SRX220 + EX2200: routing instance, DHCP server, IPsec, redundant aggregated interfaces (ethernet-switching port-mode trunk) and redundant tagged links


 

 

Configuration on the SRX220 cluster


 

{primary:node0}[edit]
root@srxC-1# show | display set
set version 12.1X46-D65.4
set groups node0 system host-name srxC-1
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.26/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set groups node1 system host-name srxC-2
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.27/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set apply-groups "${node}"
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "pppp"
set system services ssh
set system services telnet
set system services xnm-clear-text
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members all
set interfaces vlan unit 11 description "VLAN unit 11"
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description "VLAN unit 12"
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set routing-instances LAN instance-type virtual-router
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.1
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 low 172.23.12.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 high 172.23.12.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.1
set routing-instances LAN interface vlan.11
set routing-instances LAN interface vlan.12
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

 

Configuration on the EX2200


 

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# show | display set
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v12
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces me0 unit 0 family inet address 10.128.10.249/24

 

Check DHCP server bindings in the routing instance


 

{primary:node0}[edit]
root@srxC-1# run show dhcp server binding routing-instance LAN

IP address        Session Id  Hardware address   Expires     State      Interface
172.23.11.100     8           00:14:bf:70:24:5c  2419055     BOUND      vlan.11

{primary:node0}[edit]
root@srxC-1# run show dhcp server statistics routing-instance LAN
Packets dropped:
    Total                      182
    dhcp-service total         182

Messages received:
    BOOTREQUEST                2
    DHCPDECLINE                0
    DHCPDISCOVER               1
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPREQUEST                1

Messages sent:
    BOOTREPLY                  2
    DHCPOFFER                  1
    DHCPACK                    1
    DHCPNAK                    0
    DHCPFORCERENEW             0

{primary:node0}[edit]
root@srxC-1#

 

Configure reth2 for Internet access


Create the reth2 interface for redundant Internet access, then place it in routing instance LAN. Then configure the DHCP client on it.

 

Step 1. Increase the number of reth interfaces.

 

set chassis cluster reth-count 3

Step 2. Assign the member interfaces to a redundancy group.

 

set chassis cluster redundancy-group 3 node 0 priority 254
set chassis cluster redundancy-group 3 node 1 priority 2
{primary:node0}[edit]
root@srxC-1# set interfaces ge-0/0/1 gigether-options redundant-parent reth2

{primary:node0}[edit]
root@srxC-1# set interfaces ge-3/0/1 gigether-options redundant-parent reth2

Step 3. Create reth2 and configure its description, J-Flow sampling, and DHCP client settings.

 

set interfaces reth2 description "RETH2 to Internet"
set interfaces reth2 redundant-ether-options redundancy-group 3
set interfaces reth2 unit 0 description "reth2.0 Internet Interface"
set interfaces reth2 unit 0 family inet sampling input
set interfaces reth2 unit 0 family inet sampling output
set interfaces reth2 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces reth2 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces reth2 unit 0 family inet dhcp-client update-server

 

Step 4. Create the UNTRUST security zone

 

Create zone UNTRUST and assign interface reth2.0 to it.

Then allow dhcp, ike, https, ping and traceroute as host-inbound system services on that interface; ike is required because the IPsec gateway below uses reth2.0 as its external interface, and the list should stay limited to what the Internet-facing interface actually needs.

 

set security zones security-zone UNTRUST description "UNTRUST towards Inet"
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services traceroute

 

DHCP client statistics and bindings.


 

{primary:node0}[edit]
root@srxC-1# run show dhcp client binding routing-instance LAN

IP address        Hardware address   Expires     State      Interface
94.225.225.166    00:10:db:ff:10:02  7005        BOUND      reth2.0

{primary:node0}[edit]
root@srxC-1# run show dhcp client binding st
                                          ^
syntax error, expecting .
root@srxC-1# run show dhcp client statistics routing-instance LAN
Packets dropped:
    Total                      3
    Send error                 3

Messages received:
    BOOTREPLY                  1
    DHCPOFFER                  0
    DHCPACK                    1
    DHCPNAK                    0
    DHCPFORCERENEW             0

Messages sent:
    BOOTREQUEST                2
    DHCPDECLINE                0
    DHCPDISCOVER               0
    DHCPREQUEST                2
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPRENEW                  0
    DHCPREBIND                 0

{primary:node0}[edit]

Final configuration:

set system services xnm-clear-text
set chassis aggregated-devices ethernet device-count 1
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 254
set chassis cluster redundancy-group 0 node 1 priority 2
set chassis cluster redundancy-group 3 node 0 priority 254
set chassis cluster redundancy-group 3 node 1 priority 2
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members all
set interfaces ge-3/0/1 gigether-options redundant-parent reth2
set interfaces reth2 description "RETH2 to Internet"
set interfaces reth2 redundant-ether-options redundancy-group 3
set interfaces reth2 unit 0 description "reth2.0 Internet Interface"
set interfaces reth2 unit 0 family inet sampling input
set interfaces reth2 unit 0 family inet sampling output
set interfaces reth2 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces reth2 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces reth2 unit 0 family inet dhcp-client update-server
set interfaces vlan unit 11 description "VLAN unit 11"
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description "VLAN unit 12"
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST description "UNTRUST towards Inet"
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services traceroute
set routing-instances LAN instance-type virtual-router
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.1
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 low 172.23.12.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 high 172.23.12.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.1
set routing-instances LAN interface reth2.0
set routing-instances LAN interface vlan.11
set routing-instances LAN interface vlan.12
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

IPsec configuration


 

set version 12.1X46-D65.4
set groups node0 system host-name srxC-1
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.26/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set groups node1 system host-name srxC-2
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.27/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set apply-groups "${node}"
set system time-zone Europe/Brussels
set system root-authentication encrypted-password ""
set system services ssh
set system services telnet
set system services xnm-clear-text
set chassis aggregated-devices ethernet device-count 1
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 254
set chassis cluster redundancy-group 0 node 1 priority 2
set chassis cluster redundancy-group 3 node 0 priority 254
set chassis cluster redundancy-group 3 node 1 priority 2
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members all
set interfaces ge-3/0/1 gigether-options redundant-parent reth2
set interfaces reth2 description "RETH2 to Internet"
set interfaces reth2 redundant-ether-options redundancy-group 3
set interfaces reth2 unit 0 description " ==== reth2.0 INTERNET INTERFACE ==== "
set interfaces reth2 unit 0 family inet sampling input
set interfaces reth2 unit 0 family inet sampling output
set interfaces reth2 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces reth2 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces reth2 unit 0 family inet dhcp-client update-server
set interfaces st0 unit 2 description " ==== ASKAREL IPSEC TUNNEL  INTERFACE ==== "
set interfaces st0 unit 2 family inet sampling input
set interfaces st0 unit 2 family inet sampling output
set interfaces vlan unit 11 description " ==== VLAN unit 11 INTERFACE ==== "
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description " ==== VLAN unit 12 INTERFACE ==== "
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set security ike proposal phase1-ASKAREL description " ==== PHASE 1 ASKAREL PROPOSAL ==== "
set security ike proposal phase1-ASKAREL authentication-method pre-shared-keys
set security ike proposal phase1-ASKAREL dh-group group2
set security ike proposal phase1-ASKAREL authentication-algorithm sha-256
set security ike proposal phase1-ASKAREL encryption-algorithm aes-256-cbc
set security ike proposal phase1-ASKAREL lifetime-seconds 86400
set security ike policy phase1-pol-ASKAREL mode aggressive
set security ike policy phase1-pol-ASKAREL description " ==== PHASE 1 ASKAREL POLICY ==== "
set security ike policy phase1-pol-ASKAREL proposals phase1-ASKAREL
set security ike policy phase1-pol-ASKAREL pre-shared-key ascii-text ""
set security ike gateway gw-ASKAREL ike-policy phase1-pol-ASKAREL
set security ike gateway gw-ASKAREL dynamic inet 172.23.90.64
set security ike gateway gw-ASKAREL dead-peer-detection interval 30
set security ike gateway gw-ASKAREL dead-peer-detection threshold 5
set security ike gateway gw-ASKAREL local-identity inet 172.23.90.0
set security ike gateway gw-ASKAREL external-interface reth2.0
set security ike gateway gw-ASKAREL version v1-only
set security ipsec traceoptions flag all
set security ipsec traceoptions flag security-associations
set security ipsec traceoptions flag packet-drops
set security ipsec traceoptions flag packet-processing
set security ipsec proposal phase2-ASKAREL description " ==== PHASE 2 ASKAREL PROPOSAL ==== "
set security ipsec proposal phase2-ASKAREL protocol esp
set security ipsec proposal phase2-ASKAREL authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-ASKAREL encryption-algorithm aes-256-cbc
set security ipsec proposal phase2-ASKAREL lifetime-seconds 3600
set security ipsec policy phase2-pol-ASKAREL description " ==== PHASE 2 ASKAREL POLICY ==== "
set security ipsec policy phase2-pol-ASKAREL perfect-forward-secrecy keys group2
set security ipsec policy phase2-pol-ASKAREL proposals phase2-ASKAREL
set security ipsec vpn to-ASKAREL bind-interface st0.2
set security ipsec vpn to-ASKAREL ike gateway gw-ASKAREL
set security ipsec vpn to-ASKAREL ike ipsec-policy phase2-pol-ASKAREL
set security ipsec vpn to-ASKAREL establish-tunnels immediately
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match source-address any
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match destination-address any
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match application junos-icmp-ping
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN then permit
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match source-address any
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match destination-address any
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match application junos-icmp-ping
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL then permit
set security zones security-zone TRUST description " ==== TRUST inside networks vlan 11 and vlan 12 ==== "
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST description " ==== UNTRUST towards Inet ==== "
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services traceroute
set security zones security-zone ASKAREL description " ==== ASKAREL IPSEC  ==== "
set security zones security-zone ASKAREL host-inbound-traffic system-services ping
set security zones security-zone ASKAREL host-inbound-traffic system-services traceroute
set security zones security-zone ASKAREL interfaces st0.2
set routing-instances LAN description " ==== LAN ROUTING INSTANCE ==== "
set routing-instances LAN instance-type virtual-router
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.1
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 low 172.23.12.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 high 172.23.12.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.1
set routing-instances LAN interface reth2.0
set routing-instances LAN interface st0.2
set routing-instances LAN interface vlan.11
set routing-instances LAN interface vlan.12
set routing-instances LAN routing-options static route 192.168.5.0/24 next-hop st0.2
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

Redundant interface with LACP


 

Step 1. Assign two interfaces of each cluster member to reth1

{primary:node0}[edit]
root@srxC-1# set interfaces ge-0/0/3 gigether-options redundant-parent reth1

{primary:node0}[edit]
root@srxC-1# set interfaces ge-3/0/3 gigether-options redundant-parent reth1

{primary:node0}[edit]
root@srxC-1# set interfaces ge-0/0/4 gigether-options redundant-parent reth1

{primary:node0}[edit]
root@srxC-1# set interfaces ge-3/0/4 gigether-options redundant-parent reth1

Step 2. Set reth1 as a trunk for all VLANs

{primary:node0}[edit]
root@srxC-1# edit interfaces

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 unit 0 family ethernet-switching port-mode trunk

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 unit 0 family ethernet-switching vlan members all

Step 3. Create redundancy group 2

{primary:node0}[edit]
root@srxC-1# set chassis cluster redundancy-group 2 node 0 priority 254

{primary:node0}[edit]
root@srxC-1# set chassis cluster redundancy-group 2 node 1 priority 2

Step 4. Assign reth1 to redundancy group 2

{primary:node0}[edit]
root@srxC-1# set interfaces reth1 redundant-ether-options redundancy-group 2

Step 5. Create the swfab0 and swfab1 interfaces (ge-0/0/2 is first removed from its trunk role so it can become a fabric member)

{primary:node0}[edit]
root@srxC-1# delete interfaces ge-0/0/2

{primary:node0}[edit]
root@srxC-1# set interfaces swfab0 fabric-options member-interfaces ge-0/0/2

{primary:node0}[edit]
root@srxC-1# set interfaces swfab1 fabric-options member-interfaces ge-3/0/2

{primary:node0}[edit]
root@srxC-1# commit

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21422&actp=METADATA

Before committing

{primary:node0}[edit]
root@srxC-1# run show chassis cluster ethernet-switching status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  255      primary        no      yes      None
node1  2        secondary      no      yes      None

Redundancy group: 2 , Failover count: 1
node0  254      primary        no      no       None
node1  2        secondary      no      no       None

Redundancy group: 3 , Failover count: 1
node0  254      primary        no      no       None
node1  2        secondary      no      no       None

Ethernet switching status:
    Probe state is DOWN. Both nodes are in separate ethernet switching domain(s).

{primary:node0}[edit]
root@srxC-1# run show chassis cluster ethernet-switching interfaces
swfab0:
swfab1:

After committing

{primary:node0}[edit]
root@srxC-1# run show chassis cluster ethernet-switching interfaces
swfab0:

    Name               Status
    ge-0/0/2           up
swfab1:

    Name               Status
    ge-3/0/2           up

{primary:node0}[edit]
root@srxC-1# run show chassis cluster ethernet-switching status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  255      primary        no      yes      None
node1  2        secondary      no      yes      None

Redundancy group: 2 , Failover count: 1
node0  254      primary        no      no       None
node1  2        secondary      no      no       None

Redundancy group: 3 , Failover count: 1
node0  254      primary        no      no       None
node1  2        secondary      no      no       None

Ethernet switching status:
    Probe state is UP. Both nodes are in single ethernet switching domain(s).

Show LACP (not running until LACP is configured on reth1)

{primary:node0}[edit]
root@srxC-1# run show lacp interfaces
warning: lacp subsystem not running - not needed by configuration.

{primary:node0}[edit]
root@srxC-1# set interfaces reth1 redundant-ether-options lacp passive

{primary:node0}[edit]
root@srxC-1# set interfaces reth1 redundant-ether-options lacp periodic slow

{primary:node0}[edit]
root@srxC-1# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

{primary:node0}[edit]
root@srxC-1# run show lacp interfaces
Aggregated interface: reth1
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/3       Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-0/0/3     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/4       Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-0/0/4     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-3/0/3       Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-3/0/3     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-3/0/4       Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-3/0/4     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/3                  Current   Fast periodic Collecting distributing
      ge-0/0/4                  Current   Fast periodic Collecting distributing
      ge-3/0/3                  Current   Fast periodic Collecting distributing
      ge-3/0/4                  Current   Fast periodic Collecting distributing

On the switch

root@STOCKELA-SW-EX01# show | display set
set version 12.3R12.4
set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$219TEinH$Mnlr/utzhlMefCRNwkdDN0"
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/20 ether-options 802.3ad ae0
set interfaces ge-0/0/21 ether-options 802.3ad ae0
set interfaces ge-0/0/22 ether-options 802.3ad ae1
set interfaces ge-0/0/23 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces me0 unit 0 family inet address 10.128.10.249/24
set vlans v11 vlan-id 11
set vlans v12 vlan-id 12

{master:0}[edit]
root@STOCKELA-SW-EX01# set interfaces ae1 aggregated-ether-options lacp active

{master:0}[edit]
root@STOCKELA-SW-EX01# set interfaces ae1 unit 0 family ethernet-switching port-mode trunk

{master:0}[edit]
root@STOCKELA-SW-EX01# set interfaces ae1 unit 0 family ethernet-switching vlan members all

Final configuration on the switch

{master:0}[edit]
root@STOCKELA-SW-EX01# show | display set
set version 12.3R12.4
set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$219TEinH$Mnlr/utzhlMefCRNwkdDN0"
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/20 ether-options 802.3ad ae0
set interfaces ge-0/0/21 ether-options 802.3ad ae0
set interfaces ge-0/0/22 ether-options 802.3ad ae1
set interfaces ge-0/0/23 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members all
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces me0 unit 0 family inet address 10.128.10.249/24
set vlans v11 vlan-id 11
set vlans v12 vlan-id 12

