximum age                       :
  Forward delay                     :
  Local parameters
    Bridge ID                       : 4098.00:19:e2:51:49:00
    Extended system ID              : 0
    Internal instance ID            : 2
Copyright 2010, Juniper Networks, Inc.
Step 3: Map VLANs to the MSTI. MSTI configurations must be the same for both core and access switches.
root@coreB# set protocols mstp msti 1 vlan [1 10]
root@coreB# set protocols mstp msti 2 vlan [4 5]
The following command shows the MSTI configuration.
root@coreB> show spanning-tree mstp configuration
MSTP information
Context identifier   : 0
Revision             : 0
Configuration digest : 0x5c97faba14eb0262961fcff959a44bac
MSTI   Member VLANs
0      0,2-3,6-9,11-4094
1      4-5
2      1,10
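Why the MSTI configuration must be identical on core and access switches: the configuration digest shown above is an HMAC-MD5 over the whole VLAN-to-MSTI table, and switches only form one MST region when name, revision and digest all agree. The following added example (not Juniper's code) builds the 802.1s MST Configuration Table from a mapping, computes the digest with the signature key fixed by IEEE 802.1Q, and renders each MSTI's members in the notation of the output above; the mapping used is the one displayed in that output.

```python
"""MST configuration digest and per-MSTI member VLAN list (added example)."""
from __future__ import annotations

import hashlib
import hmac

# HMAC-MD5 signature key fixed by IEEE 802.1Q for the MST configuration digest
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def build_mst_table(msti_vlans: dict[int, list[int]]) -> list[int]:
    """Index = VLAN ID (0-4095), value = MSTI; unmapped VLANs stay in MSTI 0 (CIST)."""
    table = [0] * 4096
    for msti, vlans in msti_vlans.items():
        if not 1 <= msti <= 64:
            raise ValueError(f"MSTI {msti} outside 1-64")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} is not a valid VLAN ID")
            if table[vid]:
                raise ValueError(f"VLAN {vid} mapped to more than one MSTI")
            table[vid] = msti
    return table


def mst_config_digest(msti_vlans: dict[int, list[int]]) -> str:
    """Digest over 4096 consecutive two-octet MSTID elements, as 802.1s defines it."""
    table = build_mst_table(msti_vlans)
    data = b"".join(m.to_bytes(2, "big") for m in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest()


def vlan_ranges(vids: list[int]) -> str:
    """Collapse VLAN IDs into the '0,2-3,6-9,11-4094' notation Junos prints."""
    runs: list[str] = []
    start = prev = None
    for v in sorted(vids):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            runs.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = v
    if start is not None:
        runs.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(runs)


def member_vlans(msti_vlans: dict[int, list[int]]) -> dict[int, str]:
    """Per-MSTI member list as displayed (the listing covers VLAN IDs 0-4094)."""
    table = build_mst_table(msti_vlans)
    members: dict[int, list[int]] = {}
    for vid in range(0, 4095):
        members.setdefault(table[vid], []).append(vid)
    return {m: vlan_ranges(v) for m, v in sorted(members.items())}


if __name__ == "__main__":
    # mapping shown in the guide's output: MSTI 1 = VLANs 4-5, MSTI 2 = VLANs 1 and 10
    branch = {1: [4, 5], 2: [1, 10]}
    for msti, vlans in member_vlans(branch).items():
        print(f"MSTI {msti}: {vlans}")
    print("digest:", mst_config_digest(branch))
    # an access switch with the instances swapped gets a different digest
    print("swapped:", mst_config_digest({1: [1, 10], 2: [4, 5]}))
```

With no VLAN mapped (every VLAN in MSTI 0) the function returns the well-known default digest ac36177f50283cd4b83821d8ab26de62, which is a quick way to confirm the table layout is right.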
BPDU Protection
The BPDU Protection feature protects the switching network from rogue switches connecting to the network, which could cause an undesired Layer 2 topology change. BPDU Protection is commonly deployed at the edge ports where BPDUs are not expected. If the protected port receives any BPDU, then the port goes into error (blocked) state.
root@access# set protocols mstp interface ae0.0 disable
root@access# set protocols mstp interface ae1.0 disable
Step 2: Configure RTG.
root@access# set ethernet-switching-options redundant-trunk-group group RTG-1 interface ae0.0
root@access# set ethernet-switching-options redundant-trunk-group group RTG-1 interface ae1.0
Note: The keyword primary gives an interface a higher weight to be active and preempts.
The following output from RTG shows which link is active and forwarding.
root@access> show redundant-trunk-group
Group      Interface   State    Time of last flap   Flap count
name
RTG-1      ae1.0       Up/Act   Never               0
           ae0.0       Up       Never               0
Although Spanning Tree isn't required between the core and access ports, it is still recommended to enable Spanning Tree and/or BPDU protection on the user-facing ports of the access switches.
IGMP Snooping
Switches treat multicast traffic like a broadcast. Therefore, the multicast will flood to all ports in a Layer 2 domain. IGMP snooping constrains multicast traffic to only interested users in a switched network. With IGMP snooping enabled, a LAN switch monitors IGMP transmissions between a host (a network device) and a multicast router, keeping track of the multicast groups and associated member ports. IGMP snooping is enabled by default on EX Series switches. The following output is an IGMP snooping table taken from an access switch.
root@access> show igmp-snooping membership
VLAN: data
    225.1.23.1 *    252 secs
        Interfaces: ge-0/0/0.0, ge-0/0/1.0, ge-0/0/4.0, ge-0/0/13.0
Section 1.4: Services
This section will cover GVRP, LLDP/LLDP-MED, DHCP services, and CoS.
[Figure for Section 1.4 (caption not captured): legend Management VLAN, Data VLAN, Voice VLAN, Server VLAN, AS = Access Switch; labels WAN, Core Router A, L3 Link, Layer 3 / Layer 2, AS A, AS B]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link
DHCP/BOOTP Relay
DHCP is utilized by client devices to obtain the parameters necessary for operating in an IP network from a centralized server. Typically the DHCP server is located on a different subnet. Since DHCP discovery is a Layer 2 broadcast packet and is not forwarded beyond the Layer 2 broadcast domain, DHCP relay (BOOTP relay) is required to forward the request from a client to a DHCP server to obtain the necessary IP parameters. The DHCP/BOOTP relay feature is typically configured on the routed interface for the VLAN; in this case, that is the core devices: routers for small and medium branch offices and core switches for large branch offices.
root@access> show lldp neighbors
LocalInterface   Chassis Id           Port info
ae0.0            00:19:e2:50:87:a0    ae0.0
ae1.0            00:19:e2:50:ac:40    ae1.0
GVRP
GVRP is a standard Layer 2 protocol for creating, deleting, and pruning VLANs. If a host is a member of a VLAN that the switch is not part of, then the switch will dynamically create the VLAN and forward the VLAN requirement to all 802.1q trunks enabled for GVRP. GVRP also manages VLANs on trunk links. If a downstream switch does not have any members for a given VLAN, then the switch will not join the VLAN. The upstream switch will not need to forward any broadcast, multicast, or unknown unicast on the trunk link for that given VLAN. GVRP is recommended on all switch trunk links.
CoS
In the branch office, class of service (CoS) is critical to maintain a high-performance enterprise network and ensure prioritization of business-critical traffic when congestion occurs, as well as to meet latency and jitter requirements for specialized types of traffic. Under a high traffic load, voice, video, and other critical applications may be delayed by less critical or latency-/jitter-sensitive traffic in a best-effort (FIFO) queue. CoS manages the switch's resources based on traffic profile. It is recommended that CoS be implemented at the access ports and on any internetworking links (that is, routers and switches).
[Figure 13: EX Series classification, queuing (Q7-Q0, with Network Control in Q7) and scheduling]
root# set class-of-service forwarding-classes class voice queue-num 5
root# set class-of-service forwarding-classes class video queue-num 4
root# set class-of-service forwarding-classes class business_applications queue-num 2
If required, an additional forwarding class can be defined. Once committed, the queues are created for all ports. The following output is of the egress queues that were just configured.
root# run show interfaces ge-0/0/0 detail | find egress
  Egress queues: 8 supported, 5 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 assured-forw                   0                    0                    0
    2 business_app                   0                    0                    0
    4 video                          0                    0                    0
    5 voice                          0                    0                    0
    7 network-cont                   0                    0                    0
  Active alarms  : None
  Active defects : None
EX Series switches can classify traffic based on QoS markings (802.1p, DSCP, or IP Precedence), L2/L3 address, L4 ports, or any combination of the aforementioned. There are two types of classifiers on the EX Series switches:
Behavior aggregate (BA) classifiers: Distinguish traffic based on 802.1p, DSCP, or IP Precedence
Multifield (MF) classifiers: Distinguish traffic on multiple fields, a combination of source and destination L2/L3 address, L2/L3 QoS markings, and/or TCP/UDP ports
This section only covers the BA classifiers.
Step 1: Enter the CoS classifiers hierarchy and create a classification profile based on DSCP.
root# set forwarding-class voice loss-priority low code-points 101110
root# set forwarding-class video loss-priority low code-points 100110
root# set forwarding-class video loss-priority high code-points [100100 100010]
root# set forwarding-class business_applications loss-priority low code-points [010010 011010]
root# set forwarding-class business_applications loss-priority high code-points [010100 011100]
The following output shows the DSCP classifier just created. Note: Just a snippet is provided.
root# run show class-of-service classifier name branch_classifiers
Classifier: branch_classifiers, Code point type: dscp, Index: 39944
  Code point         Forwarding class                    Loss priority
  000000             best-effort                         low
  000001             best-effort                         low
  ...
  010010             business_applications               low
  010011             best-effort                         low
  010100             business_applications               high
  ...
  011010             business_applications               low
  011011             best-effort                         low
  011100             business_applications               high
  ...
  100010             video                               high
  100011             best-effort                         low
  100100             video                               high
  100101             best-effort                         low
  100110             video                               low
  ...
  101110             voice                               low
  ...
  110000             network-control                     low
  110001             network-control                     low
  111111             network-control                     low
Scheduling
The next step is to allocate queue buffers and configure queue scheduling. Juniper recommends the following configuration: network-control and voice traffic should have at least a 5 percent buffer allocation and be enabled as a strict high-priority (SP) queue. The application queue should have between a 30 and 35 percent buffer allocation and a transmit rate of 40 percent. The best-effort queue receives the remaining buffer and transmit-rate allocation.
Step 1: Enter the CoS scheduler hierarchy.
Step 2: Create scheduler profile for network-control, voice, video, business applications, and best-effort. Buffer size, queue priority (low or strict-high), and transmit-rate (weight) can be defined within each profile.
root# set nc_scheduler buffer-size percent 5
root# set nc_scheduler priority strict-high
root# set voice_scheduler buffer-size percent 5
root# set voice_scheduler priority strict-high
root# set video_scheduler buffer-size percent 15
root# set video_scheduler priority low
root# set video_scheduler transmit-rate percent 50
root# set bapp_scheduler buffer-size percent 25
root# set bapp_scheduler priority low
root# set bapp_scheduler transmit-rate percent 35
root# set be_scheduler buffer-size remainder
root# set be_scheduler priority low
root# set be_scheduler transmit-rate remainder
Note: On the EX Series, an egress queue is either a strict high-priority (SP) queue or a low-priority queue. Strict high-priority queues must always be the highest-numbered queues. Any queue that is not SP is considered low priority and is served by SDWRR.
Step 3: Enter the CoS scheduler-map hierarchy and create a profile.
network-control scheduler nc_scheduler
voice scheduler voice_scheduler
video scheduler video_scheduler
business_applications scheduler bapp_scheduler
best-effort scheduler be_scheduler
root# set ge-0/0/0 scheduler-map branch_scheduler unit 0 classifiers dscp branch_classifiers
root# set ae0 scheduler-map branch_scheduler unit 0 classifiers dscp branch_classifiers
The following output is the CoS summary for the interface.
root> show class-of-service interface ge-0/0/0
Physical interface: ge-0/0/0, Index: 130
Queues supported: 8, Queues in use: 5
  Scheduler map: branch_scheduler, Index: 48327
  Input scheduler map: <default>, Index: 3

  Logical interface: ge-0/0/0.0, Index: 2684275700
    Object         Name            Type     Index
    Classifier     branch_cos      dscp     39944
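A consistency check for the forwarding-class, scheduler and scheduler-map configuration built in the steps above. This is an added example, not Juniper's code: check_cos() applies the rules the guide states (strict-high queues must be the highest-numbered queues in use, fixed buffer-size and transmit-rate percentages must not exceed 100 with at most one remainder scheduler, and the scheduler map may only reference defined forwarding classes and schedulers); the data structures hold the guide's own values.

```python
"""Sanity checks for an EX Series CoS queue/scheduler configuration (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scheduler:
    priority: str                              # "low" or "strict-high"
    buffer: int | str                          # percent, or "remainder"
    transmit_rate: int | str | None = None     # percent, "remainder", or unset (SP queues)


# set class-of-service forwarding-classes class <name> queue-num <n> (guide's values)
FORWARDING_CLASSES = {
    "best-effort": 0, "business_applications": 2, "video": 4,
    "voice": 5, "network-control": 7,
}

# the guide's scheduler definitions
SCHEDULERS = {
    "nc_scheduler": Scheduler("strict-high", 5),
    "voice_scheduler": Scheduler("strict-high", 5),
    "video_scheduler": Scheduler("low", 15, 50),
    "bapp_scheduler": Scheduler("low", 25, 35),
    "be_scheduler": Scheduler("low", "remainder", "remainder"),
}

# the guide's scheduler map: forwarding class -> scheduler
SCHEDULER_MAP = {
    "network-control": "nc_scheduler", "voice": "voice_scheduler",
    "video": "video_scheduler", "business_applications": "bapp_scheduler",
    "best-effort": "be_scheduler",
}


def check_cos(fcs: dict[str, int], schedulers: dict[str, Scheduler],
              sched_map: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the configuration passes."""
    problems: list[str] = []
    queues: dict[int, Scheduler] = {}
    for fc, sch in sched_map.items():
        if fc not in fcs:
            problems.append(f"scheduler map references undefined forwarding class {fc}")
            continue
        if sch not in schedulers:
            problems.append(f"forwarding class {fc} references undefined scheduler {sch}")
            continue
        if fcs[fc] in queues:
            problems.append(f"queue {fcs[fc]} is assigned to more than one forwarding class")
        queues[fcs[fc]] = schedulers[sch]

    # SP queues must sit above every low-priority (SDWRR) queue
    sp = sorted(q for q, s in queues.items() if s.priority == "strict-high")
    low = sorted(q for q, s in queues.items() if s.priority == "low")
    if sp and low and sp[0] < low[-1]:
        problems.append(f"strict-high queues {sp} must be numbered above low-priority queues {low}")

    # fixed percentages must leave room, and only one scheduler may take the remainder
    for attr, label in (("buffer", "buffer-size"), ("transmit_rate", "transmit-rate")):
        values = [getattr(s, attr) for s in queues.values()]
        fixed = sum(v for v in values if isinstance(v, int))
        if fixed > 100:
            problems.append(f"{label} percentages add up to {fixed}, more than 100")
        if values.count("remainder") > 1:
            problems.append(f"more than one scheduler uses {label} remainder")
    return problems


if __name__ == "__main__":
    print(check_cos(FORWARDING_CLASSES, SCHEDULERS, SCHEDULER_MAP) or "configuration passes")
```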
[Figure (caption not captured): legend Firewall Filter on Management Interface, SSH, Access-Security, 802.1X-Single, 802.1X-Multiple, J-Web/NSM; labels Layer 3 / Layer 2, L2 Trunk, AS A, AS B, EX4200 Virtual Chassis]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link
Step 2: Define the firewall filter to accept access connections from trusted sources. The following is an example for SSH. Additional terms are needed for NSM for all branch sites and OSPF and multicast (PIM) for large branch offices.
root# set term ssh from source-address 10.255.1.0/24
root# set term ssh from protocol tcp destination-port ssh
root# set term ssh then accept
Step 3: Apply the filter on lo0. In the case of small and medium branch offices, apply it to the RVI (vlan.1). The following sample configuration was performed on lo0.
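How a stateless filter such as the lo0 filter above decides a packet's fate: terms are tested in order, the first match wins, and anything matching no term falls into the implicit discard at the end of every Junos filter (which is why the OSPF, PIM and NSM terms the guide mentions are needed on top of the ssh term). The following added example (not Juniper's code) models that evaluation; LO0_FILTER holds the guide's ssh term and the sample packets are constructed.

```python
"""Term-by-term evaluation of a stateless firewall filter (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str               # "tcp", "udp", "ospf", "pim", ...
    dport: int | None = None
    sport: int | None = None


@dataclass
class Term:
    name: str
    action: str                                               # "accept" or "discard"
    source_address: list[str] = field(default_factory=list)   # prefixes
    protocol: str | None = None
    destination_port: list[int] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        """Every configured from-condition must hold (conditions in a term are ANDed)."""
        if self.source_address:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in ipaddress.ip_network(p) for p in self.source_address):
                return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.destination_port and pkt.dport not in self.destination_port:
            return False
        return True


def evaluate(terms: list[Term], pkt: Packet) -> tuple[str, str]:
    """Return (action, term name); the implicit final term discards."""
    for term in terms:
        if term.matches(pkt):
            return term.action, term.name
    return "discard", "<implicit discard>"


# the guide's lo0 filter: only the trusted management subnet may open SSH to the switch
LO0_FILTER = [
    Term("ssh", "accept", source_address=["10.255.1.0/24"],
         protocol="tcp", destination_port=[22]),
]

if __name__ == "__main__":
    # constructed sample packets addressed to the switch's RVI 10.1.1.1
    for pkt in (Packet("10.255.1.50", "10.1.1.1", "tcp", dport=22),
                Packet("10.1.5.10", "10.1.1.1", "tcp", dport=22),
                Packet("10.255.1.50", "10.1.1.1", "tcp", dport=80)):
        print(pkt.src, pkt.protocol, pkt.dport, "->", evaluate(LO0_FILTER, pkt))
```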
Port-Level Access
802.1X is an IEEE standard that controls port-level access for end users. Teaming 802.1X with Juniper Networks UAC allows administrators to define access privileges such as assigning VLANs and pushing policies (that is, CoS, firewall filters, and so on) down to the port level. Based on physical connectivity, there are three 802.1X modes used to authenticate users when accessing the network. These three authentication modes are:
Single: This requires one supplicant to authenticate to an authenticator port. All other supplicants connecting to the authenticator port after the first has connected successfully, whether they are 802.1X enabled or not, are permitted to access the port without further authentication. If the first authenticated supplicant logs out, all other supplicants are locked out until a new supplicant successfully authenticates to the port.
Single-secure: This allows only one supplicant to authenticate to an authenticator port. No other supplicant can connect to the authenticator port until the first supplicant logs out.
Multiple: This authenticates multiple supplicants individually on one authenticator port. There is no limit to the number of supplicants that can be configured on a port. This should be used when the port is connected to a wireless access point or in a daisy-chained IPT deployment.
It is highly recommended that 802.1X be implemented on all access switches.
Step 1: Configure the UAC or RADIUS server information, IP address, and password.
root@access# set access profile corp_radius authentication-order radius
root@access# set access profile corp_radius radius authentication-server 10.255.1.100
Step 3: Enable 802.1X on the interface and determine which radius profile to authenticate against. For a single device connected to the switch interface, use single-secure. For multiple devices connected to a single switch interface (that is, access point or daisy-chained IPT deployment), then use multiple.
root@access# set protocols dot1x authenticator authentication-profile-name corp_radius interface ge-0/0/0.0 supplicant multiple
Option: For devices such as IPT or printers that cannot authenticate via 802.1X, use mac-bypass as an alternative authentication method.
root@access> show dot1x interface
802.1X Information:
Interface     Role            State
ge-0/0/0.0    Authenticator   Authenticated
ge-0/0/1.0    Authenticator   Connecting
ge-0/0/3.0    Authenticator   Authenticated
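The admission behaviour of the three supplicant modes described in the Port-Level Access section, worked through as a small model. This is an added example, not Juniper's code: AuthenticatorPort models one access port, connect() is called when a supplicant appears (auth_ok is its RADIUS result, or None for a device that does not speak 802.1X at all) and logout() when it leaves; the MAC addresses used as supplicant names are constructed.

```python
"""Single, single-secure and multiple 802.1X supplicant modes (added example)."""
from __future__ import annotations

MODES = ("single", "single-secure", "multiple")


class AuthenticatorPort:
    def __init__(self, mode: str):
        if mode not in MODES:
            raise ValueError(f"unknown supplicant mode {mode}")
        self.mode = mode
        self.first: str | None = None        # supplicant whose authentication opened the port
        self.authenticated: set[str] = set()  # supplicants that passed RADIUS themselves
        self.riding: set[str] = set()         # admitted on the strength of another's success

    def admitted(self) -> set[str]:
        """Every device currently allowed to send through the port."""
        return self.authenticated | self.riding

    def connect(self, mac: str, auth_ok: bool | None) -> bool:
        """Return True if the supplicant gets access to the port."""
        if self.mode == "multiple":
            # each supplicant authenticates on its own; no cap on the count
            if auth_ok:
                self.authenticated.add(mac)
                return True
            return False
        if self.mode == "single-secure":
            # exactly one supplicant; nobody else gets in until it logs out
            if self.first is None and auth_ok:
                self.first = mac
                self.authenticated.add(mac)
                return True
            return False
        # single: the first successful authentication opens the port
        if self.first is None:
            if auth_ok:
                self.first = mac
                self.authenticated.add(mac)
                return True
            return False
        # later devices ride on the first one, 802.1X-capable or not; this is why
        # the guide reserves single mode for ports with one device behind them
        self.riding.add(mac)
        return True

    def logout(self, mac: str) -> None:
        self.authenticated.discard(mac)
        self.riding.discard(mac)
        if mac == self.first:
            self.first = None
            if self.mode == "single":
                # the anchor supplicant left: everyone who rode on it is locked out again
                self.riding.clear()


if __name__ == "__main__":
    port = AuthenticatorPort("single")
    print(port.connect("00:11:22:33:44:01", True))   # True, first supplicant authenticates
    print(port.connect("00:11:22:33:44:02", None))   # True, printer rides on it
    port.logout("00:11:22:33:44:01")
    print(port.admitted())                           # set(), everyone is locked out again
```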
Access-Security
There are three access-security features that should be deployed on the access switches to prevent man-in-the-middle and spoofing attacks: DHCP snooping, dynamic ARP inspection, and IP source guard.
[Figure (caption not captured): an attacker positioned between a victim and an email server through an L2/L3 switch]
The following command configures a static entry in the DHCP snooping database. This is for devices that have static IP addresses and do not rely on DHCP.
root@core# set ethernet-switching-options secure-access-port interface ge-0/0/0.0 static-ip 10.1.4.10 mac 0b:0b:0b:0b:0b:0b vlan server
The following command shows the DHCP snooping table.
root@access> show dhcp snooping binding
DHCP Snooping Information:
MAC address          IP address     Lease (seconds)
0A:0A:0A:0A:0A:0A    10.1.5.10      67678
0C:0C:0C:0C:0C:0C    10.1.5.15      67678
0D:0D:0D:0D:0D:0D    10.1.10.12     77478
Dynamic ARP Inspection (DAI)
DAI validates ARP packets on the network. The switch intercepts ARP reply packets from access ports and checks them against the IP-MAC database populated by DHCP snooping. If a mismatch is found, then the ARP packet is dropped, preventing man-in-the-middle attacks such as ARP spoofing/poisoning.
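The DAI check described above, applied to the DHCP snooping binding table shown earlier. This is an added example, not Juniper's code: SNOOPING_OUTPUT is a constructed copy of the guide's show dhcp snooping binding output, the static server entry comes from the secure-access-port command, and inspect() forwards an ARP reply (or, for IP source guard, an IP packet) from an untrusted port only when its sender MAC/IP pair appears in the table.

```python
"""DAI / IP source guard lookup against a DHCP snooping binding table (added example)."""
from __future__ import annotations

# constructed copy of the guide's show dhcp snooping binding output
SNOOPING_OUTPUT = """\
DHCP Snooping Information:
MAC address          IP address     Lease (seconds)
0A:0A:0A:0A:0A:0A    10.1.5.10      67678
0C:0C:0C:0C:0C:0C    10.1.5.15      67678
0D:0D:0D:0D:0D:0D    10.1.10.12     77478
"""


def parse_bindings(text: str) -> dict[str, str]:
    """Return {ip: mac} from the show output; MACs are normalised to lowercase."""
    bindings: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows: MAC (five colons), IP, lease in seconds; header lines do not match
        if len(parts) == 3 and parts[0].count(":") == 5 and parts[2].isdigit():
            bindings[parts[1]] = parts[0].lower()
    return bindings


def add_static(bindings: dict[str, str], ip: str, mac: str) -> None:
    """Static entry for a host that never uses DHCP (the guide's server example)."""
    bindings[ip] = mac.lower()


def inspect(bindings: dict[str, str], sender_mac: str, sender_ip: str,
            trusted_port: bool = False) -> tuple[str, str]:
    """Return ("forward" | "drop", reason) for an ARP reply or IP packet."""
    if trusted_port:
        # uplinks towards the DHCP server are trusted and not inspected
        return "forward", "trusted port, not inspected"
    bound = bindings.get(sender_ip)
    if bound is None:
        return "drop", f"no binding for {sender_ip}"
    if bound != sender_mac.lower():
        return "drop", f"{sender_ip} is bound to {bound}, not {sender_mac.lower()}"
    return "forward", "sender matches its binding"


if __name__ == "__main__":
    db = parse_bindings(SNOOPING_OUTPUT)
    add_static(db, "10.1.4.10", "0b:0b:0b:0b:0b:0b")
    # the legitimate owner of 10.1.5.10 answers an ARP request
    print(inspect(db, "0a:0a:0a:0a:0a:0a", "10.1.5.10"))
    # another host on the VLAN claims 10.1.5.10: mismatch against the table, dropped
    print(inspect(db, "0c:0c:0c:0c:0c:0c", "10.1.5.10"))
```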
system services ssh protocol-version v2
system services netconf ssh
snmp view abc oid .1 include
snmp community public view abc
snmp community public authorization read-only
[Figure (caption not captured): labels WAN, Core Router A, Layer 3 / Layer 2, Core Switch A, AS A, AS B]
[Figure 17 legend: 1GbE Access Port, Access Port with Voice VLAN, RVI, Management Interface; labels WAN, Core Router A, Layer 3 / Layer 2, Core Switch A, AS A, AS B]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link
Figure 17: Physical connectivity and basic L2 features in routing to the access deployment
Differences between extending routing to the access layer and routing only in the core are:
All internetworking links are Layer 3.
VLANs do not span beyond the local switches.
The RVI is now configured at the access switches.
All management interfaces are lo0.
[Figure (caption not captured): labels Internet, WAN, SRX Series, Core Switch A, AS A, AS B]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link
[Figure 19 labels: Internet, WAN, SRX Series, Core Switch A, AS A, AS B, EX4200 Virtual Chassis]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link
Figure 19: Routing and switching implementation for routing to the access deployment
Routing
Inter-VLAN routing as well as multicast and unicast routing are configured on the access switches. Refer to Section 1.3 for details.
root@access# set policy-options policy-statement directly_connected from interface [lo0.0 vlan.5 vlan.10]
root@access# set policy-options policy-statement directly_connected then accept
Step 2: Enter RIP hierarchy.
Step 5: Apply the policy to the RIP group to generate advertisements of the directly connected networks.
root@access> show rip neighbor
                     Source      In
Neighbor    State    Address     Met
--------    -----    -------     ---
ae0.0       Up       10.1.2.1      1
OSPF (for Large Branch Offices)
OSPF is now enabled on both the core and access layer switches. The backbone area (area 0.0.0.0) will be between the core routers and switches (customer requirements may differ). Another area should be created for the access switches. Remember to advertise the management interface (lo0).
[Figure 20: J Series Router, Core Router and Core Switch in Area 0.0.0.0 (CORE); Virtual Chassis access switches (ACCESS)]
Figure 20: OSPF areas for the large branch office in routing to the access deployment
ECMP
When routing is extended to the edge, then unknown unicast flooding in a Layer 2 environment due to asymmetrical routing is no longer a concern.
Multicast Routing
Multicast must be enabled on both the core and access layer devices. The only difference is that auto-RP configuration is no longer configured on the core devices but on the access layer switches. If multicast routing is required for the small branch office, then use the EX3200. PIM support for the EX2200 is planned for a later release.
Switching
Since the VLAN domain does not span more than one switch, Spanning Tree is not required. However, it is recommended that RSTP be enabled on all switches to prevent loops in the event of a configuration error.
[Figure 21 labels: Internet, WAN, SRX Series, Core Switch A, AS A, AS B]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link
Figure 21: Services implementation for routing to the edge deployment
DHCP Services
DHCP Server
Step 1: Enter the system services stanza and define the IP pool and subnet.
[Figure 22 legend: Firewall Filter on Management Interface, SSH, Access-Security, 802.1X-Single, 802.1X-Multiple, J-Web/NSM; labels WAN, Internet, Core Switch A, Layer 3 / Layer 2, AS A, AS B]
Note: Management, Data, and Voice VLANs are configured on the L2 trunk link
Figure 22: Security and switch management implementation for routing to the access deployment
Summary
Remote branch offices are vital to today's high-performance enterprise. Deploying EX Series switches and J Series routers with Junos solves today's problems while providing investment protection for the future.
Appendix A: Acronyms
ARP        Address Resolution Protocol
BPDU       Bridge Protocol Data Unit
CoS        Class of Service
DAI        Dynamic ARP Inspection
DHCP       Dynamic Host Configuration Protocol
DDoS       Distributed Denial of Service
DoS        Denial of Service
DP         Drop Precedence
GRES       Graceful Routing Engine Switchover
GVRP       Generic Attribute Resolution Protocol VLAN Registration Protocol
HA         High Availability
IPT        Internet Protocol Telephony
LACP       Link Aggregation Control Protocol
LAG        Link Aggregation Group
LLDP       Link Layer Discovery Protocol
LLDP-MED   Link Layer Discovery Protocol-Media Endpoint Discovery
lo0        Loopback 0
MSTI       Multiple Spanning Tree Instance
MSTP       Multiple Spanning Tree Protocol
NSM        Network and Security Manager
OSPF       Open Shortest Path First
PIM        Protocol Independent Multicast
PIM DM     PIM Dense Mode
PIM SM     PIM Sparse Mode
QoS        Quality of Service
RIP        Routing Information Protocol
RP         Rendezvous Point
RSTP       Rapid Spanning Tree Protocol
RVI        Routed VLAN Interface
SP         Strict Priority
SSH        Secure Shell
STP        Spanning Tree Protocol
VLAN       Virtual LAN
VRRP       Virtual Router Redundancy Protocol
UAC        Unified Access Control
WAN        Wide Area Network
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
8010010-002-EN
Mar 2010