Final configuration on the SRX

{primary:node0}[edit]
root@srxC-1# show | display set
set version 12.1X46-D65.4
set groups node0 system host-name srxC-1
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.26/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set groups node1 system host-name srxC-2
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.27/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set apply-groups "${node}"
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$nExECCUH$4rWgERhjpKiRnCRWdw9Xf1"
set system services ssh
set system services telnet
set system services xnm-clear-text
set chassis aggregated-devices ethernet device-count 1
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 254
set chassis cluster redundancy-group 0 node 1 priority 2
set chassis cluster redundancy-group 3 node 0 priority 254
set chassis cluster redundancy-group 3 node 1 priority 2
set chassis cluster redundancy-group 2 node 0 priority 254
set chassis cluster redundancy-group 2 node 1 priority 2
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/1 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 0 description " ==== reth1.0 TRUNK to SWITCH ==== "
set interfaces reth1 unit 0 family ethernet-switching port-mode trunk
set interfaces reth1 unit 0 family ethernet-switching vlan members all
set interfaces reth2 redundant-ether-options redundancy-group 3
set interfaces reth2 unit 0 description " ==== reth2.0 INTERNET INTERFACE ==== "
set interfaces reth2 unit 0 family inet sampling input
set interfaces reth2 unit 0 family inet sampling output
set interfaces reth2 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces reth2 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces reth2 unit 0 family inet dhcp-client update-server
set interfaces st0 unit 2 description " ==== ASKAREL IPSEC TUNNEL  INTERFACE ==== "
set interfaces st0 unit 2 family inet sampling input
set interfaces st0 unit 2 family inet sampling output
set interfaces swfab0 fabric-options member-interfaces ge-0/0/2
set interfaces swfab1 fabric-options member-interfaces ge-3/0/2
set interfaces vlan unit 11 description " ==== VLAN unit 11 INTERFACE ==== "
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description " ==== VLAN unit 12 INTERFACE ==== "
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set security ike proposal phase1-ASKAREL description " ==== PHASE 1 ASKAREL PROPOSAL ==== "
set security ike proposal phase1-ASKAREL authentication-method pre-shared-keys
set security ike proposal phase1-ASKAREL dh-group group2
set security ike proposal phase1-ASKAREL authentication-algorithm sha-256
set security ike proposal phase1-ASKAREL encryption-algorithm aes-256-cbc
set security ike proposal phase1-ASKAREL lifetime-seconds 86400
set security ike policy phase1-pol-ASKAREL mode aggressive
set security ike policy phase1-pol-ASKAREL description " ==== PHASE 1 ASKAREL POLICY ==== "
set security ike policy phase1-pol-ASKAREL proposals phase1-ASKAREL
set security ike policy phase1-pol-ASKAREL pre-shared-key ascii-text "$9$<redacted>"
set security ike gateway gw-ASKAREL ike-policy phase1-pol-ASKAREL
set security ike gateway gw-ASKAREL dynamic inet 172.23.90.64
set security ike gateway gw-ASKAREL dead-peer-detection interval 30
set security ike gateway gw-ASKAREL dead-peer-detection threshold 5
set security ike gateway gw-ASKAREL local-identity inet 172.23.90.0
set security ike gateway gw-ASKAREL external-interface reth2.0
set security ike gateway gw-ASKAREL version v1-only
set security ipsec traceoptions flag all
set security ipsec traceoptions flag security-associations
set security ipsec traceoptions flag packet-drops
set security ipsec traceoptions flag packet-processing
deactivate security ipsec traceoptions
set security ipsec proposal phase2-ASKAREL description " ==== PHASE 2 ASKAREL PROPOSAL ==== "
set security ipsec proposal phase2-ASKAREL protocol esp
set security ipsec proposal phase2-ASKAREL authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-ASKAREL encryption-algorithm aes-256-cbc
set security ipsec proposal phase2-ASKAREL lifetime-seconds 3600
set security ipsec policy phase2-pol-ASKAREL description " ==== PHASE 2 ASKAREL POLICY ==== "
set security ipsec policy phase2-pol-ASKAREL perfect-forward-secrecy keys group2
set security ipsec policy phase2-pol-ASKAREL proposals phase2-ASKAREL
set security ipsec vpn to-ASKAREL bind-interface st0.2
set security ipsec vpn to-ASKAREL ike gateway gw-ASKAREL
set security ipsec vpn to-ASKAREL ike ipsec-policy phase2-pol-ASKAREL
set security ipsec vpn to-ASKAREL establish-tunnels immediately
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match source-address any
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match destination-address any
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match application junos-icmp-ping
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN then permit
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match source-address any
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match destination-address any
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match application junos-icmp-ping
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL then permit
set security zones security-zone TRUST description " ==== TRUST inside networks vlan 11 and vlan 12 ==== "
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST description " ==== UNTRUST towards Inet ==== "
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services traceroute
set security zones security-zone ASKAREL description " ==== ASKAREL IPSEC  ==== "
set security zones security-zone ASKAREL host-inbound-traffic system-services ping
set security zones security-zone ASKAREL host-inbound-traffic system-services traceroute
set security zones security-zone ASKAREL interfaces st0.2
set routing-instances LAN description " ==== LAN ROUTING INSTANCE ==== "
set routing-instances LAN instance-type virtual-router
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.1
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 low 172.23.12.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 high 172.23.12.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.1
set routing-instances LAN interface reth2.0
set routing-instances LAN interface st0.2
set routing-instances LAN interface vlan.11
set routing-instances LAN interface vlan.12
set routing-instances LAN routing-options static route 192.168.5.0/24 next-hop st0.2
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

Creating redundant interface towards oldnet: vlans 200 & 300

1: Assign ge-0/0/0 and ge-3/0/0 as child links of reth0 (in this cluster ge-3/0/x is the second node's slot numbering, matching the swfab0/swfab1 pairing of ge-0/0/2 and ge-3/0/2 above)

set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-3/0/0 gigether-options redundant-parent reth0

2: Create redundancy group 1, and assign priorities for node 0 and node 1

set chassis cluster redundancy-group 1 node 0 priority 254
set chassis cluster redundancy-group 1 node 1 priority 2

3: Define interface reth0 and assign to redundancy group 1

set interfaces reth0 description "          ==== reth0  to OLDNET ==== "
set interfaces reth0 redundant-ether-options redundancy-group 1

4: Enable VLAN tagging on reth0 (the per-VLAN logical units are created in the next step)

set interfaces reth0 vlan-tagging

5: Create a tagged logical unit with an IPv4 address for each remote VLAN on reth0 (reth0.200 and reth0.300 — these are tagged subinterfaces, not routed VLAN interfaces)

set interfaces reth0 unit 200 vlan-id 200
set interfaces reth0 unit 200 description " ==== VLAN unit 200 PROD reth0.200 INTERFACE ==== "
set interfaces reth0 unit 200 family inet address 192.168.12.3/24
set interfaces reth0 unit 300 vlan-id 300
set interfaces reth0 unit 300 description " ==== VLAN unit 300 TEST reth0.300 INTERFACE ==== "
set interfaces reth0 unit 300 family inet address 10.128.10.3/24

7: Associate interfaces to the main routing instance: LAN

set routing-instances LAN interface reth0.200
set routing-instances LAN interface reth0.300

8: Create the OLDNET security zone and assign the reth0 tagged logical interfaces to it. Note that the FINAL listing below keeps only `ping` as host-inbound traffic on reth0.200 and reth0.300; the `traceroute` entries from this step did not survive into it.

set security zones security-zone OLDNET description " ==== SECURITY ZONE: OLDNET ==== "
set security zones security-zone OLDNET interfaces reth0.200 host-inbound-traffic system-services ping
set security zones security-zone OLDNET interfaces reth0.200 host-inbound-traffic system-services traceroute
set security zones security-zone OLDNET interfaces reth0.300 host-inbound-traffic system-services ping
set security zones security-zone OLDNET interfaces reth0.300 host-inbound-traffic system-services traceroute

9: Create Security Policies: Allow ping from TRUST to OLDNET and vice versa

set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET match source-address any
set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET match destination-address any
set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET match application junos-icmp-ping
set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET then permit

set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST match source-address any
set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST match destination-address any
set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST match application junos-icmp-ping
set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST then permit

FINAL configuration on the SRX cluster (root password hash and IKE pre-shared key redacted). Still worth fixing before reusing this configuration: `telnet` and `xnm-clear-text` remain enabled alongside `ssh`, the ASKAREL tunnel still uses IKEv1 aggressive mode with a pre-shared key and DH group2, and `https` remains in the host-inbound list on the Internet-facing `reth2.0`.

set version 12.1X46-D65.4
set groups node0 system host-name srxC-1
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.26/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set groups node1 system host-name srxC-2
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.27/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.12.28/24 master-only
set apply-groups "${node}"
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$"
set system services ssh
set system services telnet
set system services xnm-clear-text
set chassis aggregated-devices ethernet device-count 1
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 254
set chassis cluster redundancy-group 0 node 1 priority 2
set chassis cluster redundancy-group 3 node 0 priority 254
set chassis cluster redundancy-group 3 node 1 priority 2
set chassis cluster redundancy-group 2 node 0 priority 254
set chassis cluster redundancy-group 2 node 1 priority 2
set chassis cluster redundancy-group 1 node 0 priority 254
set chassis cluster redundancy-group 1 node 1 priority 2
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/0 gigether-options redundant-parent reth0
set interfaces ge-3/0/1 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth0 description "          ==== reth0  to OLDNET ==== "
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 200 description " ==== VLAN unit 200 PROD reth0.200 INTERFACE ==== "
set interfaces reth0 unit 200 vlan-id 200
set interfaces reth0 unit 200 family inet address 192.168.12.3/24
set interfaces reth0 unit 300 description " ==== VLAN unit 300 TEST reth0.300 INTERFACE ==== "
set interfaces reth0 unit 300 vlan-id 300
set interfaces reth0 unit 300 family inet address 10.128.10.3/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 0 description " ==== reth1.0 TRUNK to SWITCH ==== "
set interfaces reth1 unit 0 family ethernet-switching port-mode trunk
set interfaces reth1 unit 0 family ethernet-switching vlan members all
set interfaces reth2 redundant-ether-options redundancy-group 3
set interfaces reth2 unit 0 description " ==== reth2.0 INTERNET INTERFACE ==== "
set interfaces reth2 unit 0 family inet sampling input
set interfaces reth2 unit 0 family inet sampling output
set interfaces reth2 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces reth2 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces reth2 unit 0 family inet dhcp-client update-server
set interfaces st0 unit 2 description " ==== ASKAREL IPSEC TUNNEL  INTERFACE ==== "
set interfaces st0 unit 2 family inet sampling input
set interfaces st0 unit 2 family inet sampling output
set interfaces swfab0 fabric-options member-interfaces ge-0/0/2
set interfaces swfab1 fabric-options member-interfaces ge-3/0/2
set interfaces vlan unit 11 description " ==== VLAN unit 11 INTERFACE ==== "
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description " ==== VLAN unit 12 INTERFACE ==== "
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set security ike proposal phase1-ASKAREL description " ==== PHASE 1 ASKAREL PROPOSAL ==== "
set security ike proposal phase1-ASKAREL authentication-method pre-shared-keys
set security ike proposal phase1-ASKAREL dh-group group2
set security ike proposal phase1-ASKAREL authentication-algorithm sha-256
set security ike proposal phase1-ASKAREL encryption-algorithm aes-256-cbc
set security ike proposal phase1-ASKAREL lifetime-seconds 86400
set security ike policy phase1-pol-ASKAREL mode aggressive
set security ike policy phase1-pol-ASKAREL description " ==== PHASE 1 ASKAREL POLICY ==== "
set security ike policy phase1-pol-ASKAREL proposals phase1-ASKAREL
set security ike policy phase1-pol-ASKAREL pre-shared-key ascii-text "$9$"
set security ike gateway gw-ASKAREL ike-policy phase1-pol-ASKAREL
set security ike gateway gw-ASKAREL dynamic inet 172.23.90.64
set security ike gateway gw-ASKAREL dead-peer-detection interval 30
set security ike gateway gw-ASKAREL dead-peer-detection threshold 5
set security ike gateway gw-ASKAREL local-identity inet 172.23.90.0
set security ike gateway gw-ASKAREL external-interface reth2.0
set security ike gateway gw-ASKAREL version v1-only
set security ipsec traceoptions flag all
set security ipsec traceoptions flag security-associations
set security ipsec traceoptions flag packet-drops
set security ipsec traceoptions flag packet-processing
deactivate security ipsec traceoptions
set security ipsec proposal phase2-ASKAREL description " ==== PHASE 2 ASKAREL PROPOSAL ==== "
set security ipsec proposal phase2-ASKAREL protocol esp
set security ipsec proposal phase2-ASKAREL authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-ASKAREL encryption-algorithm aes-256-cbc
set security ipsec proposal phase2-ASKAREL lifetime-seconds 3600
set security ipsec policy phase2-pol-ASKAREL description " ==== PHASE 2 ASKAREL POLICY ==== "
set security ipsec policy phase2-pol-ASKAREL perfect-forward-secrecy keys group2
set security ipsec policy phase2-pol-ASKAREL proposals phase2-ASKAREL
set security ipsec vpn to-ASKAREL bind-interface st0.2
set security ipsec vpn to-ASKAREL ike gateway gw-ASKAREL
set security ipsec vpn to-ASKAREL ike ipsec-policy phase2-pol-ASKAREL
set security ipsec vpn to-ASKAREL establish-tunnels immediately
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match source-address any
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match destination-address any
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN match application junos-icmp-ping
set security policies from-zone ASKAREL to-zone TRUST policy ICMP_ASKAREL_TRUST_IN then permit
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match source-address any
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match destination-address any
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL match application junos-icmp-ping
set security policies from-zone TRUST to-zone ASKAREL policy ICMP_TRUST_ASKAREL then permit
set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET match source-address any
set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET match destination-address any
set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET match application junos-icmp-ping
set security policies from-zone TRUST to-zone OLDNET policy ICMP_TRUST_TO_OLDNET then permit
set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST match source-address any
set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST match destination-address any
set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST match application junos-icmp-ping
set security policies from-zone OLDNET to-zone TRUST policy ICMP_OLDNET_TO_TRUST then permit
set security zones security-zone TRUST description " ==== TRUST inside networks vlan 11 and vlan 12 ==== "
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST description " ==== UNTRUST towards Inet ==== "
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces reth2.0 host-inbound-traffic system-services traceroute
set security zones security-zone ASKAREL description " ==== ASKAREL IPSEC  ==== "
set security zones security-zone ASKAREL host-inbound-traffic system-services ping
set security zones security-zone ASKAREL host-inbound-traffic system-services traceroute
set security zones security-zone ASKAREL interfaces st0.2
set security zones security-zone OLDNET description " ==== SECURITY ZONE: OLDNET ==== "
set security zones security-zone OLDNET interfaces reth0.200 host-inbound-traffic system-services ping
set security zones security-zone OLDNET interfaces reth0.300 host-inbound-traffic system-services ping
set routing-instances LAN description " ==== LAN ROUTING INSTANCE ==== "
set routing-instances LAN instance-type virtual-router
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set routing-instances LAN system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.1
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 low 172.23.12.100
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN12 high 172.23.12.200
set routing-instances LAN access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.1
set routing-instances LAN interface reth0.200
set routing-instances LAN interface reth0.300
set routing-instances LAN interface reth2.0
set routing-instances LAN interface st0.2
set routing-instances LAN interface vlan.11
set routing-instances LAN interface vlan.12
set routing-instances LAN routing-options static route 192.168.5.0/24 next-hop st0.2
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

{primary:node0}[edit]
root@srxC-1#

References


 

[draft 0.2] Junos Enterprise switching LAB 7: Implementing a Virtual Chassis


LAB 7 Implementing Virtual Chassis Systems.


this lab includes:

  • Forming a Virtual Chassis
  • Modify the configuration and verify operation in the new environment
  • restore a Virtual Chassis system to standalone switches.

 

 

Part 1: Forming a Virtual Chassis


step 1.1 go to edit mode and enter into [virtual-chassis]

{master:0}[edit]
root@STOCKELA-SW-EX01# edit virtual-chassis

step 1.2 run show virtual-chassis status command

{master:0}[edit virtual-chassis]
root@STOCKELA-SW-EX01# run show virtual-chassis status

Virtual Chassis ID: 5464.4583.c90b
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model     prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    CV0212151670 ex2200-24p-4g 128 Master*   NA

Member ID for next new member: 1 (FPC 1)

What are the current member ID, mastership priority, and role assigned to EX-1?

Which member ID will a newly joined member receive (it will become the backup)?

 

step 1.3 configure a mastership priority of 255. Next, activate the configuration change and return to operational mode.

{master:0}[edit virtual-chassis]
root@STOCKELA-SW-EX01# set member 0 mastership-priority 255

{master:0}[edit virtual-chassis]
root@STOCKELA-SW-EX01# show
member 0 {
    mastership-priority 255;
}

{master:0}[edit virtual-chassis]
root@STOCKELA-SW-EX01# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
root@STOCKELA-SW-EX01>

step 1.4 Run “show virtual-chassis status” again

{master:0}
root@STOCKELA-SW-EX01> show virtual-chassis status

Virtual Chassis ID: 5464.4583.c90b
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model     prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    CV0212151670 ex2200-24p-4g 255 Master*   NA

Member ID for next new member: 1 (FPC 1)

What is the current mastership priority assigned to EX-1 device?

 

step 1.5 Configure the two uplink ports as VCPs (“request virtual-chassis vc-port set pic-slot 0 port 0” and “… port 1”), then run the “show virtual-chassis vc-port” command

{master:0}
root@STOCKELA-SW-EX01> request virtual-chassis vc-port set pic-slot 0 port 0

{master:0}
root@STOCKELA-SW-EX01> request virtual-chassis vc-port set pic-slot 0 port 1

{master:0}
root@STOCKELA-SW-EX01> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
0/0         Configured         -1    Up           1000
0/1         Configured         -1    Up           1000

What is the current status of the dedicated VCP?

 

step 1.6 Enable the dedicated VCPs, then issue the “show virtual-chassis vc-port” command. (Lab-template step: the ex2200 units used here appear to have no dedicated VCPs — the ports show Type “Configured”, created by the `set pic-slot` commands in step 1.5 — so the `set interface vcp-N` commands below are not expected to apply to this hardware.)

request virtual-chassis vc-port set interface vcp-0
request virtual-chassis vc-port set interface vcp-1
show virtual-chassis vc-port

What is the current status of the dedicated VCPs?

 

step 1.7 go to EX-2 and run “show virtual-chassis vc-port” command

{master:0}
root@STOCKELB-SW-EX02> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------

{master:0}
root@STOCKELB-SW-EX02> request virtual-chassis vc-port set pic-slot 0 port 0

{master:0}
root@STOCKELB-SW-EX02> request virtual-chassis vc-port set pic-slot 0 port 1

{master:0}
root@STOCKELB-SW-EX02> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
0/0         Configured         -1    Up           1000         0   vcp-255/0/0
0/1         Configured         -1    Down         1000
error: Could not connect to fpc1 : Can't assign requested address

what is the status of the dedicated VCP?

 

step 1.8 Issue command “request virtual-chassis vc-port set interface vcp-0”

 
request virtual-chassis vc-port set interface vcp-0

step 1.9 Log in to the newly added member switch (the SSH session in step 1.10 below lands on member 1, which now shows the backup role).

step 1.10 Issue the “show virtual-chassis status” command. (The session below logs in as root with a password straight to the switch management address; outside a lab, use a named user with key-based authentication and keep root off SSH.)

qazwsxs-MBP-2:~ qazwsxedcrfv$ ssh root@192.168.12.21
root@192.168.12.21's password:
Permission denied, please try again.
root@192.168.12.21's password:
pam_unix: pam_sm_authenticate: UNIX authentication refused

--- JUNOS 12.3R12.4 built 2016-01-20 04:27:03 UTC
root@STOCKELA-SW-EX01:BK:1%
root@STOCKELA-SW-EX01:BK:1%
root@STOCKELA-SW-EX01:BK:1%
root@STOCKELA-SW-EX01:BK:1% cli
warning: This chassis is operating in a non-master role as part of a virtual-chassis (VC) system.
warning: Use of interactive commands should be limited to debugging and VC Port operations.
warning: Full CLI access is provided by the Virtual Chassis Master (VC-M) chassis.
warning: The VC-M can be identified through the show virtual-chassis status command executed at this console.
warning: Please logout and log into the VC-M to use CLI.
{backup:1}
root@STOCKELA-SW-EX01> show virtual-chassis status

Virtual Chassis ID: 5464.4583.c90b
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model     prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    CV0212151670 ex2200-24p-4g 255 Master    NA  1  vcp-255/0/0
                                                                 1  vcp-255/0/1
1 (FPC 1)  Prsnt    CV0212141318 ex2200-24p-4g 128 Backup*   NA  0  vcp-255/0/0
                                                                 0  vcp-255/0/1

what is the member ID, mastership priority, and role assigned to the newly added member switch?

 

step 1.11 issue command  “show virtual-chassis vc-port”

show virtual-chassis vc-port

What is the status of the dedicated VCPs?

 

step 1.12 request virtual-chassis vc-port set interface member 1 vcp-1

show virtual-chassis vc-port

What is the status of the vcp-1 port?

 

PART 2: Modifying Configuration and Verifying Operation for New Environment.


 

 

Step 2.1 Return to the session on SRX-1, enter configuration mode, and go to [edit interfaces]

on SRX

root@STOCKELA-FW-SRXC-1> configure
Entering configuration mode

[edit]
root@STOCKELA-FW-SRXC-1# edit interfaces

[edit interfaces]
root@STOCKELA-FW-SRXC-1#

step 2.2 Convert fe-0/0/6 trunk port into a member for ae0 aggregated Ethernet interface.

on SRX

 
[edit interfaces]
root@STOCKELA-FW-SRXC-1# show fe-0/0/6
unit 0 {
    description "fe-0/0/6 TRUNK TO PARTNER SWITCH";
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

[edit interfaces]
root@STOCKELA-FW-SRXC-1# delete fe-0/0/6

[edit interfaces]
root@STOCKELA-FW-SRXC-1# copy fe-0/0/5 to fe-0/0/6

[edit interfaces]
root@STOCKELA-FW-SRXC-1# show fe-0/0/6
fastether-options {
    802.3ad ae0;
}

Step 2.3 Activate the configuration changes and return to operational mode. Issue “show interfaces ae0.0 extensive” to verify that fe-0/0/6 is now participating as a link member of ae0. In the output below the Partner fields for fe-0/0/6.0 are still all zeros and its LACP Rx count is 0, i.e. the switch side has not yet negotiated on that link — re-check after the partner port is configured.

on SRX

[edit interfaces]
root@STOCKELA-FW-SRXC-1# commit and-quit
commit complete
Exiting configuration mode

root@STOCKELA-FW-SRXC-1> show interfaces ae0.0 extensive
  Logical interface ae0.0 (Index 69) (SNMP ifIndex 563) (Generation 134)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :       1384360          3     173819883         3072
        Output:       2072090          5     208931534         4608
    Link:
      fe-0/0/4.0
        Input :        680402          1      86037371         1024
        Output:       1367591          3     128520520         2560
      fe-0/0/5.0
        Input :        696907          2      87193772         2048
        Output:        551534          1      70600196         1024
      fe-0/0/6.0
        Input :          7051          0        588740            0
        Output:        152965          1       9810818         1024
    LACP info:        Role     System             System      Port    Port  Port
                             priority          identifier  priority  number   key
      fe-0/0/4.0     Actor        127  3c:61:04:d8:2e:40       127       1     1
      fe-0/0/4.0   Partner        127  a8:d0:e5:b8:86:c0       127       2     1
      fe-0/0/5.0     Actor        127  3c:61:04:d8:2e:40       127       2     1
      fe-0/0/5.0   Partner        127  a8:d0:e5:b8:86:c0       127       1     1
      fe-0/0/6.0     Actor        127  3c:61:04:d8:2e:40       127       3     1
      fe-0/0/6.0   Partner          0  00:00:00:00:00:00         0       0     0
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      fe-0/0/4.0            550648      551231            0            0
      fe-0/0/5.0            550650      551231            0            0
      fe-0/0/6.0                 0          12            0            0
    Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
      fe-0/0/4.0                 0           0            0            0
      fe-0/0/5.0                 0           0            0            0
      fe-0/0/6.0                 0           0            0            0
    Security: Zone: Null
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol eth-switch, MTU: 0, Generation: 147, Route table: 0
      Flags: Is-Primary, Trunk-Mode

root@STOCKELA-FW-SRXC-1>

step 2.4 Repeat on SRX-2 the change just made on SRX-1: remove the fe-0/0/6 trunk configuration and make fe-0/0/6 a member link of ae0.

on SRX

root@STOCKELB-FW-SRXC-2> configure
Entering configuration mode

[edit]
root@STOCKELB-FW-SRXC-2# edit interfaces

[edit interfaces]
root@STOCKELB-FW-SRXC-2# show fe-0/0/6
unit 0 {
    description "fe-0/0/6 TRUNK TO PARTNER SWITCH";
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

[edit interfaces]
root@STOCKELB-FW-SRXC-2# delete fe-0/0/6

[edit interfaces]
root@STOCKELB-FW-SRXC-2# copy fe-0/0/5 to fe-0/0/6

[edit interfaces]
root@STOCKELB-FW-SRXC-2# show fe-0/0/6
fastether-options {
    802.3ad ae0;
}

[edit interfaces]
root@STOCKELB-FW-SRXC-2# commit and-quit
commit complete
Exiting configuration mode

root@STOCKELB-FW-SRXC-2> show interfaces ae0.0 extensive
  Logical interface ae0.0 (Index 69) (SNMP ifIndex 559) (Generation 134)
    Flags: Hardware-Down Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :          9411          0       1218636            0
        Output:         44831          3       4913933         3072
    Link:
      fe-0/0/4.0
        Input :          4651          0        595072            0
        Output:         20672          1       2354649         1024
      fe-0/0/5.0
        Input :          4668          0        596256            0
        Output:         15861          1       2025554         1024
      fe-0/0/6.0
        Input :            92          0         27308            0
        Output:          8298          1        533730         1024
    LACP info:        Role     System             System      Port    Port  Port
                             priority          identifier  priority  number   key
      fe-0/0/4.0     Actor        127  3c:8a:b0:2e:d8:c0       127       1     1
      fe-0/0/4.0   Partner          1  00:00:00:00:00:00         1       1     1
      fe-0/0/5.0     Actor        127  3c:8a:b0:2e:d8:c0       127       2     1
      fe-0/0/5.0   Partner          1  00:00:00:00:00:00         1       2     1
      fe-0/0/6.0     Actor        127  3c:8a:b0:2e:d8:c0       127       3     1
      fe-0/0/6.0   Partner          0  00:00:00:00:00:00         0       0     0
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      fe-0/0/4.0              4645       15776            0            0
      fe-0/0/5.0              4645       15777            0            0
      fe-0/0/6.0                 0          26            0            0
    Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
      fe-0/0/4.0                 0           0            0            0
      fe-0/0/5.0                 0           0            0            0
      fe-0/0/6.0                 0           0            0            0
    Security: Zone: Null
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol eth-switch, MTU: 0, Generation: 147, Route table: 0
      Flags: Is-Primary, Trunk-Mode

root@STOCKELB-FW-SRXC-2>

step 2.5 Return to EX-1. And go to [edit chassis]

{master:0}
root@STOCKELA-SW-EX01> configure
Entering configuration mode

{master:0}[edit]
root@STOCKELA-SW-EX01# edit chassis

{master:0}[edit chassis]
root@STOCKELA-SW-EX01#

step 2.6 Create ae1 Ethernet device by increasing aggregated-device count to 2

{master:0}[edit chassis]
root@STOCKELA-SW-EX01# show
aggregated-devices {
    ethernet {
        device-count 1;
    }
}

{master:0}[edit chassis]
root@STOCKELA-SW-EX01# set aggregated-devices ethernet device-count 2

{master:0}[edit chassis]
root@STOCKELA-SW-EX01# commit

Step 2.7 “run show interfaces terse ae1” command

root@STOCKELA-SW-EX01# run show interfaces terse ae1
Interface               Admin Link Proto    Local                 Remote
ae1                     up    down

{master:0}[edit chassis]
root@STOCKELA-SW-EX01#

step 2.8 go to [edit interfaces], configure ae1 interface for L2 operations as a trunk. Enable LACP active mode for ae1 interface.

{master:0}[edit chassis]
root@STOCKELA-SW-EX01# top edit interfaces

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ae1 unit 0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ae1 unit 0 family ethernet-switching vlan members all

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ae1 aggregated-ether-options lacp active

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01#

step 2.9 Configure the ge-1/0/8, ge-1/0/9 and ge-0/0/10 interfaces as member links of ae1. ge-0/0/10 is deleted first because it still carries the trunk configuration from the initial config, which cannot coexist with 802.3ad membership.

set ge-1/0/8 ether-options 802.3ad ae1
set ge-1/0/9 ether-options 802.3ad ae1
delete ge-0/0/10
set ge-0/0/10 ether-options 802.3ad ae1

step 2.10 Issue “top deactivate ethernet-switching-options redundant-trunk-group” to deactivate the defined redundant trunk group. Group rtg-1 (see the initial config below) references ge-0/0/10.0, which no longer exists as a logical interface once ge-0/0/10 becomes an ae1 member link, so the RTG has to be deactivated in the same commit.

top deactivate ethernet-switching-options redundant-trunk-group

step 2.11 Activate the configuration changes and issue “run show interfaces terse | match ae1” to determine the ae1 status and its participating member links.

commit
run show interfaces terse | match ae1

step 2.12 Configure ge-1/0/10 as member for ae0 aggregated bundle.

copy ge-0/0/9 to ge-1/0/10
show ge-1/0/10

step 2.13 Activate the configuration change and issue “run show interfaces terse | match ae0” to determine the state of the ae0 interface and its participating member links.

commit

run show interfaces terse | match ae0

step 2.14 Configure the ge-1/0/6 and ge-1/0/7 interfaces as L2 access port for their respective VLANS. Refer to network diagram.

set ge-1/0/6 unit 0 family ethernet-switching port-mode access
set ge-1/0/6 unit 0 family ethernet-switching vlan members v21
set ge-1/0/7 unit 0 family ethernet-switching port-mode access
set ge-1/0/7 unit 0 family ethernet-switching vlan members v22

show ge-1/0/6
show ge-1/0/7

Step 2.15 Configure the Layer3 VLAN interfaces vlan.21 and vlan.22.

set vlan unit 21 family inet address 172.23.21.1/24
set vlan unit 22 family inet address 172.23.22.1/24
show vlan

step 2.16

rename me0 to vme
show vme
commit

step 2.17

run show interfaces terse

step 2.18

top edit vlans
set v21 l3-interface vlan.21
set v22 l3-interface vlan.22
commit
run show interfaces terse vlan

step 2.19

top edit protocols
show
activate rstp
show
commit and-quit

PART 3: Restoring the standalone Switches


 

step 3.1 
request virtual-chassis vc-port set interface vcp-0 disable
show virtual-chassis vc-port

request virtual-chassis vc-port set interface vcp-0 disable member 1
show virtual-chassis vc-port

step 3.2

request virtual-chassis vc-port set interface vcp-1 disable member 1

step 3.3 configure

load override /var/tmp/reset.config
(load override replaces the entire candidate configuration. If you are connected over the network, check that reset.config still contains the management address and the ssh service before committing, otherwise the commit cuts your session.)


commit and-quit

step 3.4

show virtual-chassis status

step 3.5

request virtual-chassis recycle member-id 0
request virtual-chassis member member-id 1 new member-id 0

yes

step 3.6

show virtual-chassis status

step 3.7

show virtual-chassis status

step 3.8

request virtual-chassis reactivate
yes


show virtual-chassis status

step 3.9

show virtual-chassis vc-port

step 3.10

request virtual-chassis vc-port set interface vcp-1 disable
show virtual-chassis vc-port

step 3.11

configure
load override /var/tmp/reset.config
commit and-quit

step 3.12

configure
load override /var/tmp/reset.config
commit and-quit
configure

load override /var/tmp/reset.config

commit and-quit

Alternative method: delete the virtual-chassis configuration, remove the VC database files from the shell, and reboot

{master:0}[edit]
root@STOCKELA-SW-EX01# delete virtual-chassis

{master:0}[edit]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
fpc1:
commit complete
commit complete

{master:0}[edit]
root@STOCKELA-SW-EX01#

{master:0}[edit]
root@STOCKELA-SW-EX01# exit
Exiting configuration mode

{master:0}
root@STOCKELA-SW-EX01> exit

root@STOCKELA-SW-EX01:RE:0% cd /config/vchassis/
root@STOCKELA-SW-EX01:RE:0% ls
vc.db                   vc.tlv.db               vc.tlv.db.1             vclocal.conf.tlv        vclocal.conf.tlv.1
vc.param                vc.tlv.db.0             vclocal.conf            vclocal.conf.tlv.0
root@STOCKELA-SW-EX01:RE:0% rm *.*
root@STOCKELA-SW-EX01:RE:0% cli

{master:0}
root@STOCKELA-SW-EX01> request system reboot
Reboot the system ? [yes,no] (no) yes


Rebooting fpc1
Shutdown at Sat Sep  9 23:07:17 2017.
[pid 2334]

{master:0}
root@STOCKELA-SW-EX01>
*** System shutdown message from root@STOCKELA-SW-EX01 ***

System going down in 1 minute

Temporarily change the hostname and management IP address of EX01. Both switches presumably come out of the split with the same reset.config (me0 on 192.168.12.21), so one of them has to move to another address before both are reachable at the same time.
{master:0}[edit]
root@STOCKELA-SW-EX01# set system host-name STOCKELA-SW-EX01-TMP

{master:0}[edit]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

{master:0}[edit]
root@STOCKELA-SW-EX01-TMP# delete interfaces me0 unit 0 family inet address 192.168.12.21/24

{master:0}[edit]
root@STOCKELA-SW-EX01-TMP# set interfaces me0 unit 0 family inet address 192.168.12.29/24

{master:0}[edit]
root@STOCKELA-SW-EX01-TMP# commit
configuration check succeeds
commit complete

Initial config

switch 1

set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "<redacted>"
## NOTE (review): the original line published a $1$ (MD5-crypt) root hash. A hash in a public document is an offline-cracking target, so it is redacted here: rotate the password, set it with plain-text-password, and choose the strongest `system login password format` the release offers.
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 ether-options speed 100m
set interfaces ge-0/0/8 ether-options 802.3ad ae0
set interfaces ge-0/0/9 ether-options speed 100m
set interfaces ge-0/0/9 ether-options 802.3ad ae0
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members all
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces vlan unit 11 description "VLAN 11"
set interfaces vlan unit 11 family inet address 172.23.11.1/24
set interfaces vlan unit 12 description "VLAN 12"
set interfaces vlan unit 12 family inet address 172.23.12.1/24
set snmp description STOCKELA-SW-EX01
set snmp community public authorization read-only
## NOTE (review): "public" is the default community and no `clients` list restricts it, so any host that can reach the switch can read the whole MIB (interfaces, ARP and MAC tables). Use a non-default community with `set snmp community <name> clients <prefix>`, or SNMPv3.
set protocols igmp-snooping vlan all
deactivate protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port interface ge-0/0/6.0 allowed-mac 00:25:31:04:9b:f4
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 mac-limit action shutdown
set ethernet-switching-options secure-access-port interface ge-0/0/8.0 dhcp-trusted
deactivate ethernet-switching-options secure-access-port interface ge-0/0/8.0
set ethernet-switching-options mac-table-aging-time 1000
set ethernet-switching-options redundant-trunk-group group rtg-1 interface ge-0/0/10.0
set ethernet-switching-options redundant-trunk-group group rtg-1 interface ae0.0 primary
set vlans default
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

[DRAFT 0.1] JUNOS ENTERPRISE SWITCHING Lab 4: Implementing Port Security


Lab 4 implementing Port Security


Part 1


step 1.1

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# show
interface ge-0/0/9.0 {
    edge;
}
bpdu-block-on-edge;

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# delete
Delete everything under this level? [yes,no] (no) yes

step 1.2

root@STOCKELA-SW-EX01# top edit interfaces

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# delete ge-0/0/1

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# delete ge-0/0/9

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# delete ge-0/0/10

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# show
ge-0/0/4 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members v11;
            }
        }
    }
}
ge-0/0/6 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members v11;
            }
        }
    }
}
ge-0/0/7 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members v12;
            }
        }
    }
}
ge-0/0/8 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
        }
    }
}
me0 {
    unit 0 {
        family inet {
            address 192.168.12.21/24;
        }
    }
}
vlan {
    unit 11 {
        description "VLAN 11";
        family inet {
            address 172.23.11.1/24;
        }
    }
    unit 12 {
        description "VLAN 12";
        family inet {
            address 172.23.12.1/24;
        }
    }
}

step 1.3

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# top edit ethernet-switching-options

{master:0}[edit ethernet-switching-options]
root@STOCKELA-SW-EX01# set mac-table-aging-time 1000

{master:0}[edit ethernet-switching-options]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

{master:0}[edit ethernet-switching-options]
root@STOCKELA-SW-EX01#

step 1.4

[edit]
root@STOCKELA-FW-SRXC-1# edit interfaces

step 1.5

[edit interfaces]
root@STOCKELA-FW-SRXC-1# deactivate fe-0/0/1

[edit interfaces]
root@STOCKELA-FW-SRXC-1# deactivate fe-0/0/2

[edit interfaces]
root@STOCKELA-FW-SRXC-1# deactivate fe-0/0/6

[edit interfaces]
root@STOCKELA-FW-SRXC-1# commit and-quit

step 1.6

root@STOCKELA-FW-SRXC-1> show dhcp server binding

IP address        Session Id  Hardware address   Expires     State      Interface
172.23.12.100     8           00:1a:70:9d:d5:f6  66626       BOUND      vlan.12
172.23.11.102     4           00:25:31:04:9b:f4  101877      BOUND      vlan.11
172.23.11.103     5           00:26:b9:e9:34:95  266065      BOUND      vlan.11
172.23.11.101     3           38:c9:86:51:fb:ec  101522      BOUND      vlan.11

root@STOCKELA-FW-SRXC-1> ping 172.23.12.100
PING 172.23.12.100 (172.23.12.100): 56 data bytes
64 bytes from 172.23.12.100: icmp_seq=0 ttl=64 time=4.574 ms
64 bytes from 172.23.12.100: icmp_seq=1 ttl=64 time=2.644 ms
^C
--- 172.23.12.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.644/3.609/4.574/0.965 ms

root@STOCKELA-FW-SRXC-1> ping 172.23.11.102
PING 172.23.11.102 (172.23.11.102): 56 data bytes
64 bytes from 172.23.11.102: icmp_seq=0 ttl=64 time=7.085 ms
64 bytes from 172.23.11.102: icmp_seq=1 ttl=64 time=2.370 ms
^C
--- 172.23.11.102 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.370/4.728/7.085/2.357 ms

Part 2: Configuring and monitoring MAC limiting


 

step 2.1

root@STOCKELA-SW-EX01# run show ethernet-switching table
Ethernet-switching table: 10 entries, 4 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  v11               *                 Flood          - All-members
  v11               00:25:31:04:9b:f4 Learn          0 ge-0/0/6.0
  v11               3c:61:04:d8:2e:08 Learn          0 ge-0/0/8.0
  v11               a8:d0:e5:b8:86:c1 Static         - Router
  v12               *                 Flood          - All-members
  v12               00:1a:70:9d:d5:f6 Learn       2:28 ge-0/0/7.0
  v12               3c:61:04:d8:2e:08 Learn       2:15 ge-0/0/8.0
  v12               a8:d0:e5:b8:86:c1 Static         - Router
  v21               *                 Flood          - All-members
  v22               *                 Flood          - All-members

root@STOCKELB-SW-EX02> show ethernet-switching table
Ethernet-switching table: 10 entries, 4 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  v21               *                 Flood          - All-members
  v21               00:14:bf:70:24:5c Learn          0 ge-0/0/6.0
  v21               3c:8a:b0:2e:d8:88 Learn          0 ge-0/0/8.0
  v21               a8:d0:e5:b5:3f:c1 Static         - Router
  v22               *                 Flood          - All-members
  v22               00:1d:7e:b4:3d:90 Learn          0 ge-0/0/7.0
  v22               3c:8a:b0:2e:d8:88 Learn          0 ge-0/0/8.0
  v22               a8:d0:e5:b5:3f:c1 Static         - Router
  v11               *                 Flood          - All-members
  v12               *                 Flood          - All-members


step 2.2

{master:0}[edit ethernet-switching-options]
root@STOCKELA-SW-EX01# edit secure-access-port

{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELA-SW-EX01# set interface ge-0/0/6.0 allowed-mac 00:25:31:04:9b:f4

step 2.3

{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELA-SW-EX01# set interface ge-0/0/7.0 mac-limit 1 action ?
Possible completions:
  drop                 Drop the packet and log it
  log                  Log a message
  none                 Take no action
  shutdown             Shut down the interface
{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELA-SW-EX01# set interface ge-0/0/7.0 mac-limit 1 action shutdown

{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELA-SW-EX01# show
interface ge-0/0/6.0 {
    allowed-mac 00:25:31:04:9b:f4;
}
interface ge-0/0/7.0 {
    mac-limit 1 action shutdown;
}

{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELA-SW-EX01# commit and-quit
configuration check succeeds

Step 2.4

ping 172.23.11.100 rapid count 10

ping 172.23.12.100 rapid count 10

step 2.5 configure 
edit interfaces

step 2.6

show ge-0/0/6
show ge-0/0/7

set ge-0/0/6 mac 00:26:88:02:11:68
set ge-0/0/7 mac 00:26:88:02:11:78

show ge-0/0/6
show ge-0/0/7
commit

Step 2.7

run ping 172.23.11.100 rapid count 10
run ping 172.23.21.100 rapid count 10

Step 2.8 show ethernet-switching interfaces

run show ethernet-switching interfaces

step 2.9

clear ethernet-switching port-error interface ge-0/0/7.0

step 2.10

show ethernet-switching interfaces

step 2.11

top
show | compare rollback 1
rollback 1
commit and-quit

Step 2.12

ping 172.23.11.100 rapid count 10
ping 172.23.12.100 rapid count 10

Part 3 configuring and monitoring dhcp snooping and IP source Guard


 

Step 3.1 configure

edit ethernet-switching-options secure-access-port

Step 3.2

set interface ge-0/0/6.0 no-dhcp-trusted
set interface ge-0/0/7.0 no-dhcp-trusted
set interface ge-0/0/8.0 no-dhcp-trusted
## NOTE (review): trunk ports are DHCP-trusted by default; ge-0/0/8.0 is the trunk uplink, presumably toward the SRX that runs the dhcp-local-server for vlan.11/vlan.12 (see the firewall initial config below). Once examine-dhcp is enabled on v11/v12 (step 3.3), DHCPOFFER/ACK arriving on an untrusted port are discarded, so the hosts on ge-0/0/6 and ge-0/0/7 only keep their addresses through the static bindings of step 3.4. Set ge-0/0/8.0 back to dhcp-trusted to restore normal DHCP operation.

Step 3.3

set vlan v11 examine-dhcp
set vlan v12 examine-dhcp

Step 3.4

set interface ge-0/0/6.0 static-ip 172.23.11.100 mac 00:26:88:02:11:86
set interface ge-0/0/6.0 static-ip 172.23.11.100 vlan v11

set interface ge-0/0/7.0 static-ip 172.23.12.100 mac 00:23:88:02:11:87
set interface ge-0/0/7.0 static-ip 172.23.12.100 vlan v12
## NOTE (review): the original notes had `static ip` without the hyphen and a second `ge-0/0/6.0 … vlan v12` line; ge-0/0/6 is an access port in v11 and ge-0/0/7 in v12, so the v12 binding belongs to ge-0/0/7.0. A static binding is matched on IP, MAC, VLAN and interface together: confirm the MAC values against what each host is actually sending at this point (`show ethernet-switching table`) – they differ from the addresses seen in step 2.1 and from those set in step 2.6 – otherwise IP source guard (step 3.9) drops that host's traffic.

show interface ge-0/0/6.0
show interface ge-0/0/7.0

step 3.5

commit
run show dhcp snooping binding

step 3.6

deactivate interface ge-0/0/6.0 allowed-mac
deactivate interface ge-0/0/7.0 mac-limit
commit

Step 3.7

configure
show | compare rollback 1
rollback 1
commit

step 3.8

run ping 172.23.11.100 rapid count 10
run ping 172.23.12.100 rapid count 10

step 3.9

set vlan v11 ip-source-guard
set vlan v12 ip-source-guard
show
commit and-quit

Step 3.10

show ip-source-guard

Step 3.11

run ping 172.23.11.100 rapid count 10
run ping 172.23.12.100 rapid count 10

Step 3.12

show | compare rollback 1
rollback 1
commit and-quit

Step 3.13

ping 172.23.11.100 rapid count 10
ping 172.23.12.100 rapid count 10

Switch initial config

set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "<redacted>"
## NOTE (review): the original line published a $1$ (MD5-crypt) root hash. A hash in a public document is an offline-cracking target, so it is redacted here: rotate the password, set it with plain-text-password, and choose the strongest `system login password format` the release offers.
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members all
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces vlan unit 11 description "VLAN 11"
set interfaces vlan unit 11 family inet address 172.23.11.1/24
set interfaces vlan unit 12 description "VLAN 12"
set interfaces vlan unit 12 family inet address 172.23.12.1/24
set snmp description STOCKELA-SW-EX01
set snmp community public authorization read-only
## NOTE (review): "public" is the default community and no `clients` list restricts it, so any host that can reach the switch can read the whole MIB (interfaces, ARP and MAC tables). Use a non-default community with `set snmp community <name> clients <prefix>`, or SNMPv3.
set protocols igmp-snooping vlan all
set protocols rstp interface ge-0/0/9.0 edge
set protocols rstp bpdu-block-on-edge
set protocols lldp interface all
set protocols lldp-med interface all
set vlans default
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

firewall initial config

set version 12.1X46-D10.2
set system host-name STOCKELA-FW-SRXC-1
set system root-authentication encrypted-password "<redacted>"
## NOTE (review): the original line published a $1$ (MD5-crypt) root hash. A hash in a public document is an offline-cracking target, so it is redacted here: rotate the password, set it with plain-text-password, and choose the strongest `system login password format` the release offers.
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
## NOTE (review): every transcript on this page works as root; prefer named users with login classes and `set system services ssh root-login deny` once the lab is finished.
set system services xnm-clear-text
## NOTE (review): xnm-clear-text is JUNOScript/XML-RPC over plain TCP without TLS, so login credentials and every RPC cross the wire unencrypted. As configured no zone permits it (TRUST allows only dhcp and ping, MGMT only ping and ssh), so it is dead configuration that becomes an exposure the moment someone adds `system-services all`. Delete it, or use xnm-ssl / NETCONF over SSH instead.
set system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
## NOTE (review): at severity `error` the interactive-commands file records almost none of the operator's commands; use `interactive-commands any` for a CLI audit trail, and forward logs off-box (the switch sends to syslog host 10.128.100.102; this SRX configuration has no `syslog host` at all).
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.20/24
set interfaces fe-0/0/1 unit 0 description "fe-0/0/1 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/2 unit 0 description "fe-0/0/2 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/4 unit 0 description "fe-0/0/4 TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/4
set interfaces fe-0/0/5 unit 0 description "TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/6 unit 0 description "fe-0/0/6 TRUNK TO PARTNER SWITCH"
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces vlan unit 0 family inet
set interfaces vlan unit 11 description "VLAN UNIT 11"
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description "VLAN UNIT 12"
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set protocols rstp bridge-priority 4k
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.10
set access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 low 172.23.12.100
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 high 172.23.12.200
set access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.10
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

[SRX] Checking and fixing bad blocks.


nand-mediack checks the NAND flash media for errors; with -C it only checks and does not repair.
In the example below a read error is detected on one block.

{primary:node0}
root@FW-SRX-IPSEC> start shell
root@FW-SRX-IPSEC% nand-mediack -C
Media check on da0
    Zone 14 Block 0955 Addr 3bbb00 : Bad read

To attempt a repair, run the same command without -C: the tool recovers the bad block in place, and a further check comes back clean. Take a configuration backup first, and treat a device that keeps producing bad blocks as a candidate for media replacement.

root@FW-SRX-IPSEC% nand-mediack
Media check on da0
    Zone 14 Block 0955 Addr 3bbb00 : Bad read
    Recovering Block
root@FW-SRX-IPSEC% nand-mediack
Media check on da0

Run `fsck -f` on the mounted partitions and `fsck -f -y` on the non-mounted ones.
The flash media holds four partitions: slice 1 (s1a), slice 2 (s2a) and slice 3 (s3e, s3f).
On a mounted partition fsck runs in NO WRITE mode (it reports problems but cannot repair them); on a non-mounted partition it applies its repairs. Use `df` to see which partitions are currently mounted.

Display partition information.

root@FW-SRX-IPSEC% df
Filesystem   512-blocks    Used  Avail Capacity  Mounted on
/dev/da0s1a     1248744  365464 783384    32%    /
devfs                 2       2      0   100%    /dev
/dev/md0          40024   12616  24208    34%    /junos
/cf/packages    1248744  365464 783384    32%    /junos/cf/packages
devfs                 2       2      0   100%    /junos/cf/dev
/dev/md1        1071448 1071448      0   100%    /junos
/cf               40024   12616  24208    34%    /junos/cf
devfs                 2       2      0   100%    /junos/dev/
/cf/packages    1248744  365464 783384    32%    /junos/cf/packages1
procfs                8       8      0   100%    /proc
/dev/bo0s3e       94304     100  86660     0%    /config
/dev/bo0s3f     1264808  498480 665144    43%    /cf/var
/dev/md2         687744   41992 590736     7%    /mfs
/cf/var/jail    1264808  498480 665144    43%    /jail/var
/cf/var/log     1264808  498480 665144    43%    /jail/var/log
devfs                 2       2      0   100%    /jail/dev
/dev/md3         128728       8 118424     0%    /mfs/var/run/utm
/dev/md4           3768       8   3460     0%    /jail/mfs

Run fsck on the mounted partitions (NO-WRITE check).

Three mounted partitions are checked; in this example the third one (/cf/var on bo0s3f) reports inconsistencies — a wrong directory link count and several unreferenced files — which fsck cannot repair while the filesystem is mounted (note the `ADJUST? no` / `CLEAR? no` answers below).

To repair a mounted partition the device must be booted into single-user mode so the filesystem can be checked while it is unmounted.

root@FW-SRX-IPSEC% fsck -f /dev/da0s1a
** /dev/da0s1a (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
161 files, 91366 used, 220820 free (44 frags, 27597 blocks, 0.0% fragmentation)


root@FW-SRX-IPSEC% fsck -f /dev/bo0s3e
** /dev/bo0s3e (NO WRITE)
** Last Mounted on /config
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
13 files, 25 used, 23551 free (15 frags, 2942 blocks, 0.1% fragmentation)


root@FW-SRX-IPSEC% fsck -f /dev/bo0s3f
** /dev/bo0s3f (NO WRITE)
** Last Mounted on /cf/var
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
LINK COUNT DIR I=47  OWNER=root MODE=40755
SIZE=512 MTIME=Aug 25 16:00 2017  COUNT 6 SHOULD BE 4
ADJUST? no

UNREF FILE I=164  OWNER=root MODE=100644
SIZE=0 MTIME=Aug 25 16:03 2017
CLEAR? no

UNREF FILE I=240  OWNER=root MODE=100644
SIZE=130996 MTIME=Aug 27 15:42 2017
CLEAR? no

UNREF FILE I=255  OWNER=root MODE=100644
SIZE=130724 MTIME=Aug 27 15:56 2017
CLEAR? no

** Phase 5 - Check Cyl groups
669 files, 124567 used, 191635 free (379 frags, 23907 blocks, 0.1% fragmentation)

To repair these inconsistencies, boot into single-user mode and re-run fsck there.

Run fsck on the non-mounted partitions (WRITE mode; `-y` auto-repairs):


 

root@FW-SRX-IPSEC% fsck -f -y /dev/da0s2a
** /dev/da0s2a
** Last Mounted on /mfs/tmp/snap-tmp.1533/mnt.1533
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
170 files, 75659 used, 240479 free (23 frags, 30057 blocks, 0.0% fragmentation)
root@FW-SRX-IPSEC%

References


[EX/SRX] Recovering from file system corruption during a system reboot, NAND media utility checks for bad blocks in the NAND flash memory

[SRX] Clear a pending commit


When entering configuration mode, a message appears indicating that the configuration has been changed but not committed. In the default (shared) configuration mode the candidate configuration is shared by all users, so these pending changes may have been left by another user or by a previous session; check who else is in configuration mode (e.g. `show system users`) before discarding them.

{master:0}
root@STOCKELA-SW-EX01> configure
Entering configuration mode
The configuration has been changed but not committed

Compare the candidate configuration with the committed (active) configuration to see exactly what is pending:

{master:0}[edit]
root@STOCKELA-SW-EX01# show | compare
[edit]
+  chassis {
+      aggregated-devices {
+          ethernet {
+              device-count 1;
+          }
+      }
+  }
[edit interfaces ae0]
+    aggregated-ether-options {
+        lacp {
+            active;
+        }
+    }

 

Discard the pending changes with `rollback 0`, which reloads the active configuration into the candidate. This discards every uncommitted change in the shared candidate, including changes made by other users. The `commit` that follows is not strictly required — after `rollback 0` the candidate already matches the active configuration — but it is harmless and confirms that the candidate is clean.

{master:0}[edit]
root@STOCKELA-SW-EX01# rollback 0
load complete

{master:0}[edit]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

 

References

 

show uncommitted changes

[DRAFT 0.2] Junos Enterprise Switching Lab 1: Implementing Layer 2 Switching

  1. Lab 1:Implementing Layer 2 Switching

    1. Part 1: Pre setup

    2. Part 2: Configuring Layer 2 Interfaces

    3. Part 3: Monitoring Layer 2 Switching Operations.

 

Lab 1:Implementing Layer 2 Switching.


Basic configuration and monitoring tasks when implementing Layer 2 switching on EX Series Ethernet switches.

Tasks:

  • Configure and verify proper operation of Layer 2 network interfaces.
  • Configure and monitor some Ethernet Switching elements.

 

 

Part 1: Pre setup


Step 0: clear any previous lab configuration. The wildcard delete below removes every ge-0/0/* interface stanza (28 objects), so check that only lab interfaces match and that the management interface (me0) is untouched before answering yes.

delete interface-range ge-0/0/*
  matched: ge-0/0/0
  matched: ge-0/0/1
  matched: ge-0/0/2
  matched: ge-0/0/3
  matched: ge-0/0/4
  matched: ge-0/0/5
  matched: ge-0/0/6
  matched: ge-0/0/7
  ... 
Delete 28 objects? [yes,no] (no) yes  


{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# 

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# delete vlan 

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# top
root@SWITCH-STOCKEL-00# delete vlans default l3-interface   

Part 2: Configuring Layer 2 Interfaces


  • Enter configuration mode.
  • Enable some designated interfaces for L2 operations.
  • Check interfaces status.

Step 2.1 Enter configuration mode and edit interfaces.

configure
edit interfaces

Step 2.2 execute show to see interface configuration.

outcome: see only management interface configured.

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# show 
me0 {
    unit 0 {
        family inet {
            address 10.128.10.249/24;
        }
    }
}

Step 2.3 Issue a command on the interface to see outcome.

outcome: preparing an incorrect configuration

root@SWITCH-STOCKEL-00# set ge-0/0/6 unit 1 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> ccc                  Circuit cross-connect parameters
> ethernet-switching   Ethernet switching parameters
> inet                 IPv4 parameters
> inet6                IPv6 protocol parameters

Step 2.4 finish the command, setting the interface family to ethernet-switching.

outcome: error.

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# set ge-0/0/6 unit 1 family ethernet-switching 

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# commit 
[edit interfaces ge-0/0/6]
  'unit 1'
    Only unit 0 is valid for this encapsulation
error: configuration check-out failed

Step 2.5 Rename interface unit from 1 to 0 and commit.

outcome: interface ge-0/0/6 configured as ethernet-switching.

root@SWITCH-STOCKEL-00# rename ge-0/0/6 unit 1 to unit 0 

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# commit 
configuration check succeeds
commit complete

Step 2.6 Configure the remaining L2 interfaces ge-0/0/7 and ge-0/0/8.

Outcome: 3 layer2 interfaces configured

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# copy ge-0/0/6 to ge-0/0/7 

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# copy ge-0/0/6 to ge-0/0/8 

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# show 
ge-0/0/6 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/7 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/8 {
    unit 0 {
        family ethernet-switching;
    }
}
me0 {
    unit 0 {
        family inet {
            address 10.128.10.249/24;
        }
    }
}

Step 2.7 Commit configuration and show interfaces.

outcome: 3 interfaces should appear as up.

root@SWITCH-STOCKEL-00# commit 
configuration check succeeds
commit complete

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# run show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/1                up    down
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/6.0              up    down eth-switch
ge-0/0/7                up    down
ge-0/0/7.0              up    down eth-switch
ge-0/0/8                up    down
ge-0/0/8.0              up    down eth-switch
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
ge-0/0/16               up    down
ge-0/0/17               up    down
ge-0/0/18               up    down
ge-0/0/19               up    down
ge-0/0/20               up    down
ge-0/0/21               up    down
ge-0/0/22               up    down
ge-0/0/23               up    down
bme0                    up    up
bme0.32768              up    up   inet     128.0.0.1/2     
                                            128.0.0.16/2    
                                            128.0.0.32/2    
                                   tnp      0x10            
dsc                     up    up
gre                     up    up
ipip                    up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lsi                     up    up
me0                     up    up
me0.0                   up    up   inet     10.128.10.249/24
mtun                    up    up
pimd                    up    up        
pime                    up    up
tap                     up    up
vlan                    up    up
vme                     up    down

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# 

step 2.8 Save configuration regarding interfaces

outcome: file individual-interfaces.conf

root@SWITCH-STOCKEL-00# save /var/tmp/individual-interfaces.conf 
Wrote 26 lines of configuration to '/var/tmp/individual-interfaces.conf'

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# 

step 2.9 Delete interfaces configured and commit.

outcome: No interfaces configured.

 
{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# wildcard delete ge-* 
  matched: ge-0/0/6
  matched: ge-0/0/7
  matched: ge-0/0/8
Delete 3 objects? [yes,no] (no) yes 


{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# show 
me0 {
    unit 0 {
        family inet {
            address 10.128.10.249/24;
        }
    }
}

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# commit 

step 2.10 Define an interface range and configure them as ethernet-switching.

outcome: interface range L2-interfaces as ethernet-switching.

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# set interface-range L2-interfaces member-range ge-0/0/6 to ge-0/0/8

root@SWITCH-STOCKEL-00# set interface-range L2-interfaces unit 0 family ethernet-switching

{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# show
interface-range L2-interfaces {
member-range ge-0/0/6 to ge-0/0/8;
unit 0 {
family ethernet-switching;
}
}
me0 {
unit 0 {
family inet {
address 10.128.10.249/24;
}
}
}

step 2.11 commit and show interfaces.

outcome: Selected interfaces are configured.

 
{master:0}[edit interfaces]
root@SWITCH-STOCKEL-00# commit and-quit 
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
root@SWITCH-STOCKEL-00> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/1                up    down
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/6.0              up    down eth-switch
ge-0/0/7                up    down
ge-0/0/7.0              up    down eth-switch
ge-0/0/8                up    down
ge-0/0/8.0              up    down eth-switch
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
ge-0/0/12               up    down

Part 3: Monitoring Layer 2 Switching Operations


Check the Ethernet Switching Table before and after traffic passes.

Define static MAC entries in the Ethernet switching table.

Step 3.1

{master:0}
root@STOCKELB-SW-EX02> show ethernet-switching table
Ethernet-switching table: 2 entries, 1 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           00:26:b9:e9:34:95 Learn          0 ge-0/0/5.0


Step 3.4 Ping from SRX to 172.23.21.99

 
root@STOCKELB-FW-SRXC-2> ping 172.23.21.99
PING 172.23.21.99 (172.23.21.99): 56 data bytes
64 bytes from 172.23.21.99: icmp_seq=0 ttl=128 time=8.604 ms
64 bytes from 172.23.21.99: icmp_seq=1 ttl=128 time=2.655 ms
64 bytes from 172.23.21.99: icmp_seq=2 ttl=128 time=2.634 ms
^C
--- 172.23.21.99 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.634/4.631/8.604/2.809 ms

step 3.5

 
{master:0}
root@STOCKELB-SW-EX02> show ethernet-switching table
Ethernet-switching table: 3 entries, 2 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           00:26:b9:e9:34:95 Learn          0 ge-0/0/5.0
  default           3c:8a:b0:2e:d8:85 Learn          0 ge-0/0/8.0

Step 3.6

 
{master:0}
root@STOCKELB-SW-EX02> clear ethernet-switching table

{master:0}
root@STOCKELB-SW-EX02> show ethernet-switching table
Ethernet-switching table: 1 entries, 0 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members

step 3.7

configure
edit ethernet-switching-options

step 3.8 Pin the two previously learned MAC addresses to their ports as static entries. Static entries never age out (note `Age -` and `0 learned` in step 3.10) and take precedence over dynamic learning, so if one of these hosts is later moved to a different port its traffic keeps being forwarded to the old port until the entry is updated — keep this in mind before relying on static MACs as a port-security measure.

{master:0}[edit ethernet-switching-options]
root@STOCKELB-SW-EX02# set static vlan default mac 00:26:b9:e9:34:95 next-hop ge-0/0/5.0

{master:0}[edit ethernet-switching-options]
root@STOCKELB-SW-EX02# set static vlan default mac 3c:8a:b0:2e:d8:85 next-hop ge-0/0/8.0

root@STOCKELB-SW-EX02# show
static {
    vlan default {
        mac 00:26:b9:e9:34:95 next-hop ge-0/0/5.0;
        mac 3c:8a:b0:2e:d8:85 next-hop ge-0/0/8.0;
    }
}

step 3.9

root@STOCKELB-SW-EX02# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

Step 3.10

{master:0}
root@STOCKELB-SW-EX02> show ethernet-switching table
Ethernet-switching table: 3 entries, 0 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           00:26:b9:e9:34:95 Static         - ge-0/0/5.0
  default           3c:8a:b0:2e:d8:85 Static         - ge-0/0/8.0

step 3.11

root@STOCKELB-FW-SRXC-2> ping 172.23.21.99
PING 172.23.21.99 (172.23.21.99): 56 data bytes
64 bytes from 172.23.21.99: icmp_seq=0 ttl=128 time=3.599 ms
64 bytes from 172.23.21.99: icmp_seq=1 ttl=128 time=2.561 ms
^C
--- 172.23.21.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.561/3.080/3.599/0.519 ms

 

root@STOCKELB-SW-EX02# save LAB2-init.conf
Wrote 38 lines of configuration to 'LAB2-init.conf'

 

Appendix:


Initial firewall configuration: STOCKELB-FW-SRXC-2. Apply this from the console: `delete` at the top level wipes the entire configuration, including the management interface and the SSH service, so a remote session would be cut off at commit. Note also that this lab baseline enables telnet (clear-text management) and a TRUST-to-TRUST any/any/any permit policy; both are acceptable in an isolated lab but should not be carried into production.

[edit]
root@STOCKELB-FW-SRXC-2# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
set system host-name STOCKELB-FW-SRXC-2
set system services ssh
set system services telnet
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.23/24
set interfaces fe-0/0/5 unit 0 family inet address 172.23.21.10/24
set interfaces fe-0/0/5 unit 0 family inet address 172.23.22.10/24
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST description "TRUST ZONE"
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces fe-0/0/5.0
set security zones security-zone MGMT description "MGMT ZONE"
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set system root-authentication plain-text-password

Initial switch configuration. Note that the SNMP community `public` with read-only access is the well-known default; outside an isolated lab, use a non-default community restricted with a `clients` list (or SNMPv3).

load factory-default
delete
set system host-name STOCKELB-SW-EX02
set system time-zone Europe/Brussels
set snmp description STOCKELB-SW-EX02
set snmp community public authorization read-only
delete interfaces
set interfaces me0 unit 0 family inet address 192.168.12.22/24
set system root-authentication plain-text-password

[DRAFT 0.4] Junos Enterprise Switching LAB 6: Implementing LAG and RTG


Lab 6 Implementing LAG and RTG


 

Overview


This lab details the steps for the basic configuration and monitoring needed to implement LAG and RTG on EX Series switches.

The following tasks are performed:

Update the existing configuration.

  • Configure and monitor a link aggregation group (LAG).
  • Configure and monitor a redundant trunk group (RTG).

 

General design


 

 

Part 0 Initial configurations. These are lab baselines; several settings are not production-safe: the SRX enables `xnm-clear-text` (unencrypted JUNOScript/NETCONF over TCP — use `xnm-ssl` or NETCONF over SSH instead), both devices use the default SNMP community `public`, every trunk carries `vlan members all` rather than only the VLANs it needs, and the TRUST-to-TRUST policy permits any/any/any.


 

switch STOCKELA-SW-EX01 (root password hash redacted below — `encrypted-password` hashes should never be published, even MD5-crypt `$1$` ones, and a password whose hash has been exposed should be rotated)

set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "<REDACTED>"
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members all
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces vlan unit 11 description "VLAN 11"
set interfaces vlan unit 11 family inet address 172.23.11.1/24
set interfaces vlan unit 12 description "VLAN 12"
set interfaces vlan unit 12 family inet address 172.23.12.1/24
set snmp description STOCKELA-SW-EX01
set snmp community public authorization read-only
set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port interface ge-0/0/6.0 allowed-mac 00:25:31:04:9b:f4
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 mac-limit action shutdown
set ethernet-switching-options secure-access-port interface ge-0/0/8.0 dhcp-trusted
set ethernet-switching-options mac-table-aging-time 1000
set vlans default
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

 

Firewall STOCKELA-FW-SRXC-1 (root password hash redacted below — `encrypted-password` hashes should never be published, and a password whose hash has been exposed should be rotated)

set system host-name STOCKELA-FW-SRXC-1
set system root-authentication encrypted-password "<REDACTED>"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services xnm-clear-text
set system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.20/24
set interfaces fe-0/0/1 unit 0 description "fe-0/0/1 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/1
set interfaces fe-0/0/2 unit 0 description "fe-0/0/2 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/2
set interfaces fe-0/0/4 unit 0 description "fe-0/0/4 TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/4
set interfaces fe-0/0/5 unit 0 description "TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/6 unit 0 description "fe-0/0/6 TRUNK TO PARTNER SWITCH"
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/6
set interfaces vlan unit 0 family inet
set interfaces vlan unit 11 description "VLAN UNIT 11"
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description "VLAN UNIT 12"
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set protocols rstp bridge-priority 4k
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.10
set access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 low 172.23.12.100
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 high 172.23.12.200
set access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.10
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

 

Part 1: Configuring and Monitoring a LAG


 

Step 1.1 on the EX switch go to [edit ethernet-switching-options secure-access-port]

configure
edit ethernet-switching-options secure-access-port

step 1.2 Deactivate the secure-access-port configuration for ge-0/0/8.0, since the physical port will become a LAG member and its logical unit will disappear. The `dhcp-trusted` marking is not re-applied to ae0.0 anywhere in this lab; if DHCP snooping (`examine-dhcp`) is enabled on these VLANs, the uplink towards the SRX DHCP server must be marked trusted again on ae0.0, otherwise DHCP offers from the server will be dropped.

{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELA-SW-EX01# deactivate interface ge-0/0/8.0

{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELA-SW-EX01# show
interface ge-0/0/6.0 {
    allowed-mac 00:25:31:04:9b:f4;
}
interface ge-0/0/7.0 {
    mac-limit 1 action shutdown;
}
inactive: interface ge-0/0/8.0 {
    dhcp-trusted;
}

step 1.3 Go to [edit interfaces] and delete ge-0/0/8 and ge-0/0/9

{master:0}[edit ethernet-switching-options secure-access-port]
root@STOCKELB-SW-EX02# top edit interfaces

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# delete ge-0/0/8

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# delete ge-0/0/9
warning: statement not found

step 1.4 Configure ae0 unit 0 for L2 operation as a trunk port that carries all defined VLANs (`vlan members all`; in production, list only the VLANs the uplink actually needs).

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# set ae0 unit 0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# set ae0 unit 0 family ethernet-switching vlan members all


step 1.5 Configure ge-0/0/8 and ge-0/0/9 as members for ae0 interface

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# set ge-0/0/8 ether-options 802.3ad ae0

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# set ge-0/0/9 ether-options 802.3ad ae0

step 1.6 Activate the configuration using the commit, and then run a show interfaces terse ae0

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# commit
configuration check succeeds
commit complete


{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# run show interfaces terse ae0
error: device ae0 not found

What is the current state of ae0? It does not exist yet: an aeN device is only created once `chassis aggregated-devices ethernet device-count` allocates it (next step), so configuring `interfaces ae0` and its members commits without error but has no effect until then.

step 1.7 go to [edit chassis] and create a single aggregated Ethernet device.

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# top edit chassis

root@STOCKELB-SW-EX02# set aggregated-devices ethernet device-count 1

step 1.8 commit and perform a show interfaces terse ae0

{master:0}[edit chassis]
root@STOCKELB-SW-EX02# commit
configuration check succeeds
commit complete

{master:0}[edit chassis]
root@STOCKELB-SW-EX02# run show interfaces terse ae0
Interface               Admin Link Proto    Local                 Remote
ae0                     up    down
ae0.0                   up    down eth-switch

step 1.9 go to [edit interfaces] and enable lacp then commit.

{master:0}[edit chassis]
root@STOCKELB-SW-EX02# top edit interfaces


root@STOCKELB-SW-EX02# set ae0 aggregated-ether-options lacp active

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# commit

step 1.10 run a show interfaces terse ae0

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# run show interfaces terse ae0
Interface               Admin Link Proto    Local                 Remote
ae0                     up    down
ae0.0                   up    down eth-switch

What is the current state of the ae0 interface?

Up administratively, link down

 

step 1.11 Create a single aggregated Ethernet device.

on SRX

root@STOCKELB-FW-SRXC-2> configure 
Entering configuration mode

[edit] root@STOCKELB-FW-SRXC-2# set chassis aggregated-devices ethernet device-count 1 

step 1.12 go to [edit interfaces] and configure an aggregated ethernet interface named ae0.

configure ae0 interface for L2 operations as a trunk port that supports all defined VLANs. Enable LACP active mode.

on SRX

[edit]
root@STOCKELB-FW-SRXC-2# edit interfaces 

[edit interfaces]
root@STOCKELB-FW-SRXC-2# set ae0 unit 0 family ethernet-switching port-mode trunk 

[edit interfaces]
root@STOCKELB-FW-SRXC-2# set ae0 unit 0 family ethernet-switching vlan members all 

[edit interfaces]
root@STOCKELB-FW-SRXC-2# set ae0 aggregated-ether-options lacp active 


step 1.13 commit and run a show interfaces terse ae0

on SRX

[edit interfaces]
root@STOCKELB-FW-SRXC-2# commit 
commit complete

[edit interfaces]
root@STOCKELB-FW-SRXC-2# run show interfaces terse ae0 
Interface               Admin Link Proto    Local                 Remote
ae0                     up    down
ae0.0                   up    down eth-switch

What is the current state of the ae0 interface?

 

step 1.14 delete the fe-0/0/5 and fe-0/0/4 interface configurations and then re-create them as members of ae0

on SRX

[edit interfaces]
root@STOCKELB-FW-SRXC-2# delete fe-0/0/5              

[edit interfaces]
root@STOCKELB-FW-SRXC-2# delete fe-0/0/4    
warning: statement not found

[edit interfaces]
root@STOCKELA-FW-SRXC-1# set fe-0/0/4 fastether-options 802.3ad ae0

[edit interfaces]
root@STOCKELA-FW-SRXC-1# set fe-0/0/5 fastether-options 802.3ad ae0


step 1.15 commit and perform a show interfaces terse ae0

on SRX

[edit interfaces]
root@STOCKELA-FW-SRXC-1# commit 


[edit interfaces]
root@STOCKELA-FW-SRXC-1# run show interfaces terse ae0
Interface               Admin Link Proto    Local                 Remote
ae0                     up    down
ae0.0                   up    down eth-switch

step 1.15a set the speed of both switch member interfaces of ae0 to 100m. The LAG only came up after this step, presumably because the SRX members are fe- (100 Mb/s) ports and the links would not negotiate and bundle until the member speeds matched on both sides.

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ge-0/0/8 ether-options speed 100m

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ge-0/0/9 ether-options speed 100m


{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# run show interfaces ae0 terse
Interface               Admin Link Proto    Local                 Remote
ae0                     up    up
ae0.0                   up    up   eth-switch

step 1.16 run show lacp statistics interfaces

on SRX

[edit]
root@STOCKELA-FW-SRXC-1# run show lacp statistics interfaces
Aggregated interface: ae0
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      fe-0/0/4                 593         594            0            0
      fe-0/0/5                 594         595            0            0

[edit]
root@STOCKELA-FW-SRXC-1# run show lacp statistics interfaces
Aggregated interface: ae0
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      fe-0/0/4                 598         598            0            0
      fe-0/0/5                 599         600            0            0

is your assigned SRX gateway sending and receiving LACP messages?

 

Part 2: Configuring and Monitoring a Redundant Trunk Group


On this lab the configurations will be setup to support a redundant trunk group (RTG).

 

Step 2.1 enable interface activate fe-0/0/1, activate fe-0/0/2, activate fe-0/0/X

on SRX

[edit interfaces]
root@STOCKELA-FW-SRXC-1# activate fe-0/0/1

[edit interfaces]
root@STOCKELA-FW-SRXC-1# activate fe-0/0/2

[edit interfaces]
root@STOCKELA-FW-SRXC-1# activate fe-0/0/6

[edit interfaces]
root@STOCKELA-FW-SRXC-1# commit and-quit
commit complete
Exiting configuration mode

Step 2.2 configure ge-0/0/10 for L2 operations as a trunk port that supports all defined VLANs.

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ge-0/0/10 unit 0 family ethernet-switching vlan members all

step 2.3 commit and perform show interfaces terse ge-0/0/10

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# run show interfaces terse ge-0/0/10
Interface               Admin Link Proto    Local                 Remote
ge-0/0/10               up    up
ge-0/0/10.0             up    up   eth-switch

What is the state of the ge-0/0/10 ?

 

step 2.4 go to [edit ethernet-switching-options redundant-trunk-group] and configure a new redundant trunk group named rtg-1 that includes the ae0 and ge-0/0/10 interfaces. Ensure the ae0 interface is always selected as active when it is operational (the `primary` keyword).

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# top edit ethernet-switching-options redundant-trunk-group

{master:0}[edit ethernet-switching-options redundant-trunk-group]
root@STOCKELA-SW-EX01# set group rtg-1 interface ae0.0 primary

{master:0}[edit ethernet-switching-options redundant-trunk-group]
root@STOCKELA-SW-EX01# set group rtg-1 interface ge-0/0/10.0

{master:0}[edit ethernet-switching-options redundant-trunk-group]
root@STOCKELA-SW-EX01# show
group rtg-1 {
    interface ge-0/0/10.0;
    interface ae0.0 {
        primary;
    }
}

Step 2.5 Commit. The commit fails because an interface cannot be both an RTG member and an RSTP participant at the same time:

root@STOCKELA-SW-EX01# commit
error: XSTP : msti 0 STP and RTG cannot be enabled on the same interface ae0.0
error: configuration check-out failed

Step 2.6 Go to [edit protocols], deactivate RSTP and commit. Note that this removes spanning-tree loop protection from every port on the switch, not only from the two RTG members, so make sure no other redundant Layer 2 paths exist before doing this outside a lab.

{master:0}[edit ethernet-switching-options redundant-trunk-group]
root@STOCKELA-SW-EX01# top edit protocols

{master:0}[edit protocols]
root@STOCKELA-SW-EX01# show
igmp-snooping {
    vlan all;
}
rstp;
lldp {
    interface all;
}
lldp-med {
    interface all;
}
{master:0}[edit protocols]
root@STOCKELA-SW-EX01# deactivate rstp

{master:0}[edit protocols]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

Did the commit succeed?

 

Step 2.7 Run the show redundant-trunk-group command.

{master:0}[edit protocols]
root@STOCKELA-SW-EX01# run show redundant-trunk-group
Group      Interface   State       Time of last flap                      Flap
name                                                                      count

rtg-1      ae0.0       Up/Pri/Act  Never                                      0
           ge-0/0/10.0 Up          Never                                      0

What is the current state of the participating interfaces?

 

Step 2.8 Go to [edit interfaces], disable the ae0 interface, then commit.

{master:0}[edit protocols]
root@STOCKELA-SW-EX01# top edit interfaces

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ae0 disable

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

Step 2.9 Issue the run show redundant-trunk-group command and determine the current state assigned to the participating interfaces.

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# run show redundant-trunk-group
Group      Interface   State       Time of last flap                      Flap
name                                                                      count

rtg-1      ae0.0       Dwn/Pri     2017-09-03 15:28:10 CEST (00:00:55 ago)     1
           ge-0/0/10.0 Up/Act      Never                                      0

Did the state of the interfaces change based on your current configuration change?

What does the Pri reference under the state column indicate?

step 2.10 Re-enable the ae0 interface. Activate the configuration change and return to operation using the commit and-quit command.

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# delete ae0 disable

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

Step 2.11 Issue the show redundant-trunk-group command to determine whether the ae0.0 interface has resumed the active role for the rtg-1 group.

{master:0}
root@STOCKELA-SW-EX01> show redundant-trunk-group
Group      Interface   State       Time of last flap                      Flap
name                                                                      count

rtg-1      ae0.0       Up/Pri/Act  2017-09-03 15:29:43 CEST (00:00:02 ago)     2
           ge-0/0/10.0 Up          Never

 

References


No connectivity with LACP on ae-interface between SRX and EX

 

 

Initial configurations (as captured from the lab devices). Note that these listings include the devices' root password hashes and enable cleartext management services — telnet, xnm-clear-text and the SNMP read-only community "public"; rotate the passwords and disable or replace these services on any device used outside the lab.


 

STOCKELB-SW-EX02

set version 12.3R12.4
set system host-name STOCKELB-SW-EX02
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$1dqQJf8G$a8sgBWST/thcNreJ5yRDm/"
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v21
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v21
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v22
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members v30
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members v30
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members v30
set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members v30
set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members v30
set interfaces ge-0/0/17 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/17 unit 0 family ethernet-switching vlan members v30
set interfaces me0 unit 0 family inet address 192.168.12.22/24
set interfaces vlan unit 21 description "VLAN 21"
set interfaces vlan unit 21 family inet address 172.23.21.1/24
set interfaces vlan unit 22 description "VLAN 22"
set interfaces vlan unit 22 family inet address 172.23.22.1/24
set interfaces vlan unit 30 description "Command & Control"
set interfaces vlan unit 30 family inet address 172.20.30.1/24
set snmp description SWITCH-STOCKEL-01
set snmp community public authorization read-only
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1
set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set vlans default
set vlans v11 vlan-id 11
set vlans v12 vlan-id 12
set vlans v21 vlan-id 21
set vlans v21 l3-interface vlan.21
set vlans v22 vlan-id 22
set vlans v22 l3-interface vlan.22
set vlans v30 vlan-id 30
set vlans v30 l3-interface vlan.30
set poe interface all

STOCKELB-FW-SRXC-2

set version 12.1X46-D10.2
set system host-name STOCKELB-FW-SRXC-2
set system root-authentication encrypted-password "$1$jpgvhT0x$du2LUeP0atWHbEnsrVqNU0"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services dhcp-local-server group DHCP_POOL_VLAN21 interface vlan.21
set system services dhcp-local-server group DHCP_POOL_VLAN22 interface vlan.22
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.23/24
set interfaces fe-0/0/1 unit 0 description "fe-0/0/1 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/2 unit 0 description "fe-0/0/2 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/5 unit 0 description "TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/6 unit 0 description "fe-0/0/6 TRUNK TO PARTNER SWITCH"
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces vlan unit 11 description "VLAN UNIT 11"
set interfaces vlan unit 11 family inet address 172.23.11.11/24
set interfaces vlan unit 12 description "VLAN UNIT 12"
set interfaces vlan unit 12 family inet address 172.23.12.11/24
set interfaces vlan unit 21 description "VLAN UNIT 21"
set interfaces vlan unit 21 family inet address 172.23.21.10/24
set interfaces vlan unit 22 description "VLAN UNIT 22"
set interfaces vlan unit 22 family inet address 172.23.22.10/24
set routing-options static route 172.23.11.0/24 next-hop 172.23.11.10
set routing-options static route 172.23.12.0/24 next-hop 172.23.12.10
set protocols rstp bridge-priority 4k
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST description "TRUST ZONE"
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.22 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.22 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.21 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.21 host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces vlan.21 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces fe-0/0/2.0
set security zones security-zone TRUST interfaces fe-0/0/1.0
set security zones security-zone TRUST interfaces fe-0/0/6.0
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set access address-assignment pool DHCP_POOL_VLAN21 family inet network 172.23.21.0/24
set access address-assignment pool DHCP_POOL_VLAN21 family inet range DHCP_RANGE_VLAN21 low 172.23.21.100
set access address-assignment pool DHCP_POOL_VLAN21 family inet range DHCP_RANGE_VLAN21 high 172.23.21.200
set access address-assignment pool DHCP_POOL_VLAN21 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool DHCP_POOL_VLAN21 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP_POOL_VLAN21 family inet dhcp-attributes router 172.23.21.10
set access address-assignment pool DHCP_POOL_VLAN22 family inet network 172.23.22.0/24
set access address-assignment pool DHCP_POOL_VLAN22 family inet range DHCP_RANGE_VLAN22 low 172.23.22.100
set access address-assignment pool DHCP_POOL_VLAN22 family inet range DHCP_RANGE_VLAN22 high 172.23.22.200
set access address-assignment pool DHCP_POOL_VLAN22 family inet dhcp-attributes router 172.23.22.10
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v21 l3-interface vlan.21
set vlans v22 vlan-id 22
set vlans v22 l3-interface vlan.22

Final configuration of switch STOCKELA-SW-EX01

set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$ZLUrOTEQ$FvkAD2w7Mdjo2lTVOikvX0"
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 ether-options speed 100m
set interfaces ge-0/0/8 ether-options 802.3ad ae0
set interfaces ge-0/0/9 ether-options speed 100m
set interfaces ge-0/0/9 ether-options 802.3ad ae0
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members all
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces vlan unit 11 description "VLAN 11"
set interfaces vlan unit 11 family inet address 172.23.11.1/24
set interfaces vlan unit 12 description "VLAN 12"
set interfaces vlan unit 12 family inet address 172.23.12.1/24
set snmp description STOCKELA-SW-EX01
set snmp community public authorization read-only
set protocols igmp-snooping vlan all
deactivate protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port interface ge-0/0/6.0 allowed-mac 00:25:31:04:9b:f4
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 mac-limit action shutdown
set ethernet-switching-options secure-access-port interface ge-0/0/8.0 dhcp-trusted
deactivate ethernet-switching-options secure-access-port interface ge-0/0/8.0
set ethernet-switching-options mac-table-aging-time 1000
set ethernet-switching-options redundant-trunk-group group rtg-1 interface ge-0/0/10.0
set ethernet-switching-options redundant-trunk-group group rtg-1 interface ae0.0 primary
set vlans default
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

Final configuration of firewall STOCKELA-FW-SRXC-1

set version 12.1X46-D10.2
set system host-name STOCKELA-FW-SRXC-1
set system root-authentication encrypted-password "$1$W6wmApmW$Lkj1Gb2YWfx43ZfL27O3H/"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services xnm-clear-text
set system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set chassis aggregated-devices ethernet device-count 1
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.20/24
set interfaces fe-0/0/1 unit 0 description "fe-0/0/1 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/2 unit 0 description "fe-0/0/2 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/4 fastether-options 802.3ad ae0
set interfaces fe-0/0/5 fastether-options 802.3ad ae0
set interfaces fe-0/0/6 unit 0 description "fe-0/0/6 TRUNK TO PARTNER SWITCH"
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces vlan unit 0 family inet
set interfaces vlan unit 11 description "VLAN UNIT 11"
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description "VLAN UNIT 12"
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set protocols rstp bridge-priority 4k
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.10
set access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 low 172.23.12.100
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 high 172.23.12.200
set access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.10
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

[DRAFT 0.7] Junos Enterprise Switching LAB 3: Implementing Spanning Tree


Lab 3: Implementing Spanning Tree


    1. Part 1 modifying existing configuration.

    2. Part 2: Configuring and Monitoring RSTP.

    3. Part 3 Configuring and Monitoring BPDU Protection.

 

 

 

 

 

 

 

Part 0 preparing SRXC-1:


  • Act as DHCP server for VLANs 11 and 12 (dhcp-local-server groups bound to vlan.11 and vlan.12).
  • Management Interface
  • Three access ports, for VLAN21 & VLAN22
  • One active trunk on port fe-0/0/5 to interconnect to the switch (fe-0/0/4 is configured as a trunk but deactivated).
  • Set system services: DHCP and ping on interfaces.
  • Assign .10 ip address on each VLAN.
  • Allow inter-VLAN traffic (a permit-any TRUST-to-TRUST policy; acceptable in a lab, but narrow it in production).
  • Define VLANS VLAN11 and VLAN12.
  • Interfaces fe-0/0/1, fe-0/0/2 and fe-0/0/6 configured as trunks but deactivated.
  • RSTP configured with bridge priority 4k but deactivated (it is activated in Part 2).

 

set version 12.1X46-D10.2
set system host-name STOCKELA-FW-SRXC-1
set system root-authentication encrypted-password "$1$W6wmApmW$Lkj1Gb2YWfx43ZfL27O3H/"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services xnm-clear-text
set system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.20/24
set interfaces fe-0/0/4 unit 0 description "fe-0/0/4 TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/4
set interfaces fe-0/0/5 unit 0 description "TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/1 unit 0 description "fe-0/0/1 TRUNK TO PARTNER FIREWALL "  
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk    
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members all 
set interfaces fe-0/0/2 unit 0 description "fe-0/0/2 TRUNK TO PARTNER FIREWALL "   
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk           
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all    
set interfaces fe-0/0/6 unit 0 description "fe-0/0/6 TRUNK TO PARTNER SWITCH"      
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode trunk        
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all     
deactivate interfaces fe-0/0/1
deactivate interfaces fe-0/0/2
deactivate interfaces fe-0/0/6
set interfaces vlan unit 0 family inet
set interfaces vlan unit 11 description "VLAN UNIT 11"
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description "VLAN UNIT 12"
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set protocols rstp bridge-priority 4k
deactivate protocols rstp
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.10
set access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 low 172.23.12.100
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 high 172.23.12.200
set access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.10
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

 

Part 0 preparing the switch


 

  • Interfaces ge-0/0/4 and ge-0/0/6 as access ports in v11, ge-0/0/7 as an access port in v12 (ge-0/0/1 left in the default VLAN).
  • Interface ge-0/0/8 as a trunk carrying VLANs v11 and v12.
  • Layer 3 addresses on vlan.11 and vlan.12 (172.23.11.1/24 and 172.23.12.1/24).

 

set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$ZLUrOTEQ$FvkAD2w7Mdjo2lTVOikvX0"
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v12
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces vlan unit 11 description "VLAN 11"
set interfaces vlan unit 11 family inet address 172.23.11.1/24
set interfaces vlan unit 12 description "VLAN 12"
set interfaces vlan unit 12 family inet address 172.23.12.1/24
set snmp description STOCKELA-SW-EX01
set snmp community public authorization read-only
set protocols igmp-snooping vlan all
set protocols lldp interface all
set protocols lldp-med interface all
set vlans default
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12

Part 1 modifying existing configuration


The devices' configurations will be modified for the subsequent lab parts.

Step 1.1 On EX enter configuration mode and go to [edit vlans]

root@STOCKELA-SW-EX01# edit vlans

Step 1.2 Add the VLANs assigned to the virtual routers attached to the remote team's switch. In total there should now be 4 VLANs on the switch.

{master:0}
{master:0}[edit]
root@STOCKELA-SW-EX01# set vlans v21 vlan-id 21

{master:0}[edit]
root@STOCKELA-SW-EX01# set vlans v22 vlan-id 22

[edit vlans]
root@STOCKELA-SW-EX01# show
default;
v11 {
    vlan-id 11;
    l3-interface vlan.11;
}
v12 {
    vlan-id 12;
    l3-interface vlan.12;
}
v21 {
    vlan-id 21;
}
v22 {
    vlan-id 22;
}

Step 1.3 Go to [edit interfaces] and associate ge-0/0/8.0 with all the VLANs. Note that `vlan members all` also carries any VLAN added to the switch later; in production, list only the VLANs the trunk needs.

{master:0}[edit]
root@STOCKELA-SW-EX01# show interfaces ge-0/0/8
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ v11 v12 ];
        }
    }
}

{master:0}[edit]
root@STOCKELA-SW-EX01# delete interfaces ge-0/0/8 unit 0 family ethernet-switching vlan

{master:0}[edit]
root@STOCKELA-SW-EX01# set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members all

{master:0}[edit]
root@STOCKELA-SW-EX01# show interfaces ge-0/0/8
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

Step 1.4 Copy the configuration from ge-0/0/8 to ge-0/0/10.

{master:0}[edit interfaces]
root@STOCKELB-SW-EX02# copy ge-0/0/8 to ge-0/0/10

{master:0}
[edit interfaces]
root@STOCKELA-SW-EX01# show ge-0/0/10
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

Step 1.5 Commit and run "show ethernet-switching interfaces".

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# run show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ge-0/0/1.0   down   default                   untagged unblocked
ge-0/0/4.0   down   v11                 11    untagged unblocked
ge-0/0/6.0   up     v11                 11    untagged unblocked
ge-0/0/7.0   up     v12                 12    untagged unblocked
ge-0/0/8.0   up     v11                 11    tagged   unblocked
                    v12                 12    tagged   unblocked
                    v21                 21    tagged   unblocked
                    v22                 22    tagged   unblocked
ge-0/0/10.0  up     v11                 11    tagged   unblocked
                    v12                 12    tagged   unblocked
                    v21                 21    tagged   unblocked
                    v22                 22    tagged   unblocked

Is any of the interfaces listed currently blocking traffic?

 

Step 1.6 enter configuration mode and go to edit interfaces
ON srx

configure
edit interfaces

Step 1.7 Activate interfaces fe-0/0/1, fe-0/0/2 and fe-0/0/6. With RSTP still deactivated, this creates redundant Layer 2 paths; the ping tests in Part 2 show the effect.
ON srx

activate fe-0/0/1
activate fe-0/0/2
activate fe-0/0/6
commit and-quit

 

Part 2 : configuring and Monitoring RSTP


In this lab RSTP will be configured and monitored:

  • First, some ping tests to identify the need for spanning tree within a Layer 2 network.
  • Next, configure RSTP on the assigned devices.
  • Finally verify the effects of enabling RSTP in a layer 2 network with redundant paths.

 

Step 2.1 ping VLAN ip address on the switch

ON SRX STOCKELA-FW-SRXC-1

When pinging, check the sequence numbers and watch for DUP! replies; duplicates and gaps in the sequence often indicate a Layer 2 loop.

root@STOCKELA-FW-SRXC-1> ping 172.23.12.1
PING 172.23.12.1 (172.23.12.1): 56 data bytes
64 bytes from 172.23.12.1: icmp_seq=3 ttl=64 time=203.735 ms
64 bytes from 172.23.12.1: icmp_seq=4 ttl=64 time=76.668 ms
64 bytes from 172.23.12.1: icmp_seq=4 ttl=64 time=79.314 ms (DUP!)
64 bytes from 172.23.12.1: icmp_seq=13 ttl=64 time=139.786 ms
64 bytes from 172.23.12.1: icmp_seq=13 ttl=64 time=142.470 ms (DUP!)
64 bytes from 172.23.12.1: icmp_seq=13 ttl=64 time=144.532 ms (DUP!)
64 bytes from 172.23.12.1: icmp_seq=17 ttl=64 time=76.296 ms
^C
--- 172.23.12.1 ping statistics ---
20 packets transmitted, 4 packets received, +3 duplicates, 80% packet loss
round-trip min/avg/max/stddev = 76.296/123.257/203.735/44.527 ms

root@STOCKELA-FW-SRXC-1> ping 172.23.11.1
PING 172.23.11.1 (172.23.11.1): 56 data bytes
64 bytes from 172.23.11.1: icmp_seq=7 ttl=64 time=89.877 ms
64 bytes from 172.23.11.1: icmp_seq=9 ttl=64 time=50.761 ms
64 bytes from 172.23.11.1: icmp_seq=10 ttl=64 time=183.938 ms
64 bytes from 172.23.11.1: icmp_seq=12 ttl=64 time=79.573 ms
64 bytes from 172.23.11.1: icmp_seq=22 ttl=64 time=242.291 ms
^C
--- 172.23.11.1 ping statistics ---
24 packets transmitted, 5 packets received, 79% packet loss
round-trip min/avg/max/stddev = 50.761/129.288/242.291/72.038 ms

ON SRX STOCKELB-FW-SRXC-2

root@STOCKELB-FW-SRXC-2> ping 172.23.22.100    
PING 172.23.22.100 (172.23.22.100): 56 data bytes
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=9.507 ms
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=11.762 ms (DUP!)
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=13.802 ms (DUP!)
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=15.831 ms (DUP!)
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=17.865 ms (DUP!)
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=19.919 ms (DUP!)
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=22.176 ms (DUP!)
64 bytes from 172.23.22.100: icmp_seq=0 ttl=64 time=24.634 ms (DUP!)

root@STOCKELB-FW-SRXC-2> ping 172.23.21.100    
PING 172.23.21.100 (172.23.21.100): 56 data bytes
64 bytes from 172.23.21.100: icmp_seq=0 ttl=64 time=96.930 ms
64 bytes from 172.23.21.100: icmp_seq=0 ttl=64 time=98.644 ms (DUP!)
64 bytes from 172.23.21.100: icmp_seq=0 ttl=64 time=100.514 ms (DUP!)
64 bytes from 172.23.21.100: icmp_seq=0 ttl=64 time=102.387 ms (DUP!)
64 bytes from 172.23.21.100: icmp_seq=0 ttl=64 time=104.499 ms (DUP!)
64 bytes from 172.23.21.100: icmp_seq=36 ttl=64 time=2.607 ms
64 bytes from 172.23.21.100: icmp_seq=37 ttl=64 time=2.710 ms
 
set vlans v11 l3-interface vlan.11  
set vlans v12 l3-interface vlan.12    
set interfaces vlan unit 11 description "VLAN UNIT 11"
set interfaces vlan unit 11 family inet address 172.23.11.11/24
set interfaces vlan unit 12 description "VLAN UNIT 12"
set interfaces vlan unit 12 family inet address 172.23.12.11/24
set vlans v21 l3-interface vlan.21  
set vlans v22 l3-interface vlan.22    
set interfaces vlan unit 21 description "VLAN UNIT 21"
set interfaces vlan unit 21 family inet address 172.23.21.11/24
set interfaces vlan unit 22 description "VLAN UNIT 22"
set interfaces vlan unit 22 family inet address 172.23.22.11/24

Step 2.2 Activate the RSTP configuration on the SRX. The rstp stanza (bridge-priority 4k) is already present but inactive, so it is enabled with `activate protocols rstp` and committed.

 
[edit]
root@STOCKELB-FW-SRXC-2# show protocols
inactive: rstp {
    bridge-priority 4k;
}

[edit]
root@STOCKELB-FW-SRXC-2# activate protocols rstp

[edit]
root@STOCKELB-FW-SRXC-2# commit and-quit
commit complete
Exiting configuration mode


Step 2.3 On the EX switch, enable RSTP with `set protocols rstp`, commit the change and return to operational mode.

 
{master:0}
root@STOCKELB-SW-EX02> configure
Entering configuration mode

{master:0}[edit]
root@STOCKELB-SW-EX02# top set protocols rstp

{master:0}[edit]
root@STOCKELB-SW-EX02# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

Step 2.4 issue show spanning-tree bridge

 

 
{master:0}
root@STOCKELA-SW-EX01> show spanning-tree bridge

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.3c:61:04:d8:2e:08
  Root cost                         : 200000
  Root port                         : ge-0/0/8.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 2
  Time since last topology change   : 174 seconds
  Topology change initiator         : ge-0/0/8.0
  Topology change last recvd. from  : 3c:8a:b0:2e:d8:86
  Local parameters
    Bridge ID                       : 32768.a8:d0:e5:b8:86:c1
    Extended system ID              : 0
    Internal instance ID            : 0

{master:0}
root@STOCKELA-SW-EX01> show chassis mac-addresses
    FPC 0   MAC address information:
      Public base address     a8:d0:e5:b8:86:c0
      Public count            64


{master:0}
root@STOCKELB-SW-EX02> show spanning-tree bridge

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.3c:61:04:d8:2e:08
  Root cost                         : 200000
  Root port                         : ge-0/0/10.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 1
  Time since last topology change   : 218 seconds
  Topology change initiator         : ge-0/0/10.0
  Topology change last recvd. from  : 3c:8a:b0:2e:d8:85
  Local parameters
    Bridge ID                       : 32768.a8:d0:e5:b5:3f:c1
    Extended system ID              : 0
    Internal instance ID            : 0



Step 2.5 Run show spanning-tree interface to determine the state (FWD/BLK) and role (ROOT/DESG/ALT) of each switch port. The root bridge (4096.3c:61:04:d8:2e:08, presumably the SRX with bridge-priority 4k) is reached through one ROOT port on each EX, and the redundant uplink is held as ALT/BLK, which removes the loop observed in step 2.1.

{master:0}
root@STOCKELA-SW-EX01> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/6.0     128:519      128:519  32768.a8d0e5b886c1     20000  FWD    DESG
ge-0/0/7.0     128:520      128:520  32768.a8d0e5b886c1    200000  FWD    DESG
ge-0/0/8.0     128:521      128:518   4096.3c6104d82e08    200000  FWD    ROOT
ge-0/0/10.0    128:523      128:519   8192.3c8ab02ed888    200000  BLK    ALT
 
{master:0}
root@STOCKELB-SW-EX02> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/6.0     128:519      128:519  32768.a8d0e5b53fc1    200000  FWD    DESG
ge-0/0/7.0     128:520      128:520  32768.a8d0e5b53fc1    200000  FWD    DESG
ge-0/0/8.0     128:521      128:518   8192.3c8ab02ed888    200000  BLK    ALT
ge-0/0/10.0    128:523      128:519   4096.3c6104d82e08    200000  FWD    ROOT

Step 2.6 Run show ethernet-switching interfaces to see the effect of the spanning-tree calculation: every VLAN on ge-0/0/10.0 is now reported as "blocked by STP".

{master:0}
root@STOCKELA-SW-EX01> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ge-0/0/1.0   down   default                   untagged blocked by STP
ge-0/0/4.0   down   v11                 11    untagged blocked by STP
ge-0/0/6.0   up     v11                 11    untagged unblocked
ge-0/0/7.0   up     v12                 12    untagged unblocked
ge-0/0/8.0   up     v11                 11    tagged   unblocked
                    v12                 12    tagged   unblocked
                    v21                 21    tagged   unblocked
                    v22                 22    tagged   unblocked
ge-0/0/10.0  up     v11                 11    tagged   blocked by STP
                    v12                 12    tagged   blocked by STP
                    v21                 21    tagged   blocked by STP
                    v22                 22    tagged   blocked by STP

Step 2.7 Run show spanning-tree interface ge-0/0/8 detail (the root port).

 
{master:0}
root@STOCKELA-SW-EX01> show spanning-tree interface ge-0/0/8 detail

Spanning tree interface parameters for instance 0

Interface name                 : ge-0/0/8.0
Port identifier                : 128.521
Designated port ID             : 128.518
Port cost                      : 200000
Port state                     : Forwarding
Designated bridge ID           : 4096.3c:61:04:d8:2e:08
Port role                      : Root
Link type                      : Pt-Pt/NONEDGE
Boundary port                  : NA
Edge delay while expiry count  : 0
Rcvd info while expiry count   : 0

Step 2.8 Run show spanning-tree interface ge-0/0/6 detail (an access port, reported with link type EDGE).

 
{master:0}
root@STOCKELA-SW-EX01> show spanning-tree interface ge-0/0/6 detail

Spanning tree interface parameters for instance 0

Interface name                 : ge-0/0/6.0
Port identifier                : 128.519
Designated port ID             : 128.519
Port cost                      : 20000
Port state                     : Forwarding
Designated bridge ID           : 32768.a8:d0:e5:b8:86:c1
Port role                      : Designated
Link type                      : Pt-Pt/EDGE
Boundary port                  : NA
Edge delay while expiry count  : 1
Rcvd info while expiry count   : 0



{master:0}
root@STOCKELA-SW-EX01> show interfaces ge-0/0/6 extensive | match "Link mode"
        Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 1000 Mbps

Step 2.9 Ping the IP addresses of the VLAN interfaces again: with RSTP blocking the redundant path there is no more packet loss and no DUP! replies.

ON SRX

 
[edit]
root@STOCKELA-FW-SRXC-1# run ping 172.23.11.1 count 10 rapid
PING 172.23.11.1 (172.23.11.1): 56 data bytes
!!!!!!!!!!
--- 172.23.11.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.070/4.960/8.450/1.273 ms

[edit]
root@STOCKELA-FW-SRXC-1# run ping 172.23.12.1 count 10 rapid
PING 172.23.12.1 (172.23.12.1): 56 data bytes
!!!!!!!!!!
--- 172.23.12.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.252/4.855/6.396/0.651 ms

Part 3 Configuring and Monitoring BPDU Protection.


In this lab, BPDU protection will be enabled on an edge port:

  • Enable ge-0/0/9.0 interface for Layer 2 operations.
  • Configure BPDU protection and monitor the effects of this protection feature.
  • Administratively clear a BPDU error condition.

step 3.1 enter configuration mode and [edit interfaces]

 
{master:0}
root@STOCKELA-SW-EX01> configure
Entering configuration mode

{master:0}[edit]
root@STOCKELA-SW-EX01# edit interfaces

Step 3.2 Enable the interface for Layer 2 operations: set ge-0/0/9 unit 0 family ethernet-switching

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# set ge-0/0/9 unit 0 family ethernet-switching

Step 3.3 Go to the [edit protocols rstp] hierarchy and define ge-0/0/9.0 as an edge port. An edge port is meant to connect to an end host, never to another bridge, so it transitions to forwarding immediately and should never receive BPDUs.

{master:0}[edit interfaces]
root@STOCKELA-SW-EX01# top edit protocols rstp

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# set interface ge-0/0/9.0 edge

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# commit
configuration check succeeds
commit complete

Step 3.4 Run show spanning-tree interface ge-0/0/9.0 detail; the link type now shows EDGE.

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# run show spanning-tree interface ge-0/0/9.0 detail

Spanning tree interface parameters for instance 0

Interface name                 : ge-0/0/9.0
Port identifier                : 128.522
Designated port ID             : 128.522
Port cost                      : 200000
Port state                     : Forwarding
Designated bridge ID           : 32768.a8:d0:e5:b8:86:c1
Port role                      : Designated
Link type                      : Pt-Pt/EDGE
Boundary port                  : NA
Edge delay while expiry count  : 1
Rcvd info while expiry count   : 0

Step 3.5 Enable BPDU protection with `set bpdu-block-on-edge` and commit. With this option, an edge port that receives a BPDU is disabled, which protects the topology against a rogue or accidentally connected switch (for example an attacker claiming the root role from an access port). Be aware that the port stays disabled until the error is cleared administratively (step 3.12) unless a disable timeout is configured.

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# set bpdu-block-on-edge
commit

step 3.6 show ethernet-switching interfaces.

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# run show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ge-0/0/1.0   down   default                   untagged blocked by STP
ge-0/0/4.0   down   v11                 11    untagged blocked by STP
ge-0/0/6.0   up     v11                 11    untagged unblocked
ge-0/0/7.0   up     v12                 12    untagged unblocked
ge-0/0/8.0   up     v11                 11    tagged   unblocked
                    v12                 12    tagged   unblocked
                    v21                 21    tagged   unblocked
                    v22                 22    tagged   unblocked
ge-0/0/9.0   up     default                   untagged unblocked
ge-0/0/10.0  up     v11                 11    tagged   blocked by STP
                    v12                 12    tagged   blocked by STP
                    v21                 21    tagged   blocked by STP
                    v22                 22    tagged   blocked by STP

Step 3.7 On the SRX, go to [edit interfaces].

 
[edit]
root@STOCKELA-FW-SRXC-1# edit interfaces

Step 3.8 On the SRX, activate the trunk fe-0/0/4 (the link to the distribution switch, presumably cabled to ge-0/0/9 on STOCKELA-SW-EX01). Because the SRX runs RSTP, this trunk will send BPDUs into the switch's edge port.

[edit interfaces]
root@STOCKELA-FW-SRXC-1# show fe-0/0/4
##
## inactive: interfaces fe-0/0/4
##
unit 0 {
    description "fe-0/0/4 TRUNK TO DISTRIBUTION SWITCH";
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

[edit interfaces]
root@STOCKELA-FW-SRXC-1# activate fe-0/0/4

[edit interfaces]
root@STOCKELA-FW-SRXC-1# commit

Step 3.9 Run show ethernet-switching interfaces on the switch: ge-0/0/9.0 is now down and "Disabled by bpdu-control" because a BPDU from the SRX arrived on the edge port.

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# run show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ge-0/0/1.0   down   default                   untagged blocked by STP
ge-0/0/4.0   down   v11                 11    untagged blocked by STP
ge-0/0/6.0   up     v11                 11    untagged unblocked
ge-0/0/7.0   up     v12                 12    untagged unblocked
ge-0/0/8.0   up     v11                 11    tagged   unblocked
                    v12                 12    tagged   unblocked
                    v21                 21    tagged   unblocked
                    v22                 22    tagged   unblocked
ge-0/0/9.0   down   default                   untagged Disabled by bpdu-control
ge-0/0/10.0  up     v11                 11    tagged   blocked by STP
                    v12                 12    tagged   blocked by STP
                    v21                 21    tagged   blocked by STP
                    v22                 22    tagged   blocked by STP

Step 3.10 Run show spanning-tree interface ge-0/0/9.0 detail; the port role is reported as Disabled (Bpdu-Inconsistent).

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# run show spanning-tree interface ge-0/0/9.0 detail

Spanning tree interface parameters for instance 0

Interface name                 : ge-0/0/9.0
Port identifier                : 128.522
Designated port ID             : 128.522
Port cost                      : 200000
Port state                     : Blocking
Designated bridge ID           : 32768.a8:d0:e5:b8:86:c1
Port role                      : Disabled (Bpdu-Inconsistent)
Link type                      : Pt-Pt/EDGE
Boundary port                  : NA
Edge delay while expiry count  : 2
Rcvd info while expiry count   : 0

Step 3.11 On the SRX, deactivate fe-0/0/4 again so that no more BPDUs reach the switch's edge port. Clearing the error (next step) while BPDUs are still arriving would simply disable the port again.

[edit interfaces]
root@STOCKELA-FW-SRXC-1# deactivate fe-0/0/4

[edit interfaces]
root@STOCKELA-FW-SRXC-1# show fe-0/0/4
##
## inactive: interfaces fe-0/0/4
##
unit 0 {
    description "fe-0/0/4 TRUNK TO DISTRIBUTION SWITCH";
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

[edit interfaces]
root@STOCKELA-FW-SRXC-1# commit and-quit
commit complete

Step 3.12 Clear the BPDU error condition with `clear ethernet-switching bpdu-error`; ge-0/0/9.0 returns to up/unblocked. In production, identify which device sent the BPDUs before re-enabling the port — the block is the useful signal that an unauthorized switch was connected.

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# run clear ethernet-switching bpdu-error

{master:0}[edit protocols rstp]
root@STOCKELA-SW-EX01# run show ethernet-switching interfaces ge-0/0/9.0
Interface    State  VLAN members        Tag   Tagging  Blocking
ge-0/0/9.0   up     default                   untagged unblocked

Appendix: device configurations. Note that these listings include root-authentication password hashes ($1$ = MD5-crypt, a weak format). Hashes published in documentation should be treated as compromised: rotate the root passwords and redact hashes before sharing configurations. Only the root account is defined while SSH is enabled; in production create named login users, use the strongest password hash format the release supports, and consider `set system services ssh root-login deny`.


 

Firewall STOCKELB-FW-SRXC-2 Initial configuration. Note: the TRUST-to-TRUST policy permits any source, destination and application between the VLANs of the TRUST zone — acceptable for the lab, but it provides no segmentation in production. The range inside DHCP_POOL_VLAN21 is named DHCP_RANGE_VLAN11; this is only cosmetic but confusing.


set version 12.1X46-D10.2
set system host-name STOCKELB-FW-SRXC-2
set system root-authentication encrypted-password "$1$88KlVe5k$296/U91XcH1yQd3l7fesf0"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services dhcp-local-server group DHCP_POOL_VLAN21 interface vlan.21
set system services dhcp-local-server group DHCP_POOL_VLAN22 interface vlan.22
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.23/24
set interfaces fe-0/0/5 unit 0 description "TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/1 unit 0 description "fe-0/0/1 TRUNK TO PARTNER FIREWALL "  
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk    
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members all 
set interfaces fe-0/0/2 unit 0 description "fe-0/0/2 TRUNK TO PARTNER FIREWALL "   
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk           
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all    
set interfaces fe-0/0/6 unit 0 description "fe-0/0/6 TRUNK TO PARTNER SWITCH"      
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode trunk        
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/4 unit 0 description "fe-0/0/4 TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/4     
deactivate interfaces fe-0/0/1
deactivate interfaces fe-0/0/2
deactivate interfaces fe-0/0/6
set interfaces vlan unit 0 family inet
set interfaces vlan unit 21 description "VLAN unit 21"
set interfaces vlan unit 21 family inet address 172.23.21.10/24
set interfaces vlan unit 22 description "VLAN unit 22"
set interfaces vlan unit 22 family inet address 172.23.22.10/24
set protocols rstp bridge-priority 8k
deactivate protocols rstp
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST description "TRUST ZONE"
set security zones security-zone TRUST interfaces vlan.21 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.21 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.22 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.22 host-inbound-traffic system-services ping
set security zones security-zone MGMT description "MGMT ZONE"
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set access address-assignment pool DHCP_POOL_VLAN21 family inet network 172.23.21.0/24
set access address-assignment pool DHCP_POOL_VLAN21 family inet range DHCP_RANGE_VLAN11 low 172.23.21.100
set access address-assignment pool DHCP_POOL_VLAN21 family inet range DHCP_RANGE_VLAN11 high 172.23.21.200
set access address-assignment pool DHCP_POOL_VLAN21 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool DHCP_POOL_VLAN21 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP_POOL_VLAN21 family inet dhcp-attributes router 172.23.21.1
set access address-assignment pool DHCP_POOL_VLAN22 family inet network 172.23.22.0/24
set access address-assignment pool DHCP_POOL_VLAN22 family inet range DHCP_RANGE_VLAN22 low 172.23.22.100
set access address-assignment pool DHCP_POOL_VLAN22 family inet range DHCP_RANGE_VLAN22 high 172.23.22.200
set access address-assignment pool DHCP_POOL_VLAN22 family inet dhcp-attributes router 172.23.22.1
set vlans v11 vlan-id 11
set vlans v12 vlan-id 12
set vlans v21 vlan-id 21
set vlans v21 l3-interface vlan.21
set vlans v22 vlan-id 22
set vlans v22 l3-interface vlan.22

Switch STOCKELB-SW-EX02 Initial configuration. Note: SNMP is enabled with the well-known community `public` (read-only, with no client restriction); change the community string and restrict it with a clients list, or use SNMPv3, before deploying outside the lab.


root@STOCKELB-SW-EX02# show | display set
set system host-name STOCKELB-SW-EX02
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$HXtUAkvv$Nl4GhwHVuJb1iXmYlOY020"
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v21
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v22
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v21
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v22
set interfaces me0 unit 0 family inet address 192.168.12.22/24
set interfaces vlan unit 21 description "VLAN 21"
set interfaces vlan unit 21 family inet address 172.23.21.1/24
set interfaces vlan unit 22 description "VLAN 22"
set interfaces vlan unit 22 family inet address 172.23.22.1/24
set snmp description STOCKELB-SW-EX02
set snmp community public authorization read-only
set vlans v21 vlan-id 21
set vlans v21 l3-interface vlan.21
set vlans v22 vlan-id 22
set vlans v22 l3-interface vlan.22

Switch STOCKELA-SW-EX01 Final configuration. Note: the same SNMP `public` community caveat applies as on STOCKELB-SW-EX02; the RSTP edge-port and bpdu-block-on-edge lines from Part 3 are present.

set version 12.3R12.4
set system host-name STOCKELA-SW-EX01
set system time-zone Europe/Brussels
set system root-authentication encrypted-password "$1$ZLUrOTEQ$FvkAD2w7Mdjo2lTVOikvX0"
set system name-server 192.168.10.2
set system name-server 192.168.12.10
set system services ssh
set system syslog host 10.128.100.102 any any
set system syslog file messages any info
set system syslog file default-log-messages any any
set system ntp server 193.104.37.238
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members v11
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members v12
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members all
set interfaces me0 unit 0 family inet address 192.168.12.21/24
set interfaces vlan unit 11 description "VLAN 11"
set interfaces vlan unit 11 family inet address 172.23.11.1/24
set interfaces vlan unit 12 description "VLAN 12"
set interfaces vlan unit 12 family inet address 172.23.12.1/24
set snmp description STOCKELA-SW-EX01
set snmp community public authorization read-only
set protocols igmp-snooping vlan all
set protocols rstp interface ge-0/0/9.0 edge
set protocols rstp bpdu-block-on-edge
set protocols lldp interface all
set protocols lldp-med interface all
set vlans default
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22

Firewall STOCKELA-FW-SRXC-1 Final configuration (heading corrected: the host-name in this listing is STOCKELA-FW-SRXC-1, not the switch). Note: `set system services xnm-clear-text` enables unencrypted JUNOScript/XML management over the network and should be removed (`delete system services xnm-clear-text`) in favour of NETCONF over SSH. The range inside DHCP_POOL_VLAN12 is named DHCP_RANGE_VLAN22; cosmetic, but confusing.

set system host-name STOCKELA-FW-SRXC-1
set system root-authentication encrypted-password "$1$W6wmApmW$Lkj1Gb2YWfx43ZfL27O3H/"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services xnm-clear-text
set system services dhcp-local-server group DHCP_POOL_VLAN11 interface vlan.11
set system services dhcp-local-server group DHCP_POOL_VLAN12 interface vlan.12
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 description "MANAGEMENT INTERFACE"
set interfaces fe-0/0/0 unit 0 family inet address 192.168.12.20/24
set interfaces fe-0/0/1 unit 0 description "fe-0/0/1 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/2 unit 0 description "fe-0/0/2 TRUNK TO PARTNER FIREWALL "
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/4 unit 0 description "fe-0/0/4 TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members all
deactivate interfaces fe-0/0/4
set interfaces fe-0/0/5 unit 0 description "TRUNK TO DISTRIBUTION SWITCH"
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/6 unit 0 description "fe-0/0/6 TRUNK TO PARTNER SWITCH"
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces vlan unit 0 family inet
set interfaces vlan unit 11 description "VLAN UNIT 11"
set interfaces vlan unit 11 family inet address 172.23.11.10/24
set interfaces vlan unit 12 description "VLAN UNIT 12"
set interfaces vlan unit 12 family inet address 172.23.12.10/24
set protocols rstp bridge-priority 4k
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match source-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match destination-address any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST match application any
set security policies from-zone TRUST to-zone TRUST policy TRUST-to-TRUST then permit
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.12 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone TRUST interfaces vlan.11 host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces fe-0/0/0.0
set access address-assignment pool DHCP_POOL_VLAN11 family inet network 172.23.11.0/24
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 low 172.23.11.100
set access address-assignment pool DHCP_POOL_VLAN11 family inet range DHCP_RANGE_VLAN11 high 172.23.11.200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP_POOL_VLAN11 family inet dhcp-attributes router 172.23.11.10
set access address-assignment pool DHCP_POOL_VLAN12 family inet network 172.23.12.0/24
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 low 172.23.12.100
set access address-assignment pool DHCP_POOL_VLAN12 family inet range DHCP_RANGE_VLAN22 high 172.23.12.200
set access address-assignment pool DHCP_POOL_VLAN12 family inet dhcp-attributes router 172.23.12.10
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v12 vlan-id 12
set vlans v12 l3-interface vlan.12
set vlans v21 vlan-id 21
set vlans v22 vlan-id 22
